Analysis Overview
SHA256
6ea274aa925818a86a00bd0e3f34b677ae5aac9db0e232694e6238f99b6ec894
Threat Level: Known bad
The file 2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike
UPX dump on OEP (original entry point)
Xmrig family
Detects Reflective DLL injection artifacts
Cobaltstrike family
XMRig Miner payload
xmrig
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 09:04
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 09:04
Reported
2024-06-08 09:06
Platform
win7-20240215-en
Max time kernel
135s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; no description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
52 matches; no description, indicator, process or target recorded.
XMRig Miner payload
54 matches; no description, indicator, process or target recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\PkBjCsn.exe | N/A |
| N/A | N/A | C:\Windows\System\KYhByon.exe | N/A |
| N/A | N/A | C:\Windows\System\opyAfxo.exe | N/A |
| N/A | N/A | C:\Windows\System\kfLuEEy.exe | N/A |
| N/A | N/A | C:\Windows\System\LsLcBaR.exe | N/A |
| N/A | N/A | C:\Windows\System\OLzcbvX.exe | N/A |
| N/A | N/A | C:\Windows\System\kdLkOfz.exe | N/A |
| N/A | N/A | C:\Windows\System\aZQbJPj.exe | N/A |
| N/A | N/A | C:\Windows\System\TzxQAId.exe | N/A |
| N/A | N/A | C:\Windows\System\kOhnqYb.exe | N/A |
| N/A | N/A | C:\Windows\System\ePpTzQk.exe | N/A |
| N/A | N/A | C:\Windows\System\pIYPmda.exe | N/A |
| N/A | N/A | C:\Windows\System\ftUJfRy.exe | N/A |
| N/A | N/A | C:\Windows\System\ZUavGAv.exe | N/A |
| N/A | N/A | C:\Windows\System\rksIDPY.exe | N/A |
| N/A | N/A | C:\Windows\System\NpaMfBR.exe | N/A |
| N/A | N/A | C:\Windows\System\CkhXWsA.exe | N/A |
| N/A | N/A | C:\Windows\System\WFKMele.exe | N/A |
| N/A | N/A | C:\Windows\System\heeOkeT.exe | N/A |
| N/A | N/A | C:\Windows\System\kgYxpJp.exe | N/A |
| N/A | N/A | C:\Windows\System\haOCwEt.exe | N/A |
Loads dropped DLL
UPX packed file
52 matches; no description, indicator, process or target recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\PkBjCsn.exe
C:\Windows\System\PkBjCsn.exe
C:\Windows\System\KYhByon.exe
C:\Windows\System\KYhByon.exe
C:\Windows\System\opyAfxo.exe
C:\Windows\System\opyAfxo.exe
C:\Windows\System\kfLuEEy.exe
C:\Windows\System\kfLuEEy.exe
C:\Windows\System\LsLcBaR.exe
C:\Windows\System\LsLcBaR.exe
C:\Windows\System\OLzcbvX.exe
C:\Windows\System\OLzcbvX.exe
C:\Windows\System\kdLkOfz.exe
C:\Windows\System\kdLkOfz.exe
C:\Windows\System\aZQbJPj.exe
C:\Windows\System\aZQbJPj.exe
C:\Windows\System\TzxQAId.exe
C:\Windows\System\TzxQAId.exe
C:\Windows\System\kOhnqYb.exe
C:\Windows\System\kOhnqYb.exe
C:\Windows\System\ePpTzQk.exe
C:\Windows\System\ePpTzQk.exe
C:\Windows\System\pIYPmda.exe
C:\Windows\System\pIYPmda.exe
C:\Windows\System\ftUJfRy.exe
C:\Windows\System\ftUJfRy.exe
C:\Windows\System\ZUavGAv.exe
C:\Windows\System\ZUavGAv.exe
C:\Windows\System\rksIDPY.exe
C:\Windows\System\rksIDPY.exe
C:\Windows\System\NpaMfBR.exe
C:\Windows\System\NpaMfBR.exe
C:\Windows\System\CkhXWsA.exe
C:\Windows\System\CkhXWsA.exe
C:\Windows\System\WFKMele.exe
C:\Windows\System\WFKMele.exe
C:\Windows\System\heeOkeT.exe
C:\Windows\System\heeOkeT.exe
C:\Windows\System\kgYxpJp.exe
C:\Windows\System\kgYxpJp.exe
C:\Windows\System\haOCwEt.exe
C:\Windows\System\haOCwEt.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2616-0-0x00000000001F0000-0x0000000000200000-memory.dmp
memory/2616-2-0x000000013FD10000-0x0000000140064000-memory.dmp
\Windows\system\PkBjCsn.exe
| MD5 | 010d1eb14a124426e3ed44123460ed71 |
| SHA1 | 412bde327a68f5376f49fc5ff88fba9a20764f38 |
| SHA256 | 7a1458dd7c37c6c0fcd4d1625e769beec0299e6acb36b98f4e78ead1fc3c7a2a |
| SHA512 | d689cabde710536d18cd270d2f3d0e7bf0ab99e602cff8da9dd221bd29fa1997fc98442defaae191f261004daae9984296d15b09593201f9cc0095e2e2995f56 |
memory/2616-6-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/3040-8-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
C:\Windows\system\KYhByon.exe
| MD5 | d56028a7f67e7670639c6df0d60332dc |
| SHA1 | 07a7296c37a4b8203978a8641271b8525377154c |
| SHA256 | 8b20c53461383353c2e1239a4c25856436544e2b06535e930270e0e4bbe34331 |
| SHA512 | bc699b7c0dd71f5ee73e2cc008a1d5251a5015c7a96d80811cc12d20d438ca3f0c64d75844f2d17c55f2699e3c713e730731d41a212e110bf90398fd0e2847ca |
C:\Windows\system\opyAfxo.exe
| MD5 | c0302d361a99561f12dfa5d14564f3db |
| SHA1 | ba205699bed7d0813ae5324589352d136cb36e52 |
| SHA256 | e5470591d85d3c29cf89bd481289eb8ff394a5cd3aea31b566c85663d56662df |
| SHA512 | 1ec893ccce7e10941bcc8866e4c90e4ed6b11a44f5bfc6ef4491071c6821dcc5ad0f2fdbba12b3e97734915979b499ac44516253141149500ec75fcf14b3d68e |
C:\Windows\system\kfLuEEy.exe
| MD5 | 23a993567a4f3a71d41ccea15983ea19 |
| SHA1 | 3fb8c72f8a67274225f834f188f60d03c457855e |
| SHA256 | f40c0495cc376144c29cb9930c58d5036adc56fd4a92273be08786156d065320 |
| SHA512 | 3a5b2c092c39849a9076cd55c1d489632a04a48dfa8c93f291adf05607dc3414e7623490c7d775bd8598523249636adfebbd11848e05ba079063d651d8379f3a |
C:\Windows\system\LsLcBaR.exe
| MD5 | 26ad591567da8d01d706ca5cda50f41e |
| SHA1 | 85cf81a91fd5c1c08a9e2282ed12b5d64ebef801 |
| SHA256 | e52d5d356437160591db88a66c7881d3d2153a3052937130550bedd969dade47 |
| SHA512 | ebcd21b0abc3ae805cbdaa85b1d15351433eab751990de002b435e45990ef118894c86c6d92d48550660fac30c5b51a20f491f7c363ed3ef2d151f9662e3ce12 |
C:\Windows\system\OLzcbvX.exe
| MD5 | 400ea84e424d01b38494ef40af37ba15 |
| SHA1 | c14c68925c52119eeb1a77fd9df2f1833116e1fd |
| SHA256 | 90101176b2d335cf27dec45f85dc6b37ad77a01b7d9b63fdaa2809c252fbb848 |
| SHA512 | 00eff9fe9d9b3e844401ceb27f0ced7726b461e3125b863c4238e2080366a7da4462fa5d50b58d93f89e641a0d3ebf18fbc15191df3b712f562ac850ef2204b2 |
C:\Windows\system\aZQbJPj.exe
| MD5 | d6b7e9087da029a8803f4539628e51e9 |
| SHA1 | fc0fe52e906addb74cf47b6597c4e9fb2456e43d |
| SHA256 | bbfd9264936a0e2a00d7b76089bd18210847370e1457eded66d254c29428c525 |
| SHA512 | 8b3a27cb8296a06d99c65dd8a29c21ccb99aaaf4263df9b27a212a1c9afa2f1d0c9c519aee78f7e899bc412f925a919c2b848f7156cfd23eba14c6e6df679422 |
C:\Windows\system\kOhnqYb.exe
| MD5 | ceff06aed7982bc97b10677f5709dd9e |
| SHA1 | 008e04bf9576dde09ce8d5047e7289397aea189e |
| SHA256 | 880ab6cc3a3408d6265dddb4ae625ffd5f4de28d9083bfbed9fb578438d8e9c2 |
| SHA512 | 577c8300b5bc29b7bc503b7b18fe2052c566055f62a1534ea9a20e9d2ef72b77530cd9316e3df970e0f8ac0525812785eca7063082e9e907f3b7d928df0d5c92 |
C:\Windows\system\NpaMfBR.exe
| MD5 | a40f3a854a279cbe41370f4db5027b1e |
| SHA1 | c7f30292a658396fcd4526ad776632f5c12a6aba |
| SHA256 | 977b1206f3f4c1472999bbd261706af9143a7d72d3dbd80f9070408a8bc8b3bb |
| SHA512 | b544b6600d76b2971d540b7baaf975e6a409cd42804a6d4fc74c080becf0871299f3d82e28d69da4ace5d36666a9f094de66a9b277450d28cd5ec4ccdc045e18 |
C:\Windows\system\WFKMele.exe
| MD5 | 97b3d902457f382ba75656f5cca01f7e |
| SHA1 | 7331d99bd432182ce359dc0aae6f0bb411e8842c |
| SHA256 | 85461ff96705173f1b3f768e501253e9153db925f2e3b9e998d678e71b7a3a22 |
| SHA512 | 5f0a822f8c6bbfab62dd0e82779b80b49aa02dbb9ee64bba82a4facb8dfa35e4e82ce0e708669d5d4fb178ada83cf35203e17cd1a8bd001cd178c6759a2e521c |
C:\Windows\system\kgYxpJp.exe
| MD5 | 4ef0b5f96c395a11c39001002687c867 |
| SHA1 | 8dcb91c9ba23ede035ae69d5a480efcd33e7093e |
| SHA256 | 2bb2bc26545d8dabd8219448c9dbc4a4f06af34eebb3580630ca947a20d7823d |
| SHA512 | 7c5fad93a7a99b2dba099df9eadfe1664b45f0e73e9a7de4f3a85afe54f1dd043c1d072e4b821a7f84638a624855f95b16ed8470f345c433cfed4fd3e8baf29d |
\Windows\system\haOCwEt.exe
| MD5 | bf84ccdfeb55cef0a9517ef9f490e76c |
| SHA1 | 6f5329a43599be1fa8f059bb53ee2a4486f97a84 |
| SHA256 | 39675f0620061cc431b791abf1c4db36738feb580614812c2e5627cf6330d1da |
| SHA512 | be1511d35ce170719e3e93ff7b8a401992318de61bb008e05df12655e2f03a0a788746d8b7e21a5c86dacfea87dcc49af82b70805e2ae85e5f555c5d3fc3e543 |
memory/2616-110-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2628-115-0x000000013F200000-0x000000013F554000-memory.dmp
memory/2508-125-0x000000013F200000-0x000000013F554000-memory.dmp
memory/2616-127-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2616-129-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/548-130-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2948-128-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2936-126-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2616-124-0x000000013F200000-0x000000013F554000-memory.dmp
memory/2432-123-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2616-122-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2396-121-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2616-120-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/2476-119-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2616-118-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2472-117-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2616-116-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2616-114-0x000000013F200000-0x000000013F554000-memory.dmp
memory/2732-113-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2616-112-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2640-111-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2616-109-0x000000013F390000-0x000000013F6E4000-memory.dmp
C:\Windows\system\heeOkeT.exe
| MD5 | 8c8a6650273cef75288e71f0c0a6e2b9 |
| SHA1 | 868c5c5ffc165cd512b345a877ca34792f9a8388 |
| SHA256 | 13d8d119a5e53507d5d786c34cf963a766a431afaaddaf0a6a51f6448b06668f |
| SHA512 | b4e6a6fd3c9d912ae2d173c8da5a4b5a6b64dbc6044c1f88ff4874189e03fb73b5ed658fc7fb7b38929bf9630fbcd2d8669a3425edc3c51b458efa7d93bd1026 |
C:\Windows\system\CkhXWsA.exe
| MD5 | 99fdf9d74952b452a539f7cfc924587b |
| SHA1 | 8f925dfab5d56801e55a0f6b13d8e5ebabc08c6c |
| SHA256 | 6427a06fe66484161318ba1a48474935ea869cf6f3d521132ed941723b86d645 |
| SHA512 | fbac48267bf707834884f45dd1d4ca42d0c7b77beccb8cd5ef744e24986d15e4a3b91698b4c21513ff004a349760d42c5dbb31e85c3004842a60c3374388edb5 |
memory/2616-133-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/2656-134-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2692-132-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2616-131-0x000000013F370000-0x000000013F6C4000-memory.dmp
C:\Windows\system\rksIDPY.exe
| MD5 | 8d398a80689ceef19b102810a6a0f319 |
| SHA1 | d2fe7f476d90e76d791ac8c01d899f2ba13a06ec |
| SHA256 | d196a40c9131d7b557c004d5e06d34f8fc66777d5538938620771fd39c337342 |
| SHA512 | b05d9da39a7b109c8568a3d363dad063b6e6d2e3dad7ec02ad87bf5bbdd97f53e6593dd1b495c73c6162f92e59e8dbd8e9d30ed062d776de4ba87f59ae94536b |
C:\Windows\system\ZUavGAv.exe
| MD5 | 9f2af2d903b29f3f3d83d3b99b9742a1 |
| SHA1 | d01eb7ca958d0f9d24de7fbf07ed18f2d6a4c308 |
| SHA256 | d401b0962288b0e89da560f8db88fdff77e76fa83f98ca6649547940bbc537b5 |
| SHA512 | 3be189df930d3472cb7de732fdae3cb8b06ce9904af16d5f2638b641ff6361ffa3037ad1cd84ee404fe89fb66b1314906ffa298a140fd58c64fc5ad76a8f20bd |
C:\Windows\system\ftUJfRy.exe
| MD5 | a98954c50aae9dd7c13cb8b3618eaa1a |
| SHA1 | b98785706fb3d451a959b9dfc973e0a25616b5a1 |
| SHA256 | d174bb69c26226e4e5fac612f71d959e2495ad8a3eff7ade3ac68d8b421f4ff7 |
| SHA512 | 240340424a57d314eddf3f7c411e6656a60149a3ddb2e50daa2f5aa0dcfb7c7f315b7863ea7b6fd3b1ba0ed472cc951e479ff2433094f2cb107cfda5e74024f6 |
C:\Windows\system\ePpTzQk.exe
| MD5 | 089b2b7463f783e217d73b8ec4669e87 |
| SHA1 | 74598a0e73c83aeab760b8651fe7794ac9cb167b |
| SHA256 | 7e70e65a954eb76794a69f412b59503dd67f3558b1b8f25313fa98a0776eadb1 |
| SHA512 | 9d8a31b7ea0160c5c3cb6886ec180b69bc46b58e3b88bc0d0f0804c0cfb270386025d47b578150b83bb548c6360627996fe92b8fd9eac6328ef1f396e406ae3d |
C:\Windows\system\pIYPmda.exe
| MD5 | f31afc802c6720053625fed465f16413 |
| SHA1 | c6f795cb53170b81595e127450eb3d20c595c286 |
| SHA256 | a9300b3adbd830f2b62dac3d3222e1f0800c8f32dfc132d9b586a38238d6923e |
| SHA512 | 5f1fbf4cdde880be30e8b57b214b75af3a3bb39da85a9f4a17c8de4ef09acdf807a2a74a50e247cde6a682be1f9b1d77f77e02a06c583ca817ab7cbab794a2cc |
C:\Windows\system\TzxQAId.exe
| MD5 | 0ef483813706cd1b2eff360ef2aac989 |
| SHA1 | 2d19c2d6820200ce1b27e5c088651645b97b8a02 |
| SHA256 | cc222c1691d4970eaefd938592a48ca08694b2bf0898106b2e880593e2d01336 |
| SHA512 | e201996005a448648f0313ac5f8b7e5b667743cd257556da00066b75974d807710e2a095705aabaa992847db61f596a797c2664592ff3c94e40a1d581d59a6a4 |
C:\Windows\system\kdLkOfz.exe
| MD5 | d39cad1019ff3a58a8d8617884d0e53a |
| SHA1 | 79780703a46f456a6590e9243db9410758fdb1c6 |
| SHA256 | d3f0d1c3554a5f84e28b727d2f212af1ff59a5c6d6908968d13610e4422e34b7 |
| SHA512 | 599d228dbba16e0fff8fd0ceb9ae40d645fbed025fdb63276a62108528076095a250889b69f5458f9dc1722f2ef895fc313a8fd0853e813f44166922f95c2a76 |
memory/2616-135-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/3040-136-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/3040-137-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/2656-138-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2640-139-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2732-140-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2628-141-0x000000013F200000-0x000000013F554000-memory.dmp
memory/2472-142-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2476-143-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2396-144-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2432-145-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2508-146-0x000000013F200000-0x000000013F554000-memory.dmp
memory/2936-147-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2692-150-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/548-149-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2948-148-0x000000013F960000-0x000000013FCB4000-memory.dmp
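The memory artifacts listed above encode the process ID, a sequence number and the dumped address range in their file names, and the same naming appears in the behavioral2 Files list. The script below is an added example, not part of the sandbox report: it parses a constructed subset of those names copied from this page (the scheme `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` is assumed from what is shown), computes region sizes, and lists child regions whose address range exactly matches one dumped from the parent PID 2616. In the subset every dump except the first is 0x354000 bytes, and the parent holds a copy of each child's range, which is consistent with the WriteProcessMemory signature recorded for this sample.

```python
"""Parse sandbox memory-dump artifact names and compare regions across processes."""
import re
from collections import Counter
from typing import List, NamedTuple, Tuple

# Assumed naming scheme, taken from how the artifacts appear on this page:
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


class Region(NamedTuple):
    pid: str
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


# Constructed subset of the artifact names from the behavioral1 Files list.
SAMPLE_DUMPS = [
    "memory/2616-0-0x00000000001F0000-0x0000000000200000-memory.dmp",
    "memory/2616-2-0x000000013FD10000-0x0000000140064000-memory.dmp",
    "memory/2616-6-0x00000000023D0000-0x0000000002724000-memory.dmp",
    "memory/3040-8-0x000000013FAA0000-0x000000013FDF4000-memory.dmp",
    "memory/2616-110-0x000000013F6F0000-0x000000013FA44000-memory.dmp",
    "memory/2640-111-0x000000013F6F0000-0x000000013FA44000-memory.dmp",
    "memory/2616-112-0x000000013F270000-0x000000013F5C4000-memory.dmp",
    "memory/2732-113-0x000000013F270000-0x000000013F5C4000-memory.dmp",
]


def parse_dump_name(name: str) -> Region:
    """Turn one artifact name into a Region with integer addresses."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a memory dump artifact name: {name}")
    return Region(m["pid"], int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def region_sizes(names) -> Counter:
    """Histogram of region sizes; one dominant size means the same image was mapped repeatedly."""
    return Counter(parse_dump_name(n).size for n in names)


def shared_regions(names, parent_pid: str) -> List[Tuple[str, int, int]]:
    """Child regions whose address range exactly matches a region dumped from the parent."""
    regions = [parse_dump_name(n) for n in names]
    parent_ranges = {(r.start, r.end) for r in regions if r.pid == parent_pid}
    return [
        (r.pid, r.start, r.end)
        for r in sorted(regions, key=lambda r: r.seq)
        if r.pid != parent_pid and (r.start, r.end) in parent_ranges
    ]


if __name__ == "__main__":
    for size, n in region_sizes(SAMPLE_DUMPS).most_common():
        print(f"{n} region(s) of 0x{size:X} bytes")
    for pid, start, end in shared_regions(SAMPLE_DUMPS, "2616"):
        print(f"pid {pid}: 0x{start:X}-0x{end:X} was also dumped from parent 2616")
```

Run against the full artifact list, the size histogram separates the dropper's own image and heap regions from the repeatedly written 0x354000-byte payload, and the shared-range check gives the list of processes the parent wrote into without needing the sandbox's own process tree.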
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 09:04
Reported
2024-06-08 09:06
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; no description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
64 matches; no description, indicator, process or target recorded.
XMRig Miner payload
64 matches; no description, indicator, process or target recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\TUVOMTf.exe | N/A |
| N/A | N/A | C:\Windows\System\WHaBAXc.exe | N/A |
| N/A | N/A | C:\Windows\System\PhhfwHr.exe | N/A |
| N/A | N/A | C:\Windows\System\KnwEZor.exe | N/A |
| N/A | N/A | C:\Windows\System\bTIWWIM.exe | N/A |
| N/A | N/A | C:\Windows\System\RUeQpcj.exe | N/A |
| N/A | N/A | C:\Windows\System\uGIVGVI.exe | N/A |
| N/A | N/A | C:\Windows\System\tgCXGRN.exe | N/A |
| N/A | N/A | C:\Windows\System\Vjpfpaf.exe | N/A |
| N/A | N/A | C:\Windows\System\woqEzcE.exe | N/A |
| N/A | N/A | C:\Windows\System\BbVkmLf.exe | N/A |
| N/A | N/A | C:\Windows\System\obUFaEJ.exe | N/A |
| N/A | N/A | C:\Windows\System\dBsVzWk.exe | N/A |
| N/A | N/A | C:\Windows\System\CZgaMfJ.exe | N/A |
| N/A | N/A | C:\Windows\System\iQdFyVA.exe | N/A |
| N/A | N/A | C:\Windows\System\WNORmkU.exe | N/A |
| N/A | N/A | C:\Windows\System\SlnGsVg.exe | N/A |
| N/A | N/A | C:\Windows\System\TBhMmKk.exe | N/A |
| N/A | N/A | C:\Windows\System\SLebjxk.exe | N/A |
| N/A | N/A | C:\Windows\System\rQGbmFu.exe | N/A |
| N/A | N/A | C:\Windows\System\lcWZwPS.exe | N/A |
UPX packed file
64 matches; no description, indicator, process or target recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\TUVOMTf.exe
C:\Windows\System\TUVOMTf.exe
C:\Windows\System\WHaBAXc.exe
C:\Windows\System\WHaBAXc.exe
C:\Windows\System\PhhfwHr.exe
C:\Windows\System\PhhfwHr.exe
C:\Windows\System\KnwEZor.exe
C:\Windows\System\KnwEZor.exe
C:\Windows\System\bTIWWIM.exe
C:\Windows\System\bTIWWIM.exe
C:\Windows\System\RUeQpcj.exe
C:\Windows\System\RUeQpcj.exe
C:\Windows\System\uGIVGVI.exe
C:\Windows\System\uGIVGVI.exe
C:\Windows\System\tgCXGRN.exe
C:\Windows\System\tgCXGRN.exe
C:\Windows\System\Vjpfpaf.exe
C:\Windows\System\Vjpfpaf.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3124,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=4660 /prefetch:8
C:\Windows\System\woqEzcE.exe
C:\Windows\System\woqEzcE.exe
C:\Windows\System\BbVkmLf.exe
C:\Windows\System\BbVkmLf.exe
C:\Windows\System\obUFaEJ.exe
C:\Windows\System\obUFaEJ.exe
C:\Windows\System\dBsVzWk.exe
C:\Windows\System\dBsVzWk.exe
C:\Windows\System\CZgaMfJ.exe
C:\Windows\System\CZgaMfJ.exe
C:\Windows\System\iQdFyVA.exe
C:\Windows\System\iQdFyVA.exe
C:\Windows\System\WNORmkU.exe
C:\Windows\System\WNORmkU.exe
C:\Windows\System\SlnGsVg.exe
C:\Windows\System\SlnGsVg.exe
C:\Windows\System\TBhMmKk.exe
C:\Windows\System\TBhMmKk.exe
C:\Windows\System\SLebjxk.exe
C:\Windows\System\SLebjxk.exe
C:\Windows\System\rQGbmFu.exe
C:\Windows\System\rQGbmFu.exe
C:\Windows\System\lcWZwPS.exe
C:\Windows\System\lcWZwPS.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
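The process list and network rows above, and the same pattern in behavioral1, are enough to write a behavioural detection. The script below is an added example, not sandbox output or a rule from the report. It parses constructed key=value telemetry assembled from this page (the dropped-file paths, the SeLockMemoryPrivilege token request and the 3.120.209.58:8080 endpoint are from the report; PIDs, parent links and which process made the connection are assumed) and flags the three behaviours worth alerting on: one parent launching several seven-letter executables from C:\Windows\System, a request for SeLockMemoryPrivilege (the privilege XMRig needs to back its memory with large pages on Windows), and a connection to the known C2 endpoint.

```python
"""Behavioural detection for the dropper pattern in this report, run over constructed telemetry."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Seven-letter mixed-case names directly under C:\Windows\System, as in the report.
# The length and character class are this example's generalisation of the 42 names seen.
DROPPED_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")
# Privilege XMRig requests so it can allocate large pages on Windows.
LOCK_MEMORY = "SeLockMemoryPrivilege"
# C2 endpoint contacted in both detonations.
KNOWN_C2 = {("3.120.209.58", 8080)}
# Alert once a single parent has launched this many matching executables.
MIN_CHAIN = 3

# Constructed key=value events (not sandbox output). Paths, privilege and endpoint
# are from the report; PIDs, parent links and the connecting process are assumed.
SAMPLE_EVENTS = [
    "type=process_create pid=2616 ppid=1180 image=C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe",
    "type=process_create pid=3040 ppid=2616 image=C:\\Windows\\System\\PkBjCsn.exe",
    "type=process_create pid=2640 ppid=2616 image=C:\\Windows\\System\\KYhByon.exe",
    "type=process_create pid=2732 ppid=2616 image=C:\\Windows\\System\\opyAfxo.exe",
    "type=privilege_adjust pid=2616 privilege=SeLockMemoryPrivilege",
    "type=network_connect pid=2616 dst=3.120.209.58 dport=8080 proto=tcp",
    # benign activity that must not fire
    "type=process_create pid=4120 ppid=700 image=C:\\Windows\\System32\\svchost.exe",
    "type=network_connect pid=4120 dst=8.8.8.8 dport=53 proto=udp",
]

Finding = Tuple[str, str, str]  # (rule, pid, detail)


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v k=v' into a dict; a value runs until the next ' key=' so paths survive."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def detect(lines) -> List[Finding]:
    """Apply the three rules to a sequence of event lines and return the findings."""
    findings: List[Finding] = []
    children = defaultdict(list)  # ppid -> images matching DROPPED_EXE
    for raw in lines:
        ev = parse_event(raw)
        kind = ev.get("type")
        if kind == "process_create" and DROPPED_EXE.match(ev.get("image", "")):
            children[ev["ppid"]].append(ev["image"])
        elif kind == "privilege_adjust" and ev.get("privilege") == LOCK_MEMORY:
            findings.append(("lock_memory_privilege", ev["pid"], LOCK_MEMORY))
        elif kind == "network_connect" and (ev.get("dst"), int(ev.get("dport", 0))) in KNOWN_C2:
            findings.append(("known_c2", ev["pid"], f"{ev['dst']}:{ev['dport']}"))
    for ppid, images in children.items():
        if len(images) >= MIN_CHAIN:
            findings.append(
                ("dropped_exe_chain", ppid, f"{len(images)} executables launched from C:\\Windows\\System")
            )
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

The chain rule counts per parent rather than firing on the first matching name, because a single odd executable under C:\Windows\System is a weak signal; in this sample the parent launches 21, so any threshold of a few is safe. The privilege and C2 rules are exact matches and should be kept as separate findings so the miner and beacon halves of the sample can be triaged independently.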
Files
memory/4808-0-0x00007FF7143F0000-0x00007FF714744000-memory.dmp
memory/4808-1-0x00000285D4C10000-0x00000285D4C20000-memory.dmp
C:\Windows\System\TUVOMTf.exe
| MD5 | 919ba07af50e10f0ef22abec1bb151bd |
| SHA1 | 8dd462dec3fd50711c41be0f9b6e10e642b88558 |
| SHA256 | 8c842b53946eea50200ae5ba5ba5da6b695096a6acccb08095b6b7e129149e98 |
| SHA512 | 3a56d33123ebe2efa1a78524a111b8f296562c079180bc6985b3c9cac83a70a591bc673f183994a1a60a836672cda5c1b0257fd13a28a1e5affebe9243451226 |
memory/3612-9-0x00007FF6BD350000-0x00007FF6BD6A4000-memory.dmp
C:\Windows\System\PhhfwHr.exe
| MD5 | dd69d2c7870b390a01068ee49100487a |
| SHA1 | 6d0972150b5c5e73cada6db944dda2b9f3503c89 |
| SHA256 | a21f9eb4f5bee9e6034f9fe293ff5d0ef51560380b9b477ccfe095e7a88b55ac |
| SHA512 | 0658fe21ea52852e90748ff598a36df6cf887efb6c3b5c05f44886942b5f0a65ff5c40de890a6ce786c10e652b4e28b67ed503b1e5710c9bb1a9918ce59ef5c6 |
C:\Windows\System\WHaBAXc.exe
| MD5 | 2a0ee99c29716ef0795f2fa85088c321 |
| SHA1 | 87b76e7e0f55c7a6e909f62aa0d30be9a09491e2 |
| SHA256 | abb0b9d35c368a31b599492317cb73b548e7835a802157303b1b8e452bee2235 |
| SHA512 | d7cee8aa4574a9650b9259520dc1121a5747d001c2ac9d58dbd4d130d9dfb61ad49edbf3cd82be0709549b21ff4bccc60475295353a8de69a8ac56c53edea18f |
memory/3124-20-0x00007FF626040000-0x00007FF626394000-memory.dmp
memory/1556-16-0x00007FF78D340000-0x00007FF78D694000-memory.dmp
C:\Windows\System\KnwEZor.exe
| MD5 | 4020239607cc08b80016026a95ec10cb |
| SHA1 | 951c2b2faf6c6ea3e337ae26b2d94c6b7721d680 |
| SHA256 | 49c64985d73baee13f66119725e9670cda64ab90ff20fc17fc26b105dad11950 |
| SHA512 | 0c602362562d081c7c4d659f93004d892e0f3f4c2757f277c4fb74bb1e0a1fdd21ed1269f8e6d5b7db6342922d492ece542c70674b0b5c22f74333019c18ceb4 |
C:\Windows\System\bTIWWIM.exe
| MD5 | b4d6a702de531acc326d6ca2f01f9911 |
| SHA1 | 9af352c25147595db57367a94082fcb8e1b82e4a |
| SHA256 | e067f7a5720864080e04dbe19e37db2e2451ed8886e911047bfeb210cf228f3a |
| SHA512 | 112f5b098e1615b6886273b23b995f472d6a490f0ad7380af3f8dba004b3248a9862d811d4437916376f95ee643b8db937b471537cc68753d3736b5138fc3c4f |
C:\Windows\System\RUeQpcj.exe
| MD5 | 3e380138fae5a4e3654574eed80814c7 |
| SHA1 | 1f76bbdb56bd5106971070021ba156197a6e722e |
| SHA256 | d0647a206c7ba5f0051bd0fdf4541b77332d305e7de50d54515a14762a2b382b |
| SHA512 | 0d8507aeec7009d30c34bfe20345cf2575d64edbac699df42ca04e7da14157d6c32e451edc217ae345b253d13b3277c5717108da70efd4540bc3fc95c2578cdf |
C:\Windows\System\uGIVGVI.exe
| MD5 | 661f2549669cf10b2a08bc1ad8f9d5af |
| SHA1 | 73a4ebf657f5a83c961418162f517e8d4ba1a8ce |
| SHA256 | 3859a375f8d92a56e65e218909874dd084454eec61aa827ca28de5b2880b5193 |
| SHA512 | 6ba00e9553a200104ea2488e39ffcf06f060544bbcbd8fc328f6f26473823b510fd24dc7ae0965f223f450e4be846796bb5b914fe2a24e86d7b437834beeb768 |
memory/3564-42-0x00007FF798100000-0x00007FF798454000-memory.dmp
memory/1232-40-0x00007FF6CF380000-0x00007FF6CF6D4000-memory.dmp
memory/3528-33-0x00007FF6FA390000-0x00007FF6FA6E4000-memory.dmp
memory/4504-24-0x00007FF66B010000-0x00007FF66B364000-memory.dmp
C:\Windows\System\tgCXGRN.exe
| MD5 | 8c548bf9b36aec9bcc02a04795549411 |
| SHA1 | ec63a9233ccdfa74b5a5bbea9fcd413d3508a005 |
| SHA256 | 58ced8dd4c3b0c65ba9b2b31bdf38bf828482e7cdb29bf10466e1ea587e50c72 |
| SHA512 | f1687efc1aa085640036f58f8c521dc58caae46899b726dcd9d5d5b6284b71ffeb63927bfa37ec52d2976b486204bf213ff72ec592150fb9b999da3a1f4af52f |
C:\Windows\System\Vjpfpaf.exe
| MD5 | 38bb1cc5ce9c50c59fc7e6625fc1051b |
| SHA1 | 90fbfb44af7ef264fbe3e41987bb5e5c2a911b0c |
| SHA256 | fc1e69b28f3a589ccbd1dd8d6268904c00a9dc9712aaa6f80e32a2ec68a3ce82 |
| SHA512 | 30f27fd342115f1bdfe1663f6724f42696870c125f8268eca58d533641c89e40ed465f3e6c874dd4bbb26a8d31cc7966cfc7e09925b50bc6ed6dfe37f1769e65 |
memory/1832-50-0x00007FF7B28F0000-0x00007FF7B2C44000-memory.dmp
C:\Windows\System\woqEzcE.exe
| MD5 | 0310000481264d4644f1b7b483298a8e |
| SHA1 | 6e1ab3708276c0b32d9324ea8a5fab4851a64f8e |
| SHA256 | 18912905b1e2f6265371c67f72371e86b54f63279719da9c35a70fc64d1cae55 |
| SHA512 | 6db30427dce98e04281a2ea247ec693fec7218c406b8aefeb3f55ce974e81c105e3b9515a1fd69ca3dac37ce1dd90c3c7f2b5267297366373bf6e44093308bb8 |
C:\Windows\System\BbVkmLf.exe
| MD5 | 66fb32c59a6dfabe7080dcf9ed9773dc |
| SHA1 | 76e5139cefa75c544a10a192c7fe162bb42ffbcc |
| SHA256 | 0455d973d087e3da827702e0c901bae85065ddb0562aea2bc6160594d2cb9b0c |
| SHA512 | 0e318ab66796eaa43776950f9fe3285d8b85617e081e59c4e4dd86c5c2be93b9a37afd7da43f501d9dfe30febd65e26418c0b40a9a3a2e420460d61f96b95b86 |
C:\Windows\System\dBsVzWk.exe
| MD5 | 26b3bdffac4221d92d08b4ed8b37d683 |
| SHA1 | 53071baea2f74a14357562c6fe413ed077c00755 |
| SHA256 | 6d6cfe285bf81c625dabc9f6b13438abd4cc83a9701cbe707f2d554290e1cb46 |
| SHA512 | 7ff0a31446022e2af2f64e78a27eec248b9f008e0a4e04d1289633d3aaf91fa9a1a7022d2de3e256d708b3af289d0b8bdceb7ff8e487103ddbfbc2e306b0fa39 |
C:\Windows\System\CZgaMfJ.exe
| MD5 | 670f46d4287d813f57bdba762ed824f9 |
| SHA1 | 46ec1b07a241d7822a0844c15f3106b09288f52f |
| SHA256 | 6ccbd18ce33c460715ff524f8326c479015ddee700640abdfaffa1da14446c80 |
| SHA512 | 373f332a6607cb9f98fd66d059ba9d95328ebaff3aee0ebc78ec873095a218a3560984d2b92c79a0aad30559d8b5ea9f245c8a32959b9c9a4e65ab59a4b8667f |
memory/628-90-0x00007FF71D570000-0x00007FF71D8C4000-memory.dmp
C:\Windows\System\iQdFyVA.exe
| MD5 | 2e0cf3e559228f769f5c8981851509a3 |
| SHA1 | 1bc2fdb90d7c21591ed3747098a0e89f39936180 |
| SHA256 | 109954158e5a81b2f951c20a28b771d5ce4f509258bbc70f9e323adb2643445d |
| SHA512 | 2b1e8129931a74420250d902929026afe7adc44cd5c61321714a7240b7d052bac4e4e7555b1fb9a9506667f3ee83e1b52960c3851aeea61d498b3f94bd733b8d |
memory/1232-92-0x00007FF6CF380000-0x00007FF6CF6D4000-memory.dmp
memory/3528-91-0x00007FF6FA390000-0x00007FF6FA6E4000-memory.dmp
memory/4504-89-0x00007FF66B010000-0x00007FF66B364000-memory.dmp
memory/3384-88-0x00007FF736C50000-0x00007FF736FA4000-memory.dmp
memory/4584-83-0x00007FF606E40000-0x00007FF607194000-memory.dmp
C:\Windows\System\obUFaEJ.exe
| MD5 | ccf05b8efc767b25ae20a6954262e776 |
| SHA1 | cdbfdea60af30146b111ded01bd754915503df53 |
| SHA256 | 48c9d4ee8e75c8719c5463daba5ad51fe680bd9724f8a4690fdf70e4aed56151 |
| SHA512 | a8e49b07361a4a58133097c566fc24336bed26e24e72a36b9d6c30f3859ed82d7ce19482d49b43b36220026cd2c2e378e5f096cbe999baa2c5be85e40b3edf88 |
memory/2760-78-0x00007FF759740000-0x00007FF759A94000-memory.dmp
memory/4780-70-0x00007FF7334A0000-0x00007FF7337F4000-memory.dmp
memory/2364-68-0x00007FF742DF0000-0x00007FF743144000-memory.dmp
memory/4808-64-0x00007FF7143F0000-0x00007FF714744000-memory.dmp
memory/3996-56-0x00007FF64A930000-0x00007FF64AC84000-memory.dmp
C:\Windows\System\WNORmkU.exe
| MD5 | a7e44af4ac5fe58c4dec42d63b358a2d |
| SHA1 | e3d2e18f59d989d26c50e1e1cbcbe85610f8832e |
| SHA256 | ea97a78f3edbb390dad6bff0241dd03cb1884a09bbf144413428b5d18afb7d9d |
| SHA512 | c4dac3bea8b9f001b5f724f21246507df775ff7d614aa6b4bcefbe7f68afeb39f4879cccbc6c604243b3ee5793c2cb295a262b6b72f04c1f6805dd9fd71c51e2 |
memory/4676-105-0x00007FF6C5A00000-0x00007FF6C5D54000-memory.dmp
memory/3564-104-0x00007FF798100000-0x00007FF798454000-memory.dmp
C:\Windows\System\TBhMmKk.exe
| MD5 | ce27105b4bd16bea0482d052065281f4 |
| SHA1 | 9238b96d7fc2b1df0f64c02dab699d768be753cc |
| SHA256 | de695b222be23a3c48ba8a424ceb693c4d20b3a3a83aa1a337ef41c908e95230 |
| SHA512 | 44f13320674abc60e98c28e4d9df8c9209ed93c34a9f32b9e041f10120129142359f35b0c00f2b34985457430354bbb0940c662c87bdb8cb85790f2703e70810 |
C:\Windows\System\SlnGsVg.exe
| MD5 | 1e3d9950f0ef208f876dcbaebb61bfcf |
| SHA1 | f7db24b834d0a2176ef518676bd3b35d41d09418 |
| SHA256 | c50aec4018ac7eb65f6921a3ed5e89c5c421e74ba1af16a025ee226027a32076 |
| SHA512 | 429097d5b771e96ec8c9da602a2c729dc5aa8c56ee265bbb6fa0bfd89854909eb6f7acb33bce6c761b69999ddd88cf065c582236f471c0aa52d459d3ed8b3405 |
C:\Windows\System\SLebjxk.exe
| MD5 | a7a0691f83f3901d3c94524f1218ce7e |
| SHA1 | e9e615f5afc6e241950f61bbc391fb43e5046b1f |
| SHA256 | 1b91324f6c2f6d5dff6d12b6aeadb3a8080372a54cc129bf5e5fb88c25c3dfa4 |
| SHA512 | bf439343201bb270565b3e4b5c7d6ebcab142886f7be9877f56d5cc174dd9023dab4e2ed335afa98a10f6006974480fd6504f69792d937d65e83fa600663a47f |
memory/4592-119-0x00007FF64ECC0000-0x00007FF64F014000-memory.dmp
memory/2684-112-0x00007FF658A50000-0x00007FF658DA4000-memory.dmp
memory/2904-111-0x00007FF6021F0000-0x00007FF602544000-memory.dmp
C:\Windows\System\rQGbmFu.exe
| MD5 | 0dcc90008ea269d55274d3cd8ad2cc76 |
| SHA1 | 62e6a5b580b3d08b65c5037c6ba78b007e46a8f0 |
| SHA256 | 908bed583ad69012f77cca8b120bc902e62dfb7f4d3cbae2d875246853229536 |
| SHA512 | 2a271efe7202c8fe56b53cfb54208d06add62a49689639257761276011c20549fdd12dda90927867e36d991a0d257a978ccbe3939cffb83e5d782b0313bc754e |
memory/4192-127-0x00007FF605F10000-0x00007FF606264000-memory.dmp
memory/3996-126-0x00007FF64A930000-0x00007FF64AC84000-memory.dmp
C:\Windows\System\lcWZwPS.exe
| MD5 | 050a2b01047d1ad6cb8ce07c86e42433 |
| SHA1 | 22af2e3a4fa130087f02941bc8900846c1c41ee2 |
| SHA256 | 70defd32b17c8b0255052f3f7bfc27b60146ed93b28c993705ff03d049f2cd1a |
| SHA512 | 8745b774a4eae34eb2a4a790be259de8123dc1bf6b8935b3939a44c6dab23568058cf2d8446af549f3bb58be21787f7d5eb70941943ee65a5ef06138063a0a8a |
memory/1244-132-0x00007FF662E70000-0x00007FF6631C4000-memory.dmp
memory/4780-134-0x00007FF7334A0000-0x00007FF7337F4000-memory.dmp
memory/2760-135-0x00007FF759740000-0x00007FF759A94000-memory.dmp
memory/4584-136-0x00007FF606E40000-0x00007FF607194000-memory.dmp
memory/3384-137-0x00007FF736C50000-0x00007FF736FA4000-memory.dmp
memory/628-138-0x00007FF71D570000-0x00007FF71D8C4000-memory.dmp
memory/2904-139-0x00007FF6021F0000-0x00007FF602544000-memory.dmp
memory/2684-140-0x00007FF658A50000-0x00007FF658DA4000-memory.dmp
memory/4592-141-0x00007FF64ECC0000-0x00007FF64F014000-memory.dmp
memory/4192-142-0x00007FF605F10000-0x00007FF606264000-memory.dmp
memory/3612-143-0x00007FF6BD350000-0x00007FF6BD6A4000-memory.dmp
memory/1556-144-0x00007FF78D340000-0x00007FF78D694000-memory.dmp
memory/3124-145-0x00007FF626040000-0x00007FF626394000-memory.dmp
memory/4504-146-0x00007FF66B010000-0x00007FF66B364000-memory.dmp
memory/3528-147-0x00007FF6FA390000-0x00007FF6FA6E4000-memory.dmp
memory/1232-148-0x00007FF6CF380000-0x00007FF6CF6D4000-memory.dmp
memory/3564-149-0x00007FF798100000-0x00007FF798454000-memory.dmp
memory/1832-150-0x00007FF7B28F0000-0x00007FF7B2C44000-memory.dmp
memory/3996-151-0x00007FF64A930000-0x00007FF64AC84000-memory.dmp
memory/2364-152-0x00007FF742DF0000-0x00007FF743144000-memory.dmp
memory/2760-153-0x00007FF759740000-0x00007FF759A94000-memory.dmp
memory/4584-154-0x00007FF606E40000-0x00007FF607194000-memory.dmp
memory/4780-155-0x00007FF7334A0000-0x00007FF7337F4000-memory.dmp
memory/628-156-0x00007FF71D570000-0x00007FF71D8C4000-memory.dmp
memory/3384-157-0x00007FF736C50000-0x00007FF736FA4000-memory.dmp
memory/4676-158-0x00007FF6C5A00000-0x00007FF6C5D54000-memory.dmp
memory/2684-159-0x00007FF658A50000-0x00007FF658DA4000-memory.dmp
memory/2904-160-0x00007FF6021F0000-0x00007FF602544000-memory.dmp
memory/4592-161-0x00007FF64ECC0000-0x00007FF64F014000-memory.dmp
memory/1244-162-0x00007FF662E70000-0x00007FF6631C4000-memory.dmp
memory/4192-163-0x00007FF605F10000-0x00007FF606264000-memory.dmp
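The Network table and the Files section above are the parts of this report an analyst actually hunts with: the repeated TCP connects to one bare ip:port, the PTR lookups the sample issued, the hashes of the executables dropped under C:\Windows\System\, and the per-process memory dumps. The Python script below is an added example, not part of the sandbox report or of the analysis platform's tooling. It parses those two sections into structured IOCs and applies a few checks. REPORT is a constructed excerpt of this page's own rows (including the three shapes in which the 3.120.209.58:8080 rows appear, so the parser is tolerant of the misaligned cells); the row patterns, the three-hit threshold for a beacon candidate, the seven-letter filename pattern and the 1 MiB cut-off for a "main image" dump are the example's own assumptions.

```python
"""Pull hunt-ready IOCs out of a sandbox report's Network and Files sections.

REPORT is a constructed excerpt of the rows on this page (network rows, two dropped
files, three memory dumps); the complete Network/Files text can be pasted in unchanged.
"""
import re
from collections import Counter

REPORT = r"""Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | tcp |
Files
memory/4808-0-0x00007FF7143F0000-0x00007FF714744000-memory.dmp
memory/4808-1-0x00000285D4C10000-0x00000285D4C20000-memory.dmp
C:\Windows\System\TUVOMTf.exe
| MD5 | 919ba07af50e10f0ef22abec1bb151bd |
| SHA1 | 8dd462dec3fd50711c41be0f9b6e10e642b88558 |
| SHA256 | 8c842b53946eea50200ae5ba5ba5da6b695096a6acccb08095b6b7e129149e98 |
memory/3612-9-0x00007FF6BD350000-0x00007FF6BD6A4000-memory.dmp
C:\Windows\System\woqEzcE.exe
| MD5 | 0310000481264d4644f1b7b483298a8e |
| SHA1 | 6e1ab3708276c0b32d9324ea8a5fab4851a64f8e |
| SHA256 | 18912905b1e2f6265371c67f72371e86b54f63279719da9c35a70fc64d1cae55 |
"""

# Row shapes assumed from the report text (example's own patterns, not the platform's schema).
NET_ROW = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*\|(.*)$")
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
DUMP_ROW = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-F]+)-0x([0-9A-F]+)-memory\.dmp$", re.I)
PATH_ROW = re.compile(r"^[A-Za-z]:\\\S+\.(?:exe|dll)$", re.I)


def parse_report(text):
    """Return (connections, files, dumps) parsed from the Network and Files sections."""
    connections, files, dumps, current = [], {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = NET_ROW.match(line)
        if m:
            country, ip, port, rest = m.groups()
            # The domain and protocol cells are misaligned on some rows: classify cells
            # by content instead of position so "| tcp | |", "| | tcp |" and "| tcp |" agree.
            cells = [c.strip() for c in rest.strip().strip("|").split("|")]
            proto = next((c for c in cells if c.lower() in ("tcp", "udp")), "")
            domain = next((c for c in cells if c and c.lower() not in ("tcp", "udp")), "")
            connections.append({"country": country, "ip": ip, "port": int(port),
                                "domain": domain, "proto": proto.lower()})
            continue
        m = DUMP_ROW.match(line)
        if m:
            pid, idx, start, end = m.groups()
            dumps.append({"pid": int(pid), "index": int(idx), "start": int(start, 16),
                          "size": int(end, 16) - int(start, 16)})
            continue
        if PATH_ROW.match(line):
            current = line          # hash rows that follow belong to this dropped file
            files[current] = {}
            continue
        m = HASH_ROW.match(line)
        if m and current:
            files[current][m.group(1).lower()] = m.group(2)
    return connections, files, dumps


def beacon_candidates(connections, min_hits=3):
    """Non-DNS endpoints hit repeatedly with no hostname: the pattern to block at egress."""
    hits = Counter((c["ip"], c["port"], c["proto"]) for c in connections if c["port"] != 53)
    return [(ip, port, proto, n) for (ip, port, proto), n in hits.items() if n >= min_hits]


def reverse_lookups(connections):
    """IPs the sample resolved via PTR queries (in-addr.arpa names are octet-reversed)."""
    out = []
    for c in connections:
        if c["domain"].endswith(".in-addr.arpa"):
            out.append(".".join(reversed(c["domain"][: -len(".in-addr.arpa")].split("."))))
    return out


def dropped_in_windows_dir(files):
    """Seven-letter random names written under C:\\Windows\\System\\ (assumed pattern)."""
    pat = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")
    return sorted(p for p in files if pat.match(p))


def main_image_sizes(dumps):
    """Histogram of sizes of the large (>= 1 MiB, assumed) per-process image dumps."""
    return Counter(d["size"] for d in dumps if d["size"] >= 0x100000)


if __name__ == "__main__":
    conns, files, dumps = parse_report(REPORT)
    for ip, port, proto, n in beacon_candidates(conns):
        print(f"beacon candidate: {ip}:{port}/{proto} x{n}")
    print("PTR lookups for:", ", ".join(reverse_lookups(conns)))
    for path in dropped_in_windows_dir(files):
        print(f"dropped: {path}  sha256={files[path].get('sha256')}")
    print("image dump sizes:", {hex(k): v for k, v in main_image_sizes(dumps).items()})
```

Run over the complete Network and Files text of this page, the script reports a single beacon candidate (3.120.209.58:8080/tcp, seven hits), PTR lookups for the five non-Google addresses plus 8.8.8.8 itself, and one striking fact the listing does not state: every large dump region is exactly 0x354000 bytes, while every dropped executable carries a different MD5/SHA1/SHA256. Identical image size with distinct file hashes is what you expect when the same payload is re-emitted per drop with per-copy variation, so block on the C2 endpoint and the dropped-file path pattern rather than on any single hash.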