Analysis Overview
SHA256
cddc5acf3291117c12d2349ce4c57a42113ab968aee274303dda47fac483b5e8
Threat Level: Known bad
The file 2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Cobaltstrike
XMRig Miner payload
Xmrig family
xmrig
Cobaltstrike family
UPX dump on OEP (original entry point)
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 06:07
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 06:07
Reported
2024-06-08 06:09
Platform
win7-20240221-en
Max time kernel
130s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\YkorbGt.exe | N/A |
| N/A | N/A | C:\Windows\System\cJtPjQz.exe | N/A |
| N/A | N/A | C:\Windows\System\qwwYMPf.exe | N/A |
| N/A | N/A | C:\Windows\System\ApigdBf.exe | N/A |
| N/A | N/A | C:\Windows\System\zNuuOXM.exe | N/A |
| N/A | N/A | C:\Windows\System\Oryvgmj.exe | N/A |
| N/A | N/A | C:\Windows\System\WYXObMa.exe | N/A |
| N/A | N/A | C:\Windows\System\YFedHVP.exe | N/A |
| N/A | N/A | C:\Windows\System\iEaWjDk.exe | N/A |
| N/A | N/A | C:\Windows\System\CGdOlhL.exe | N/A |
| N/A | N/A | C:\Windows\System\jTYuDih.exe | N/A |
| N/A | N/A | C:\Windows\System\sDNewBY.exe | N/A |
| N/A | N/A | C:\Windows\System\GBJKDlo.exe | N/A |
| N/A | N/A | C:\Windows\System\GurRoZY.exe | N/A |
| N/A | N/A | C:\Windows\System\mSVytSq.exe | N/A |
| N/A | N/A | C:\Windows\System\OhYrskX.exe | N/A |
| N/A | N/A | C:\Windows\System\TwDNkmv.exe | N/A |
| N/A | N/A | C:\Windows\System\tPPkXiN.exe | N/A |
| N/A | N/A | C:\Windows\System\lEyKKie.exe | N/A |
| N/A | N/A | C:\Windows\System\WSvWXzB.exe | N/A |
| N/A | N/A | C:\Windows\System\KtgeVJD.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\YkorbGt.exe
C:\Windows\System\cJtPjQz.exe
C:\Windows\System\qwwYMPf.exe
C:\Windows\System\ApigdBf.exe
C:\Windows\System\zNuuOXM.exe
C:\Windows\System\WYXObMa.exe
C:\Windows\System\Oryvgmj.exe
C:\Windows\System\mSVytSq.exe
C:\Windows\System\YFedHVP.exe
C:\Windows\System\OhYrskX.exe
C:\Windows\System\iEaWjDk.exe
C:\Windows\System\TwDNkmv.exe
C:\Windows\System\CGdOlhL.exe
C:\Windows\System\tPPkXiN.exe
C:\Windows\System\jTYuDih.exe
C:\Windows\System\lEyKKie.exe
C:\Windows\System\sDNewBY.exe
C:\Windows\System\WSvWXzB.exe
C:\Windows\System\GBJKDlo.exe
C:\Windows\System\KtgeVJD.exe
C:\Windows\System\GurRoZY.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 06:07
Reported
2024-06-08 06:09
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\HabbCce.exe | N/A |
| N/A | N/A | C:\Windows\System\miZHQEC.exe | N/A |
| N/A | N/A | C:\Windows\System\ftrZvGP.exe | N/A |
| N/A | N/A | C:\Windows\System\KiiYcTr.exe | N/A |
| N/A | N/A | C:\Windows\System\OSRTLbW.exe | N/A |
| N/A | N/A | C:\Windows\System\CNaXBIR.exe | N/A |
| N/A | N/A | C:\Windows\System\QmMmTCF.exe | N/A |
| N/A | N/A | C:\Windows\System\xSjLAjX.exe | N/A |
| N/A | N/A | C:\Windows\System\WwMxuTO.exe | N/A |
| N/A | N/A | C:\Windows\System\rwykzPi.exe | N/A |
| N/A | N/A | C:\Windows\System\SgVSgsJ.exe | N/A |
| N/A | N/A | C:\Windows\System\UdgRYmW.exe | N/A |
| N/A | N/A | C:\Windows\System\eYsHhFN.exe | N/A |
| N/A | N/A | C:\Windows\System\PYnnljd.exe | N/A |
| N/A | N/A | C:\Windows\System\FmEWLdi.exe | N/A |
| N/A | N/A | C:\Windows\System\kaMiKeg.exe | N/A |
| N/A | N/A | C:\Windows\System\NsUnirQ.exe | N/A |
| N/A | N/A | C:\Windows\System\UkFHbnR.exe | N/A |
| N/A | N/A | C:\Windows\System\MFQzjwq.exe | N/A |
| N/A | N/A | C:\Windows\System\mDTlvan.exe | N/A |
| N/A | N/A | C:\Windows\System\BaEWJek.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\HabbCce.exe
C:\Windows\System\miZHQEC.exe
C:\Windows\System\ftrZvGP.exe
C:\Windows\System\KiiYcTr.exe
C:\Windows\System\OSRTLbW.exe
C:\Windows\System\CNaXBIR.exe
C:\Windows\System\QmMmTCF.exe
C:\Windows\System\xSjLAjX.exe
C:\Windows\System\WwMxuTO.exe
C:\Windows\System\rwykzPi.exe
C:\Windows\System\SgVSgsJ.exe
C:\Windows\System\UdgRYmW.exe
C:\Windows\System\eYsHhFN.exe
C:\Windows\System\PYnnljd.exe
C:\Windows\System\FmEWLdi.exe
C:\Windows\System\kaMiKeg.exe
C:\Windows\System\NsUnirQ.exe
C:\Windows\System\UkFHbnR.exe
C:\Windows\System\MFQzjwq.exe
C:\Windows\System\mDTlvan.exe
C:\Windows\System\BaEWJek.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 52.111.229.43:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 200.201.50.20.in-addr.arpa | udp |
Files
C:\Windows\System\xSjLAjX.exe
| MD5 | 973e745504847d261b762ef158a69bcb |
| SHA1 | f3fbab60c5953457b915de79736c0b30e06f050a |
| SHA256 | c6badbe3d173bfb9b20aac02a3b3c3dabf749116c694e47b69a8148403914e3c |
| SHA512 | 311a7fa53b1f9a5943ca2f01b79ebd9b5673649dcf8b0785b962bc72b711fe3196cd1f8645e45a89328f79736671594eece8af58485f4b271017ba9f6abc36e3 |
C:\Windows\System\WwMxuTO.exe
| MD5 | f7c5e2c0f97cffc89e6dd7183b91bd4f |
| SHA1 | 0758e90eefa07d9c16efe8200436c63be813e721 |
| SHA256 | 0ef3d1461d0f6d96fe82b692638967c0f452942bfc3b020c8df0eba57c320626 |
| SHA512 | e75d9c5523872230d5e597ea4475e5d608543159669291843a8636504b0311fe1e7a5c96c11a4da61c2849a6604a261b4b891cd61d916e527a8a88f94b1f3f64 |
C:\Windows\System\rwykzPi.exe
| MD5 | 44fa346212392a76beac1a780b6cc5eb |
| SHA1 | d2b2ef8774deb3c4acbb3ce554d124e29b697ad4 |
| SHA256 | 9391c7a9f8d316f8a57bc76645b46109a57f4c6e69c6eb66c6d84a501e9666d2 |
| SHA512 | 009bc82b81aaf8aa7083a5a8e8d6575a0987b5c3884c58ccd8f5e45f44b4b83d2fd4c2056092e5adb12ed64f68f4214bff6b62ce87f7fa0b6ad74d8d21ec2841 |
memory/3700-65-0x00007FF6734B0000-0x00007FF673804000-memory.dmp
C:\Windows\System\UdgRYmW.exe
| MD5 | e7f89229e157b4c829fc75eb67c0a4dc |
| SHA1 | 57371f9378e01f8c3537ae9d2c0c2e63571865cc |
| SHA256 | b4f0586e75e7942902feafd831a177e214078686b0f8e01ec8a9b3c113811fa7 |
| SHA512 | b88129c5469257a0f6525422d47835355823841e37be9e301c2ccc8a584a59e27c6ddfc8808657830f464e440bbfb7c006078efeebc06e79be5b9deba749f831 |
C:\Windows\System\eYsHhFN.exe
| MD5 | 8483efb37cfe477c3b959b66d9dac65c |
| SHA1 | dcf7a874474e9bfdf94eef6696d419bde9da86d4 |
| SHA256 | 81862797f9394f97641d96a878fe2d287c7375bf0b75f62c4437ae38f5c9f88a |
| SHA512 | 9bcce724a3a4ee9107147f5586212b3487bbd1d31af76588d9f2747102f7583abbd8db455047112ff6e7ad3dacf30c9131af3a5d2df1045e657ce3c604757d84 |
C:\Windows\System\FmEWLdi.exe
| MD5 | 558c52de2400bcc964fab106d3e778fe |
| SHA1 | 8b5e8c2c6e479c870a4dbe1fdfea363265c449f0 |
| SHA256 | 5d4d6124fb2fe8e2edd52db80d272698a5df654e978804f8f272cdf01b21f262 |
| SHA512 | ee1d87cdfa2963e1b1cdf8db4f124a5354e5f30ea7015c207bca63b317a9ef8942b2384b74291e79b7750fbcefdd505c87404770e1f12b7014fb38a5ad3a8c2e |
C:\Windows\System\BaEWJek.exe
| MD5 | 6d4195caf9d6e2da4b430030f66aeb9d |
| SHA1 | 3efebfad44631f8f65372149525d0a6ae8a7f69f |
| SHA256 | 2bc88d5955feb72d811a888abb6fc9db62d06e5073ae8c820adb36b9f5644a91 |
| SHA512 | cadafe386957adf411b93544f7a04828b2558f279c72954cb2f0c40cd1a1564a608874333862a26417c0fe16d00d0f3d136184d3666575b46cdf989ff1690e77 |
C:\Windows\System\mDTlvan.exe
| MD5 | 5f6403e578d6262fd971e5fe2adf0047 |
| SHA1 | 9e86143dfb6a91e2dba5de1a1102946aa4ee8f65 |
| SHA256 | a1fe805c2e4a1ef796f48742b696d09146ba218ba9e994feb99b03dc9369ea78 |
| SHA512 | dc99faac2ec18d0bd7dfbf8232ae0f7956d69ac04f962a46ac0b70c9d81b64b84aa781c16a152bfedbdd65592484d3fbb652a48998006c5f8bcf706b92d9d7aa |
C:\Windows\System\MFQzjwq.exe
| MD5 | 4ba888b80f3d158f627237f3292e7df7 |
| SHA1 | d0a24b380af6c6cee964537bb3916afb138a8f35 |
| SHA256 | 0c041424dd7ea950e577141d6a4ed924f19c23f63675e5f2e8187bd4add43737 |
| SHA512 | baa2e758c4c82a4d7a698399aad4d48d6c6fe034965f0f4f73335225ba3bc138ec3b40deb9adf0cf65dcce83fa2385d71ed79a6f929d7c82204a1f934530a9d6 |
C:\Windows\System\UkFHbnR.exe
| MD5 | 54a5a812f3116203682e4c734c80f9c0 |
| SHA1 | ca4293392390915d4832b67da0bbaef61a8c957b |
| SHA256 | 47e410feca28fe5f09dbd49e8785244d05994bf37ddec6ab8626c09f6c636f4c |
| SHA512 | ab3c63f776fc727fc143fe6a38f87624de6f1ea1a7a920ae2028a1c7efe4d46dc8ceb9c43ccbb59515abad2b528937438b5fa750684505062e56a6754b89f538 |
C:\Windows\System\NsUnirQ.exe
| MD5 | 02b7b333f6d3214a2a59e3bbab7a1e1b |
| SHA1 | a09abb3fb42e72cf655bb089c831b4674ea4d3c1 |
| SHA256 | d264adcebe1404cb47708857378f08958e2bd5fc7cb31cb3605aa0d86b86a1b7 |
| SHA512 | dfc725e1909046cce6a2d7f0a5a5238ab317298e5548f6f4afbf8d7372ff7a0ca90ed58bfbf5422459e64c2142b5c31495db5e0fc4945cc585550d15f9b94a80 |
C:\Windows\System\kaMiKeg.exe
| MD5 | a68c7dc8a024762550e6b64e75cfac71 |
| SHA1 | 2491720150b50a2eabfa8d9fa6bbfb83aed5127d |
| SHA256 | 9e43289e2c000e7b9166e1123849975435ce2e5d3c96c9e79dbc8c04206a4ee0 |
| SHA512 | 03c4a30fa48f058a53e7c82f8f28b7afde27662391aff2268e85ffde495dbaa827d3f276b5fe0bec5983ed6a08cebd870978cfa653cb5c29c68ad63fb2166e0c |
C:\Windows\System\PYnnljd.exe
| MD5 | afc9012f88fe8af3864c7597fb6558bc |
| SHA1 | 51b8fbb65a5d155cbc63c39a3ebac7e2785d027b |
| SHA256 | 3ddd364bee26f47b2b09ab8cef468f8c09fbbabb0e9bd486f26621f2dd27e837 |
| SHA512 | 288cdc6d15e7c19fcc2093ba73231eae9161dd6d2fbc9b65f40fe3ca7d993f5781d834bd8da7c6fb023c0c80fe88a70914e2737466af69ef3fc4773958615929 |
C:\Windows\System\SgVSgsJ.exe
| MD5 | ffbc7b0d3c876a6fa7e278a744e6c2aa |
| SHA1 | b744039616aebe47e0652524c63700e39b5ba3fb |
| SHA256 | c449494ebfed3607d6b2e5d0e97fe633b3644fc86e6464e70eb92f6bed447584 |
| SHA512 | 373f18e4bc628d24d6682a2dac583c8e756a00a9f5a55d846723ea2679c34afc79a2642c234038fa93e1588f8926e85eab6d1c2dfe6eb8824ff7d8e9b585b039 |
memory/1744-69-0x00007FF6E2040000-0x00007FF6E2394000-memory.dmp
memory/2064-66-0x00007FF6ECDC0000-0x00007FF6ED114000-memory.dmp
memory/3288-59-0x00007FF621370000-0x00007FF6216C4000-memory.dmp
memory/3048-55-0x00007FF7ABD50000-0x00007FF7AC0A4000-memory.dmp
memory/4016-51-0x00007FF75B610000-0x00007FF75B964000-memory.dmp
C:\Windows\System\QmMmTCF.exe
| MD5 | 9d513c2a4bba70e344d93d31c68fd0c2 |
| SHA1 | ddbb64e7c4b32a337d3821fc0d6bd50f15a813e7 |
| SHA256 | 2b1e8141c10eefa65d3c6b1ff3c32bedaacd7ae5151567e0c7f69b2ee297ea37 |
| SHA512 | 0034dc7a281b9f308a2e235ea7d47d13354a267369fe9f6611746afc622ac80b3d27b101969c637acfd8c4736ed6ba01deb65670320515b2c32ec5a73ef5fd6e |
memory/2516-34-0x00007FF65ED70000-0x00007FF65F0C4000-memory.dmp
memory/4088-33-0x00007FF618010000-0x00007FF618364000-memory.dmp
memory/4252-30-0x00007FF6C3310000-0x00007FF6C3664000-memory.dmp
memory/2056-119-0x00007FF6C0F90000-0x00007FF6C12E4000-memory.dmp
memory/1680-120-0x00007FF6C4520000-0x00007FF6C4874000-memory.dmp
memory/5100-121-0x00007FF75DFB0000-0x00007FF75E304000-memory.dmp
memory/2528-122-0x00007FF6BE2A0000-0x00007FF6BE5F4000-memory.dmp
memory/1668-123-0x00007FF754750000-0x00007FF754AA4000-memory.dmp
memory/444-124-0x00007FF689390000-0x00007FF6896E4000-memory.dmp
memory/4840-125-0x00007FF6DA390000-0x00007FF6DA6E4000-memory.dmp
memory/3832-127-0x00007FF789860000-0x00007FF789BB4000-memory.dmp
memory/1944-128-0x00007FF7C0870000-0x00007FF7C0BC4000-memory.dmp
memory/2392-126-0x00007FF774DC0000-0x00007FF775114000-memory.dmp
memory/3216-129-0x00007FF704B50000-0x00007FF704EA4000-memory.dmp
memory/696-130-0x00007FF6C1C90000-0x00007FF6C1FE4000-memory.dmp
memory/4088-131-0x00007FF618010000-0x00007FF618364000-memory.dmp
memory/2516-132-0x00007FF65ED70000-0x00007FF65F0C4000-memory.dmp
memory/3700-133-0x00007FF6734B0000-0x00007FF673804000-memory.dmp
memory/3288-134-0x00007FF621370000-0x00007FF6216C4000-memory.dmp
memory/1744-135-0x00007FF6E2040000-0x00007FF6E2394000-memory.dmp
memory/2452-136-0x00007FF7B2AE0000-0x00007FF7B2E34000-memory.dmp
memory/696-138-0x00007FF6C1C90000-0x00007FF6C1FE4000-memory.dmp
memory/3216-137-0x00007FF704B50000-0x00007FF704EA4000-memory.dmp
memory/4252-139-0x00007FF6C3310000-0x00007FF6C3664000-memory.dmp
memory/4088-140-0x00007FF618010000-0x00007FF618364000-memory.dmp
memory/2516-141-0x00007FF65ED70000-0x00007FF65F0C4000-memory.dmp
memory/4016-142-0x00007FF75B610000-0x00007FF75B964000-memory.dmp
memory/3048-143-0x00007FF7ABD50000-0x00007FF7AC0A4000-memory.dmp
memory/3700-144-0x00007FF6734B0000-0x00007FF673804000-memory.dmp
memory/3288-145-0x00007FF621370000-0x00007FF6216C4000-memory.dmp
memory/2056-146-0x00007FF6C0F90000-0x00007FF6C12E4000-memory.dmp
memory/1744-147-0x00007FF6E2040000-0x00007FF6E2394000-memory.dmp
memory/5100-150-0x00007FF75DFB0000-0x00007FF75E304000-memory.dmp
memory/2528-149-0x00007FF6BE2A0000-0x00007FF6BE5F4000-memory.dmp
memory/1668-148-0x00007FF754750000-0x00007FF754AA4000-memory.dmp
memory/3832-153-0x00007FF789860000-0x00007FF789BB4000-memory.dmp
memory/4840-155-0x00007FF6DA390000-0x00007FF6DA6E4000-memory.dmp
memory/444-154-0x00007FF689390000-0x00007FF6896E4000-memory.dmp
memory/1944-152-0x00007FF7C0870000-0x00007FF7C0BC4000-memory.dmp
memory/1680-151-0x00007FF6C4520000-0x00007FF6C4874000-memory.dmp
memory/2392-156-0x00007FF774DC0000-0x00007FF775114000-memory.dmp