Analysis Overview
SHA256
71209aafe39d92bcb0cfa9b3ca7dfc3962622f887c481bb98d9648c4afae54eb
Threat Level: Known bad
The file 2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
Cobaltstrike
Cobaltstrike family
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
XMRig Miner payload
Detects Reflective DLL injection artifacts
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 04:46
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 04:45
Reported
2024-06-08 04:48
Platform
win7-20240221-en
Max time kernel
141s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\BWmjEaS.exe | N/A |
| N/A | N/A | C:\Windows\System\NxMJnzb.exe | N/A |
| N/A | N/A | C:\Windows\System\iqPIDPS.exe | N/A |
| N/A | N/A | C:\Windows\System\oddxNcS.exe | N/A |
| N/A | N/A | C:\Windows\System\vBPWSEC.exe | N/A |
| N/A | N/A | C:\Windows\System\EYJbJwl.exe | N/A |
| N/A | N/A | C:\Windows\System\jNsVUEd.exe | N/A |
| N/A | N/A | C:\Windows\System\dOALRYo.exe | N/A |
| N/A | N/A | C:\Windows\System\BlsPPlm.exe | N/A |
| N/A | N/A | C:\Windows\System\XmocJMB.exe | N/A |
| N/A | N/A | C:\Windows\System\LEJJGNu.exe | N/A |
| N/A | N/A | C:\Windows\System\hXoCyfi.exe | N/A |
| N/A | N/A | C:\Windows\System\sLETzhg.exe | N/A |
| N/A | N/A | C:\Windows\System\HwhQnjA.exe | N/A |
| N/A | N/A | C:\Windows\System\XuCNTGK.exe | N/A |
| N/A | N/A | C:\Windows\System\SUqcqKY.exe | N/A |
| N/A | N/A | C:\Windows\System\OyMMgcn.exe | N/A |
| N/A | N/A | C:\Windows\System\pJaOtiE.exe | N/A |
| N/A | N/A | C:\Windows\System\WGomaVj.exe | N/A |
| N/A | N/A | C:\Windows\System\kXaDhbd.exe | N/A |
| N/A | N/A | C:\Windows\System\RBeVSsT.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\BWmjEaS.exe
C:\Windows\System\NxMJnzb.exe
C:\Windows\System\iqPIDPS.exe
C:\Windows\System\oddxNcS.exe
C:\Windows\System\vBPWSEC.exe
C:\Windows\System\EYJbJwl.exe
C:\Windows\System\jNsVUEd.exe
C:\Windows\System\dOALRYo.exe
C:\Windows\System\BlsPPlm.exe
C:\Windows\System\XmocJMB.exe
C:\Windows\System\LEJJGNu.exe
C:\Windows\System\hXoCyfi.exe
C:\Windows\System\sLETzhg.exe
C:\Windows\System\HwhQnjA.exe
C:\Windows\System\XuCNTGK.exe
C:\Windows\System\SUqcqKY.exe
C:\Windows\System\OyMMgcn.exe
C:\Windows\System\pJaOtiE.exe
C:\Windows\System\WGomaVj.exe
C:\Windows\System\kXaDhbd.exe
C:\Windows\System\RBeVSsT.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
\Windows\system\NxMJnzb.exe
C:\Windows\system\BWmjEaS.exe
C:\Windows\system\iqPIDPS.exe
\Windows\system\oddxNcS.exe
C:\Windows\system\vBPWSEC.exe
C:\Windows\system\BlsPPlm.exe
C:\Windows\system\SUqcqKY.exe
C:\Windows\system\WGomaVj.exe
\Windows\system\RBeVSsT.exe
C:\Windows\system\kXaDhbd.exe
C:\Windows\system\pJaOtiE.exe
C:\Windows\system\OyMMgcn.exe
C:\Windows\system\XuCNTGK.exe
C:\Windows\system\HwhQnjA.exe
C:\Windows\system\sLETzhg.exe
C:\Windows\system\hXoCyfi.exe
C:\Windows\system\LEJJGNu.exe
C:\Windows\system\XmocJMB.exe
C:\Windows\system\dOALRYo.exe
C:\Windows\system\jNsVUEd.exe
C:\Windows\system\EYJbJwl.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 04:45
Reported
2024-06-08 04:48
Platform
win10v2004-20240508-en
Max time kernel
137s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ymJElAa.exe | N/A |
| N/A | N/A | C:\Windows\System\tOSKlPm.exe | N/A |
| N/A | N/A | C:\Windows\System\zzgdmEP.exe | N/A |
| N/A | N/A | C:\Windows\System\OdrnsAh.exe | N/A |
| N/A | N/A | C:\Windows\System\faSbweA.exe | N/A |
| N/A | N/A | C:\Windows\System\CPfnvXZ.exe | N/A |
| N/A | N/A | C:\Windows\System\ZcDkcOc.exe | N/A |
| N/A | N/A | C:\Windows\System\CGGPUOT.exe | N/A |
| N/A | N/A | C:\Windows\System\zBAAiUk.exe | N/A |
| N/A | N/A | C:\Windows\System\DLfLAIZ.exe | N/A |
| N/A | N/A | C:\Windows\System\osdsLaz.exe | N/A |
| N/A | N/A | C:\Windows\System\hxtLKws.exe | N/A |
| N/A | N/A | C:\Windows\System\lDoHXcv.exe | N/A |
| N/A | N/A | C:\Windows\System\frblhEl.exe | N/A |
| N/A | N/A | C:\Windows\System\YORPPsa.exe | N/A |
| N/A | N/A | C:\Windows\System\JpKYbbV.exe | N/A |
| N/A | N/A | C:\Windows\System\yxyVKGH.exe | N/A |
| N/A | N/A | C:\Windows\System\sNvOlJy.exe | N/A |
| N/A | N/A | C:\Windows\System\lgoZbCR.exe | N/A |
| N/A | N/A | C:\Windows\System\dmshkeY.exe | N/A |
| N/A | N/A | C:\Windows\System\FHWyTpC.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ymJElAa.exe
C:\Windows\System\tOSKlPm.exe
C:\Windows\System\zzgdmEP.exe
C:\Windows\System\OdrnsAh.exe
C:\Windows\System\faSbweA.exe
C:\Windows\System\CPfnvXZ.exe
C:\Windows\System\ZcDkcOc.exe
C:\Windows\System\CGGPUOT.exe
C:\Windows\System\zBAAiUk.exe
C:\Windows\System\DLfLAIZ.exe
C:\Windows\System\osdsLaz.exe
C:\Windows\System\hxtLKws.exe
C:\Windows\System\lDoHXcv.exe
C:\Windows\System\frblhEl.exe
C:\Windows\System\YORPPsa.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2700,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=3644 /prefetch:8
C:\Windows\System\JpKYbbV.exe
C:\Windows\System\yxyVKGH.exe
C:\Windows\System\sNvOlJy.exe
C:\Windows\System\lgoZbCR.exe
C:\Windows\System\dmshkeY.exe
C:\Windows\System\FHWyTpC.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.90.14.23.in-addr.arpa | udp |
Files
C:\Windows\System\ymJElAa.exe
C:\Windows\System\zzgdmEP.exe
| MD5 | 4bc6304f36df7c649e34a4f0df1c36f6 |
| SHA1 | 3aaaa99c61cb51f8a7c3e7da5fb8bda0390af646 |
| SHA256 | 866d60b66547c852c27dc5c806274c4eb8c1e00ef83b8dc39fdf2fbfdaf79f95 |
| SHA512 | 14865653b27ac4a797d7ef42eb158b494853335f59504d1a2f49cf0b23ae048d7fe41044af281928f4cb26f5f6d0dbe295aa1395287ba90b8a043692d894b4ee |
C:\Windows\System\tOSKlPm.exe
| MD5 | e59e87e6eb40f44d4273f8ca2cd4d579 |
| SHA1 | 24bd9f5969ddf7ae31a9ccf9ef924f50c9d2b374 |
| SHA256 | e810a7304a0451d2c9c7c9df19150bbb39c8adc3d7af01bc1ec251e47ba2558c |
| SHA512 | 04edfb05cfd6ea9523121e4b826923c3b3443d22f4310d7770f9d80d079cd0f2b54dce45eb4bc00fa64cb4177433c29dc9f16e5009232d365fed8db41b663306 |
memory/1720-14-0x00007FF669F00000-0x00007FF66A254000-memory.dmp
C:\Windows\System\OdrnsAh.exe
| MD5 | d3a1f18a802f0ac18c6cc751a01528ca |
| SHA1 | ad3c56a0d46da50245e0b3c2cb06127df0404581 |
| SHA256 | 8e53780a9bd31b08b1f681753c5f362e757ea8f9abcae1056807686bb220e241 |
| SHA512 | b76d78f0a119b1c0e2d2a42d40da8081ceb2a3a15ae90df64e7223201ea711fef55d41939a404908a0d2c38389c236021bcd4b9b08b390b87ca9a7fb5cbc8f5e |
memory/3940-26-0x00007FF6E3930000-0x00007FF6E3C84000-memory.dmp
memory/3900-18-0x00007FF7544D0000-0x00007FF754824000-memory.dmp
C:\Windows\System\faSbweA.exe
| MD5 | cca30bc902364fedb3f85c9af854110e |
| SHA1 | a3a4c3e4a46dffa83deaeae1afc0bf523a618c9a |
| SHA256 | 5024a36d3ef9fa01f975b9ee005088807eadf2da15342b6562fd65ca56d11047 |
| SHA512 | 0a0c07c8a3e5d86352d0e601e6d411e43cdb81e6e7d99716818df8efb45cd0b6f93a1a67730d03d0521da19fc8fbf03fbd9ffe667a631ecb9d5cfbfa087b8331 |
memory/3612-34-0x00007FF7F7B80000-0x00007FF7F7ED4000-memory.dmp
C:\Windows\System\ZcDkcOc.exe
| MD5 | 093452cc701d537d5e0636ef396c34f6 |
| SHA1 | 1d8af20edd4e5d584944ea83cddc41e1033b128a |
| SHA256 | d6aaad07d279d94c102fe730e0b92ace8ebc03aa76e8d3a27e2ae9662d00feac |
| SHA512 | 09ac65d18fb45274fb375a23cbd31d6cb3a0b5d4617aaa8f96f0f688a1ed8891f709844a70294297c51f11d7dab059b1fe5d92e4d701efbdd05a2b30e9e96d3d |
C:\Windows\System\CPfnvXZ.exe
| MD5 | bb4e0fca22dca14a09886cc3f4486f89 |
| SHA1 | 9100f4c9679e82c2f5b7efb248eea17567f9c401 |
| SHA256 | d1d1fd60cda142160928852c3a62549b931b3b2185a48c7d058e7f967c39cfb0 |
| SHA512 | 85e1bd7b39cf9efa76fdcb495d7ddec616e5671178a488f209539b5327b87013d3130597356da063b6cb3ff1ca6b5102671dbd80649e162a99cbf2ec3e06ad70 |
C:\Windows\System\zBAAiUk.exe
| MD5 | d8974aa5bf6a8f35cf5a8e4c031b757b |
| SHA1 | d49c7372cc397639b92a20c606c7e22b70da6cee |
| SHA256 | 6b4d1e448535e911f132ab42c437c1b36b8dce8042f94a4ffe7e5623822da272 |
| SHA512 | b858ccb330eb79064978bb15cac53c01a51ff09c282fd8f77491cfb7bd220ad7930f292c4d2fba26ecea61af7db869f0d01244b14ea31a8aaee948be837aa4e5 |
memory/2396-59-0x00007FF782380000-0x00007FF7826D4000-memory.dmp
C:\Windows\System\osdsLaz.exe
| MD5 | 13f3a188ab2bb731e551d06542b08bb3 |
| SHA1 | 070e0bf8b2d1de310aad83598331671a621d8914 |
| SHA256 | 0f7b5d5bea5b1c7f3906da77a4ebc1117993ea7daf5a4d8b84feffcd6a0d2e83 |
| SHA512 | c04efa702a353620fac4e5fe04c2dcc545dafae1b8d52f4f1503558f9c863d5fd15cc717b878cc1994a4c2dd0a75b83a0f906665ef593aa005017b945b4c7201 |
C:\Windows\System\DLfLAIZ.exe
| MD5 | 14d9775facafef3c9edfd3159b1c0318 |
| SHA1 | 1b3ea60dcf89539cb5566f245c0d6953d0e4b38b |
| SHA256 | 125f6ffdd54c51c69f5b893959b8377a3226af0e41e639c6982064b63f93d397 |
| SHA512 | abe2813b74744df3d12b0ea3ea9dfc943cc627c866995d8d386f6c657adbb84aa295f3d8e8d05834a8c1ab994254133c942dd2200b84b5dc945b3b19395418d4 |
memory/2168-60-0x00007FF7435C0000-0x00007FF743914000-memory.dmp
memory/1648-49-0x00007FF6CB790000-0x00007FF6CBAE4000-memory.dmp
memory/2928-53-0x00007FF786130000-0x00007FF786484000-memory.dmp
C:\Windows\System\CGGPUOT.exe
| MD5 | 2f674b9a28914513508c345b37f15910 |
| SHA1 | fb951ca45efc3486532d6eb997864514d1983434 |
| SHA256 | 7dd432f7f24c2f24c7f46ca3b753929df067b6c09692edd8d1c32fe6882d0603 |
| SHA512 | bc2e499c784f6fb4a72c81a4c184bb10c1e1cf1cdc2975af5f045b7430e7f0d7b25cd4781384e0b18dfb79d1be778a8662a171948db1da66c41aa204c4f601ec |
memory/4072-39-0x00007FF621FB0000-0x00007FF622304000-memory.dmp
memory/1744-68-0x00007FF625250000-0x00007FF6255A4000-memory.dmp
memory/1692-67-0x00007FF637F10000-0x00007FF638264000-memory.dmp
C:\Windows\System\hxtLKws.exe
| MD5 | 310c669b19379983a4154293bb5bffc3 |
| SHA1 | 288f7289f3137ef63e70c447ed959b01c151fcc7 |
| SHA256 | dd3faaccc5933e337168842869cb346f6b1d62ae10dbae90e43f4e2aabb5b9e5 |
| SHA512 | 36ca9dda0eb1aca55d4303fbdf4c8f721f4388c7f8aa91c5b997a0e224cc0b298ad186f3eea3844c7797664eeef01cb18b7dd6a808278773aa7ad5088e5160c6 |
C:\Windows\System\lDoHXcv.exe
| MD5 | e9869d346a157063e427774fb28113b9 |
| SHA1 | 04879f98f1fa70eec9370dcf9c4b2f78a296154d |
| SHA256 | a675f71b4315bc8b129a49250bf6c1fd5362990be006a9afe90f9f294875cd40 |
| SHA512 | baa2b43f6b8cf13f4e33a414f98b267fd07ec437e71e5a3a3895219e8eda3847860ab1e266d9369ca1b5426857bed77fb118090d48634687590ed0df2af5017d |
C:\Windows\System\frblhEl.exe
| MD5 | 26282629d367ebee58f3375db844d21f |
| SHA1 | 264324a902ce1fe9cd201756f699536691418971 |
| SHA256 | 92352385acfce3b5c75401d423ce19e19463ffdc7a669a52df4dbd50d4b5adee |
| SHA512 | 8166d0139ee600a5b9eae250dd30f97da4fa9dfabe15c65bed63757bedf747c809c035fb8276c6e411ed6cdecd4be980010e7ac8c38e29e7aa34ad1b6b0d96d3 |
memory/4688-80-0x00007FF736350000-0x00007FF7366A4000-memory.dmp
memory/4000-76-0x00007FF654D80000-0x00007FF6550D4000-memory.dmp
memory/1036-75-0x00007FF737500000-0x00007FF737854000-memory.dmp
memory/3900-88-0x00007FF7544D0000-0x00007FF754824000-memory.dmp
C:\Windows\System\JpKYbbV.exe
| MD5 | dd42d05d9ef4fccdfb5a3bf321098a4a |
| SHA1 | 9cf150a9de9092221a41fdd6a1720ab29a68b42d |
| SHA256 | 8f8ad2d39ca42f3fb539b774bea743562f34d598823e730d29cd5e1355a7a9d0 |
| SHA512 | d1a3f8ccb5382cf1970623047a0c23c80b313b9b834d6b9c37cc3fd606ebddf56eea7120e78067f896dad7cca95629686b1a110832f91fd91e38f6b494fba5aa |
memory/4296-97-0x00007FF6F8A00000-0x00007FF6F8D54000-memory.dmp
C:\Windows\System\YORPPsa.exe
| MD5 | babc3acb970dddd8cb4d20937a78cb1c |
| SHA1 | 588319d4e90846a87e1860888711876c29e173d6 |
| SHA256 | 9d7e651cf643400c4ed770f9ee714615d5edbc39377af6411d86278b9e72d843 |
| SHA512 | 292c449ee337e8cdbd47950981cba191925d2a4b6cf168b56d4ec2dec312997c580733778d4827774df997e789221780bb29e177ef2de380d1b0a8173b128769 |
memory/4108-89-0x00007FF77DE80000-0x00007FF77E1D4000-memory.dmp
memory/1648-103-0x00007FF6CB790000-0x00007FF6CBAE4000-memory.dmp
C:\Windows\System\sNvOlJy.exe
| MD5 | 3c98dfb7a00748886a9fa916ce8a563c |
| SHA1 | 729b2e2f30cf445b229f8b9e198648a2291ca306 |
| SHA256 | 345cb0e57c20ab9669e548bb2e248729ce96cc15a4eae78b7c7202185ff56af4 |
| SHA512 | 09a44f2c16284eb67e32f49c15eb4e9b60ee6c07d71bc388c2641eca2ef1dffec3efbc532a0ec4659630d0ab55310ed26d8a72e1f473e010841560b912572fa2 |
C:\Windows\System\dmshkeY.exe
| MD5 | 8a6821c88226c46787e591c1fb50177e |
| SHA1 | eeee964c9f2915ffab56770da4b4226fa78d1bcc |
| SHA256 | c0d3ec8db99125ecb4d11a04d8c86e33cd98969e7543aa769e6d908f60a50887 |
| SHA512 | 8b2b27c4a4c8d6b6743029bb6a1b4e42b35e17744d24e72f61789356e9c3f63eefeae40cfb9b46bd4001269bd57a12e225fed78a4f1ab2a1abdc1052bdf12252 |
memory/732-125-0x00007FF756800000-0x00007FF756B54000-memory.dmp
C:\Windows\System\FHWyTpC.exe
| MD5 | 552d7b531acad8a311a2cca14a967ea1 |
| SHA1 | ad70e2f6029b23c09e5655dbccf6397cc25efc5b |
| SHA256 | 9e32a7ae2561810413536ae3062c3cf55783896ffc121bd967e7d100dca0e3da |
| SHA512 | cd8d9851e19f4cd182c3e97589aeb94cf9eb94ac8a0ac1965226fd1fb059b10e8566cd27f279d156303f2ecdd5103449444bb2e1472bed1a2cdd5c31ff7e3422 |
memory/2168-127-0x00007FF7435C0000-0x00007FF743914000-memory.dmp
memory/2396-122-0x00007FF782380000-0x00007FF7826D4000-memory.dmp
C:\Windows\System\lgoZbCR.exe
| MD5 | 403d06d74ce4bb838d81ebdd20247eb6 |
| SHA1 | c005f99a09b4a076b208a74ea48dc36e7f60bbca |
| SHA256 | 53ccc9d8fec1335ded41b9874b1a2d1c35038832755f774c3971478292d583de |
| SHA512 | 93c3f1ad5c42b355e0525ffeb4abbd422ca43eb47b0cf5dfd51dd38ed601f8f1b926bb726f3bf8d2398f05cdebf1621554b016830153ca2231d841a58310de19 |
memory/2708-113-0x00007FF617230000-0x00007FF617584000-memory.dmp
memory/1620-112-0x00007FF7152D0000-0x00007FF715624000-memory.dmp
C:\Windows\System\yxyVKGH.exe
| MD5 | 7ff257b502c198af93053799f65cb44a |
| SHA1 | e76a8e228412f6525d9c47e393bc63b0be3531ab |
| SHA256 | cfae498a16bf6100bb450d048af01ff9bedc323cae95819203775bd686887447 |
| SHA512 | d05c96f78af94193b5675ae4871fe6e6136902260e5b919802d6765fd660af556e3970684284575fb96af72743527e02a66c324bf0ce222bdd31dfd7b49e66a4 |
memory/4072-108-0x00007FF621FB0000-0x00007FF622304000-memory.dmp
memory/740-107-0x00007FF7CC9D0000-0x00007FF7CCD24000-memory.dmp
memory/4488-134-0x00007FF7C06E0000-0x00007FF7C0A34000-memory.dmp
memory/4380-133-0x00007FF7AA080000-0x00007FF7AA3D4000-memory.dmp
memory/4688-135-0x00007FF736350000-0x00007FF7366A4000-memory.dmp
memory/2708-137-0x00007FF617230000-0x00007FF617584000-memory.dmp
memory/1620-136-0x00007FF7152D0000-0x00007FF715624000-memory.dmp
memory/1036-138-0x00007FF737500000-0x00007FF737854000-memory.dmp
memory/1720-139-0x00007FF669F00000-0x00007FF66A254000-memory.dmp
memory/3900-141-0x00007FF7544D0000-0x00007FF754824000-memory.dmp
memory/3940-140-0x00007FF6E3930000-0x00007FF6E3C84000-memory.dmp
memory/3612-142-0x00007FF7F7B80000-0x00007FF7F7ED4000-memory.dmp
memory/2928-145-0x00007FF786130000-0x00007FF786484000-memory.dmp
memory/1648-144-0x00007FF6CB790000-0x00007FF6CBAE4000-memory.dmp
memory/4072-143-0x00007FF621FB0000-0x00007FF622304000-memory.dmp
memory/2396-146-0x00007FF782380000-0x00007FF7826D4000-memory.dmp
memory/2168-148-0x00007FF7435C0000-0x00007FF743914000-memory.dmp
memory/1744-147-0x00007FF625250000-0x00007FF6255A4000-memory.dmp
memory/4000-149-0x00007FF654D80000-0x00007FF6550D4000-memory.dmp
memory/4108-151-0x00007FF77DE80000-0x00007FF77E1D4000-memory.dmp
memory/4688-150-0x00007FF736350000-0x00007FF7366A4000-memory.dmp
memory/4296-152-0x00007FF6F8A00000-0x00007FF6F8D54000-memory.dmp
memory/740-153-0x00007FF7CC9D0000-0x00007FF7CCD24000-memory.dmp
memory/732-156-0x00007FF756800000-0x00007FF756B54000-memory.dmp
memory/2708-155-0x00007FF617230000-0x00007FF617584000-memory.dmp
memory/4380-157-0x00007FF7AA080000-0x00007FF7AA3D4000-memory.dmp
memory/4488-158-0x00007FF7C06E0000-0x00007FF7C0A34000-memory.dmp
memory/1620-154-0x00007FF7152D0000-0x00007FF715624000-memory.dmp
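The Network and Files sections above are raw sandbox output, and the work of turning them into something a SOC can hunt with is usually left to the reader. The following Python script is an added example, not part of this report or of any tool the report names: it parses an excerpt of the two tables into hunt-ready indicators, validates hash lengths, counts repeated non-DNS connections (the six TCP contacts to 3.120.209.58:8080), and groups the memory dumps by region size, which shows that the dumps taken from different PIDs all cover one 0x354000-byte image, consistent with the same dropped binary running under many names. The embedded excerpt is copied from the rows above; the parser drops empty table cells so a row whose Domain cell is blank parses whether the blank sits before or after the protocol. Function names, the `type:value` indicator format and the `min_hits` threshold are my own choices. Repeated contact with one non-DNS endpoint is the shape a C2 check-in has, but confirming that this address is a Cobalt Strike team server would need the beacon configuration, which this page does not include.

```python
"""Extract hunt-ready IOCs from a sandbox report excerpt (added example)."""
import re
from collections import Counter, defaultdict

# Rows copied from the Network and Files sections of the report above, embedded
# so the script runs offline. Only a subset of files is included.
REPORT_EXCERPT = r"""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1692-0-0x00007FF637F10000-0x00007FF638264000-memory.dmp
memory/1692-1-0x000001BBB2B60000-0x000001BBB2B70000-memory.dmp
C:\Windows\System\ymJElAa.exe
| MD5 | 3db5144f55b72b29bc52e06677ecf256 |
| SHA1 | 29c5623cb7e96cd314af708485b8c46a37d85160 |
| SHA256 | 1ab1ecf4af95635557246b1986d45eeb514b9d604653b06e3ca41196286e503a |
memory/1036-7-0x00007FF737500000-0x00007FF737854000-memory.dmp
C:\Windows\System\JpKYbbV.exe
| MD5 | dd42d05d9ef4fccdfb5a3bf321098a4a |
| SHA1 | 9cf150a9de9092221a41fdd6a1720ab29a68b42d |
| SHA256 | 8f8ad2d39ca42f3fb539b774bea743562f34d598823e730d29cd5e1355a7a9d0 |
memory/1720-14-0x00007FF669F00000-0x00007FF66A254000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DEST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Parse the report text into connections, per-file hashes and memory dumps."""
    conns, files, dumps = [], {}, []
    current = None  # file path that the following hash rows belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:  # memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
            pid, idx, start, end = m.groups()
            dumps.append({"pid": int(pid), "index": int(idx),
                          "start": int(start, 16), "size": int(end, 16) - int(start, 16)})
            current = None
            continue
        if PATH_RE.match(line):  # a dropped-file path starts a new hash table
            current = line
            files.setdefault(current, {})
            continue
        m = HASH_RE.match(line)
        if m and current:
            algo, value = m.group(1), m.group(2).lower()
            if len(value) != HASH_LEN[algo]:  # a truncated hash is worse than none
                raise ValueError(f"{current}: {algo} has {len(value)} hex chars")
            files[current][algo] = value
            continue
        if line.startswith("|"):  # network row; empty cells are dropped so a
            cells = [c.strip() for c in line.strip("|").split("|")]  # blank Domain
            cells = [c for c in cells if c]  # column parses wherever it lands
            if len(cells) < 3 or cells[0] == "Country":
                continue
            dm = DEST_RE.match(cells[1])
            if not dm:
                continue
            conns.append({"country": cells[0], "ip": dm.group(1), "port": int(dm.group(2)),
                          "domain": cells[2] if len(cells) == 4 else "",
                          "proto": cells[-1].lower()})
    return {"connections": conns, "files": files, "dumps": dumps}


def is_resolver(c):
    """DNS to the sandbox resolver is background noise, not an indicator."""
    return c["port"] == 53 and c["proto"] == "udp"


def beacon_candidates(conns, min_hits=2):
    """Non-DNS endpoints contacted at least min_hits times: the shape of a check-in."""
    hits = Counter((c["ip"], c["port"], c["proto"]) for c in conns if not is_resolver(c))
    return {f"{ip}:{port}/{proto}": n for (ip, port, proto), n in hits.items() if n >= min_hits}


def image_size_groups(dumps):
    """Group dumps by region size; one size across many PIDs means one image."""
    groups = defaultdict(set)
    for d in dumps:
        groups[d["size"]].add(d["pid"])
    return {hex(size): sorted(pids) for size, pids in groups.items()}


def ptr_to_ip(name):
    """Turn a reverse-lookup name (d.c.b.a.in-addr.arpa) back into a.b.c.d."""
    if not name.endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def hunt_iocs(report):
    """Flatten the report into sorted, deduplicated type:value indicator lines."""
    iocs = set()
    for c in report["connections"]:
        if not is_resolver(c):
            iocs.add(f"ipv4:{c['ip']}")
    for path, hashes in report["files"].items():
        iocs.add(f"path:{path}")
        for algo, value in hashes.items():
            iocs.add(f"{algo.lower()}:{value}")
    return sorted(iocs)


if __name__ == "__main__":
    report = parse_report(REPORT_EXCERPT)
    print("beacon candidates:", beacon_candidates(report["connections"]))
    print("dump sizes:", image_size_groups(report["dumps"]))
    print("\n".join(hunt_iocs(report)))
```

Feed the script the full Files section and the size grouping becomes the quick check that the twenty-odd dropped executables are one payload: every `0x354000` region is the same image at a different ASLR base, while the lone `0x10000` region in PID 1692 is heap, not code. The hash lines can go straight into a blocklist; the IP only deserves blocking after the beacon configuration has been pulled from one of those dumps.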