Analysis Overview
SHA256
e08c025f7c16d376cc2f4d7468db1eb2e7fd8641abb74a92a7b08815716486b1
Threat Level: Known bad
The file 2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike family
Cobalt Strike reflective loader
XMRig Miner payload
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike
Xmrig family
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-08 08:40
Signatures
Cobalt Strike reflective loader
1 hit; no description, indicator, process or target recorded.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 hit; no description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
1 hit; no description, indicator, process or target recorded.
XMRig Miner payload
1 hit; no description, indicator, process or target recorded.
Xmrig family
UPX packed file
1 hit; no description, indicator, process or target recorded.
Unsigned PE
1 hit; no description, indicator, process or target recorded.
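The two purely static findings above, UPX packed file and Unsigned PE, can both be read straight from the PE headers: the UPX packer leaves its section names in the section table, and an unsigned image has an empty security (Authenticode) data directory. The following Python is an added example, not part of this report and not code from any sandbox; it parses those two structures with nothing but struct, and because the sample itself is not reproduced here it runs against a constructed, header-only PE32+ image that the same block builds. The builder, the function names and the section names are assumptions for illustration.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode signature)


def triage_pe(data: bytes) -> dict:
    """Return section names, a UPX-section flag and an Authenticode flag for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]     # SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+); NumberOfRvaAndSizes is the 4 bytes before them.
    dir_off = {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}[magic]
    ndirs = struct.unpack_from("<I", data, opt + dir_off - 4)[0]
    sec_rva = sec_size = 0
    if ndirs > SECURITY_DIR_INDEX:
        sec_rva, sec_size = struct.unpack_from("<II", data, opt + dir_off + 8 * SECURITY_DIR_INDEX)
    table = opt + opt_size
    names = []
    for i in range(nsections):  # each IMAGE_SECTION_HEADER is 40 bytes, name first
        raw = data[table + 40 * i:table + 40 * i + 8]
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return {
        "sections": names,
        "upx_section_names": any(n.upper().startswith("UPX") for n in names),
        "has_authenticode": sec_rva != 0 and sec_size != 0,
    }


def build_test_pe(section_names, signed=False) -> bytes:
    """Constructed minimal PE32+ header-only image for offline testing (not the report's sample)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=AMD64, NumberOfSections, 3 zero dwords, SizeOfOptionalHeader=240, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    if signed:  # point the security directory at a (fictional) signature blob
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, 0x1000, 0x800)
    sections = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + sections


if __name__ == "__main__":
    print(triage_pe(build_test_pe(["UPX0", "UPX1", ".rsrc"])))
    print(triage_pe(build_test_pe([".text", ".data", ".rsrc"], signed=True)))
```

Two caveats a practitioner would attach to these signatures. Section names are trivially renamed, so a name check only catches lazy packing; entropy of the first section and the `UPX!` marker are the usual second opinions, and this report's "UPX dump on OEP" line means the sandbox simply let the stub unpack itself and dumped the image at the original entry point. An empty security directory proves the file is unsigned, but a non-empty one proves nothing until the signature is actually verified (signtool or WinVerifyTrust); do not treat "has_authenticode" as "trusted".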
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 08:40
Reported
2024-06-08 08:42
Platform
win7-20240215-en
Max time kernel
137s
Max time network
147s
Signatures
Cobalt Strike reflective loader
21 hits; no description, indicator, process or target recorded for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; no description, indicator, process or target recorded for any of them.
UPX dump on OEP (original entry point)
53 hits; no description, indicator, process or target recorded for any of them.
XMRig Miner payload
58 hits; no description, indicator, process or target recorded for any of them.
Executes dropped EXE
| Process |
| C:\Windows\System\numUqLI.exe |
| C:\Windows\System\ZZaNttC.exe |
| C:\Windows\System\lTHNjyq.exe |
| C:\Windows\System\ejxqYja.exe |
| C:\Windows\System\HyaqsWo.exe |
| C:\Windows\System\wHGaGAU.exe |
| C:\Windows\System\IijdXup.exe |
| C:\Windows\System\mAglsgt.exe |
| C:\Windows\System\TfgGKAz.exe |
| C:\Windows\System\aOmVWGT.exe |
| C:\Windows\System\zgZrEXs.exe |
| C:\Windows\System\hZNfncl.exe |
| C:\Windows\System\HnNeglf.exe |
| C:\Windows\System\TFbIvWs.exe |
| C:\Windows\System\GGLHVob.exe |
| C:\Windows\System\MmheHJQ.exe |
| C:\Windows\System\vRMHszo.exe |
| C:\Windows\System\UHfDUJu.exe |
| C:\Windows\System\YCyEtMO.exe |
| C:\Windows\System\CPwrMBa.exe |
| C:\Windows\System\voAFnGV.exe |
(No description, indicator or target recorded for these 21 executions.)
Loads dropped DLL
UPX packed file
53 hits; no description, indicator, process or target recorded for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\numUqLI.exe
C:\Windows\System\numUqLI.exe
C:\Windows\System\ZZaNttC.exe
C:\Windows\System\ZZaNttC.exe
C:\Windows\System\lTHNjyq.exe
C:\Windows\System\lTHNjyq.exe
C:\Windows\System\ejxqYja.exe
C:\Windows\System\ejxqYja.exe
C:\Windows\System\HyaqsWo.exe
C:\Windows\System\HyaqsWo.exe
C:\Windows\System\wHGaGAU.exe
C:\Windows\System\wHGaGAU.exe
C:\Windows\System\IijdXup.exe
C:\Windows\System\IijdXup.exe
C:\Windows\System\mAglsgt.exe
C:\Windows\System\mAglsgt.exe
C:\Windows\System\TfgGKAz.exe
C:\Windows\System\TfgGKAz.exe
C:\Windows\System\aOmVWGT.exe
C:\Windows\System\aOmVWGT.exe
C:\Windows\System\hZNfncl.exe
C:\Windows\System\hZNfncl.exe
C:\Windows\System\zgZrEXs.exe
C:\Windows\System\zgZrEXs.exe
C:\Windows\System\HnNeglf.exe
C:\Windows\System\HnNeglf.exe
C:\Windows\System\TFbIvWs.exe
C:\Windows\System\TFbIvWs.exe
C:\Windows\System\MmheHJQ.exe
C:\Windows\System\MmheHJQ.exe
C:\Windows\System\GGLHVob.exe
C:\Windows\System\GGLHVob.exe
C:\Windows\System\vRMHszo.exe
C:\Windows\System\vRMHszo.exe
C:\Windows\System\UHfDUJu.exe
C:\Windows\System\UHfDUJu.exe
C:\Windows\System\YCyEtMO.exe
C:\Windows\System\YCyEtMO.exe
C:\Windows\System\CPwrMBa.exe
C:\Windows\System\CPwrMBa.exe
C:\Windows\System\voAFnGV.exe
C:\Windows\System\voAFnGV.exe
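The behaviour this analysis records is a compact, repeatable pattern: the sample writes executables with random seven-letter mixed-case names into C:\Windows\System (the legacy directory, not System32), executes each one, and enables SeLockMemoryPrivilege on its own token, the privilege XMRig needs for large-page memory. The Python below is an added example written for this page, not code from the report or from any sandbox; it runs that pattern as a detection over a handful of constructed, Sysmon-style event records in a simplified key=value form (EventID 1 process create, 11 file create, and Security 4703 token privilege adjusted, whose real field names differ). The record layout, the parent/child relationships and the dropper name are assumptions for illustration; only the dropped-file paths are copied from this report.

```python
import re
from collections import Counter

# Constructed sample records (not from the report) in a simplified key=value form.
# Real Sysmon/Security events carry more fields and different names; adapt parse_event().
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Users\Admin\AppData\Local\Temp\dropper.exe ParentImage=C:\Windows\explorer.exe",
    r"EventID=11 Image=C:\Users\Admin\AppData\Local\Temp\dropper.exe TargetFilename=C:\Windows\System\numUqLI.exe",
    r"EventID=1 Image=C:\Windows\System\numUqLI.exe ParentImage=C:\Users\Admin\AppData\Local\Temp\dropper.exe",
    r"EventID=11 Image=C:\Users\Admin\AppData\Local\Temp\dropper.exe TargetFilename=C:\Windows\System\ZZaNttC.exe",
    r"EventID=1 Image=C:\Windows\System\ZZaNttC.exe ParentImage=C:\Users\Admin\AppData\Local\Temp\dropper.exe",
    r"EventID=4703 Image=C:\Users\Admin\AppData\Local\Temp\dropper.exe EnabledPrivilegeList=SeLockMemoryPrivilege",
    r"EventID=1 Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\services.exe",
    r"EventID=1 Image=C:\Windows\System\wrCSlgm.exe ParentImage=C:\Users\Admin\AppData\Local\Temp\dropper.exe",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")
# C:\Windows\System\ followed by exactly seven letters: the backslash after "System"
# is what keeps C:\Windows\System32\... from matching.
DROPPED_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Turn one key=value record into a dict (values here contain no spaces)."""
    return dict(FIELD_RE.findall(line))


def find_dropper_chain(lines):
    """Return (findings, summary) for the drop-then-execute + SeLockMemoryPrivilege pattern."""
    events = [parse_event(line) for line in lines]
    # Pass 1: remember which process wrote each suspiciously named file.
    writers = {}
    for e in events:
        if e.get("EventID") == "11" and DROPPED_RE.match(e.get("TargetFilename", "")):
            writers[e["TargetFilename"].lower()] = e["Image"]
    # Pass 2: executions from that directory, and the large-page privilege being enabled.
    findings = []
    for e in events:
        if e.get("EventID") == "1" and DROPPED_RE.match(e.get("Image", "")):
            findings.append({
                "kind": "dropped_exe_executed",
                "image": e["Image"],
                "parent": e.get("ParentImage"),
                "written_by": writers.get(e["Image"].lower()),  # None if no create event was seen
            })
        elif e.get("EventID") == "4703" and "SeLockMemoryPrivilege" in e.get("EnabledPrivilegeList", ""):
            findings.append({"kind": "lock_memory_privilege", "image": e["Image"],
                             "parent": None, "written_by": None})
    parents = Counter(f["parent"] for f in findings if f["kind"] == "dropped_exe_executed")
    summary = {
        "dropped_exe_executed": sum(parents.values()),
        "lock_memory_privilege": sum(f["kind"] == "lock_memory_privilege" for f in findings),
        "top_parent": parents.most_common(1)[0][0] if parents else None,
    }
    # Several random-name children from one parent plus the large-page privilege
    # is this report in miniature; one stray child alone is worth only a look.
    summary["confidence"] = ("high" if summary["dropped_exe_executed"] >= 3
                             and summary["lock_memory_privilege"] else "low")
    return findings, summary


if __name__ == "__main__":
    found, verdict = find_dropper_chain(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print(verdict)
```

Two points about the logic. The file-create pass is kept separate from the process-create pass so that an execution with no matching create event (wrCSlgm.exe in the sample data) still surfaces, just with written_by left as None; a dropper that writes via a different process or before logging started should not escape the rule. And the regex anchors on C:\Windows\System\ plus exactly seven letters because that is the whole of what this report shows; widen it only with evidence, since a looser pattern over C:\Windows will drown in legitimate installer noise.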
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2028-1-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/2028-0-0x000000013FF30000-0x0000000140284000-memory.dmp
C:\Windows\system\numUqLI.exe
| MD5 | 9cf0defae9d4b0c19012438f76afd334 |
| SHA1 | 8045dc64a050dfe5c3c2aa47732833bd627b0268 |
| SHA256 | b8137db1b7da643021443d042561e8b9285f12e2669be64c794275def9fd78e1 |
| SHA512 | 5c6a128ec9bd03379e4e3708e1bfa7f2bf839ed513ba745f25e6e5551ec56ffb84b984b44695a07eece401c40fd0dc7550a46dd159c300ffaf7f575a1d3e6c99 |
\Windows\system\ZZaNttC.exe
| MD5 | 261c2b4ee7c97f65a7c4e52ddfd47d4c |
| SHA1 | 598fb0b239ddd23c6a643ba20235d0a79b0bbb2b |
| SHA256 | a2b761a565295fba34b812e30bb975ae72054369b4442baaae97567ef59fc96e |
| SHA512 | 5ea8787caaa7f055e5b6a7e1cae2a535926a42ab103dbc410f6d4c4d26cf0a7a99106ef0dd1fd4276936fa3b8ef55da6762c0c4e2253450d6e4a0c842816fbae |
memory/2092-16-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2028-15-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2392-9-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2028-8-0x000000013FAE0000-0x000000013FE34000-memory.dmp
C:\Windows\system\lTHNjyq.exe
| MD5 | 547585a39a4ae8b099348314ca49a2d8 |
| SHA1 | 0bf51bd7fc89ee49a3922d5d873f5e252cb29703 |
| SHA256 | 7d17380976ed16b292e6263fec5248c6a186e78d9766c6bdb87a890ecfc14af3 |
| SHA512 | d22f114cf9b9495efdc935ad5eed626486e2f34904d8ac8ca181978b2a4dc1d6b0e1e4044f89f74caa65fbdf5b52e31ad520e352ba7905830e725d3d29deddbb |
memory/2544-23-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2028-22-0x000000013F5F0000-0x000000013F944000-memory.dmp
C:\Windows\system\ejxqYja.exe
| MD5 | 9f155be81eb9737efc1bc12aaa5acbe3 |
| SHA1 | 530aee905a5118f4cf55dd91f144c71a2ff7686a |
| SHA256 | e5ebf66fcfc801e1415055f877246aef64769968675db5fe77c4890cc08e91ab |
| SHA512 | b72dba539bf7391484befe56e693bc8f0214f27a8af1a64f1d98cb30ed5dfe80970a7921a2ca8d89de16fa231190ddca8a6e91398e9ff0c38c32103d30e7dead |
\Windows\system\HyaqsWo.exe
| MD5 | 3ba5771dc445c6ebf3285a2093cd5050 |
| SHA1 | e77cc42341a9347d3aac1aea103d343a4d173cdd |
| SHA256 | ea41cd5595b231930384e28615218018f814b46388d54ad3527c719b5ce1f983 |
| SHA512 | 67bbc32f5b5920107028c10d6f63d5a791f0389b836cc2f1c148f1bb635ae5d486f058cbd655b937369b012655ebe33b8a7900257878cfa3bb051dfa84f35231 |
memory/2028-28-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2656-32-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2744-44-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2596-43-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2028-41-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2028-37-0x000000013FA80000-0x000000013FDD4000-memory.dmp
\Windows\system\wHGaGAU.exe
| MD5 | 7a9d02062878dfa934dbfcc9ae2b8513 |
| SHA1 | 9a0c116b62ab0445c262a7daee13969301319da9 |
| SHA256 | b6a4d21d0e04d5da4de2f1ef34912fde9f2576f73f912cb0da29268f780d27ca |
| SHA512 | 130e0d820661d777b85fa0180e0dc20ce40d185d1da6440b93c866acca3dbdc572bfaaeabb3897ce04dffca705d3ddb15741a054e9e5836f0b43f1d3d24e3c48 |
C:\Windows\system\IijdXup.exe
| MD5 | b66f0dd790d3be4ed6860775f5d845f7 |
| SHA1 | 829aaca5e1061f50459f27c94a514f61b6b018f0 |
| SHA256 | e5824c5a785cddb5bcd86914bebad217565d79d13b2d92b2e2d2ea40d1f3d9fc |
| SHA512 | 8f0406dc1c3b1f40b14bbf53b0559c0c9487f9228a56d44da2d5b7007435403619268f63c129ab13930ae7043e6b85719d2c30355b8dea91631257b852109b6a |
memory/2784-50-0x000000013FFC0000-0x0000000140314000-memory.dmp
C:\Windows\system\mAglsgt.exe
| MD5 | bb546d945694073aa1cafbfd8a2392f4 |
| SHA1 | 281ad2f719d19c8da09e941e04e76098614518ce |
| SHA256 | 8971a54f29c7fd0055589370d7d4f10eec1edd80cbcfca5abe1df3f658b46f00 |
| SHA512 | d167f478e0a2bdb68ffc2b94dfb8daae8132441a7d05ebe57ae99f05452ef518215b97ce9bc1bb7953d22dc39c1d97e42285c119b04ef120adb404dfb4f8690a |
memory/2604-57-0x000000013F980000-0x000000013FCD4000-memory.dmp
C:\Windows\system\TfgGKAz.exe
| MD5 | a1a705d5589e8107b7cfa1e7b5d95464 |
| SHA1 | c0d33db015b606ffdcf3d46702b278e26e5a146f |
| SHA256 | 6c739eb37fe10162940878f74404653088409071d84be67d60e2ff918eceae62 |
| SHA512 | c39e434831a37b383d7589baebe626b2c2f52eee66905461d157fce26ae70523fa6f895b3eb6c2ce7eb2d59424c50ddf88a0e52e76d31146f4989ca908a1f65d |
memory/2028-56-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2028-62-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/2516-64-0x000000013FD30000-0x0000000140084000-memory.dmp
C:\Windows\system\aOmVWGT.exe
| MD5 | 09194855a46dd1bf0cbff8aafafbd6fa |
| SHA1 | 1868b841e2ec0a1b2c8485fc0674b656478be5f7 |
| SHA256 | 8d09c41edc783c74b6490b611ffa8fbe83ac7e2bb9eb5fd452fed0a6c049de8b |
| SHA512 | b42bd4478526816a37359258bdd3bdbb135627b14732924eb7aea111adc0b033a309aa048b3573effe22365dc6123e74aa3f14ed6d7a728f4320d69f9a9cad60 |
memory/2028-70-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2028-71-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/1988-72-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
\Windows\system\hZNfncl.exe
| MD5 | 27ca0e6958a3045b11db11c71c2dc60a |
| SHA1 | e521c5470cf1519fcf6f6f804ac4d92d5d461e68 |
| SHA256 | 45bb24543b477268ef03795e42f185e0d609c282833e52f013af3835673f47ec |
| SHA512 | 47bd87639980cd3f377c769427ec974e0ca8fc68ab38d64ce38bd9548badf5bb6662b1d80bcae57dae51ab7f8f1a72fb524c48194d79984d393190d4d4f62964 |
memory/2028-106-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2028-107-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2168-112-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/2028-110-0x000000013F680000-0x000000013F9D4000-memory.dmp
C:\Windows\system\YCyEtMO.exe
| MD5 | 02b9efa6a74645b2c1fbbf4a101fa6e0 |
| SHA1 | 995d54ca89aa15672e40f3a2a7e39836129f4b8d |
| SHA256 | 9262fb56c002949d750e9c109a89ce0af5eb573ad645877380c994c56b32df7c |
| SHA512 | 145e5ba4f0f68e5db6b9ca20b748849047fa0969701adca5f66b5f001c92cdcf5b68d01515d03561a2725b08d66e099b605434c3c0e91dce9b76a134312ca74f |
\Windows\system\voAFnGV.exe
| MD5 | 5aa945cd9205953e9c037758c0ce75a3 |
| SHA1 | 8631eb96c440082faf7c0c29d37a2b8ff7c3f092 |
| SHA256 | a894da42dbe16c81d62cc69478fb4bef0d96b2c5bc329735c2819b861b5b6070 |
| SHA512 | 6d94bc0065ee89c0cd63d2af182dbaa4ac7d7dcf4c7e1dbf1ad105b02b1de2ad9d08b4bffd84cb42aeae2d08125cee8b8fa2bc9144082210d206037478ed1750 |
C:\Windows\system\CPwrMBa.exe
| MD5 | cd4d2da914095454f6f963b84dbc23bc |
| SHA1 | a6c50aa6261a2517fef90982d3cf9e155122e445 |
| SHA256 | 52552de351378d77a08e8866dc75cb10d8aeb818c36682b2c28c0c83fc0142e1 |
| SHA512 | c9a3b05f1cc15cc98158a55963678e032b7e3898b81394d62e85c80258e941d93251a4429d54dac99cfd425fe49c0571fbf7235e153bfbae72051466c9af40df |
C:\Windows\system\vRMHszo.exe
| MD5 | a2b638afe46db2ff3b51600b896fcace |
| SHA1 | 7114cd616e717709c45fd326a0cb37e7112d05da |
| SHA256 | dba78055c679f432b2cbbf64b2d322bc84a1198fdfcb8ea6e2a4be7203389771 |
| SHA512 | b4accb012ed3250861c35c62c0cf02021a562482944a41cd87246a32129bb73b3fba4b28cb2d5725a06b86a636d2538781743b6e4b0f281ff5f1c8a311c001b1 |
C:\Windows\system\UHfDUJu.exe
| MD5 | b1354e0854d3a46605b7605500e28e9a |
| SHA1 | afb24ce1c42e8bffc2c61be7e78d019b4b848e3c |
| SHA256 | 962c7befb501ac9de1cc1335f8d114ee101576919165fc3c5e5b905ab04bcead |
| SHA512 | ba3b1d374d8fae4a13b772d38cb1eec0f15b3e6a0417c43c75606bc0f0a60ac02c68bae4550295f195833251302bb856f9cb4d324f1ec61884bab6743f56a3a0 |
C:\Windows\system\MmheHJQ.exe
| MD5 | 253d23998eea26dc17742e731c5b4751 |
| SHA1 | 9be351c1e6a6507d936c2c9aed1c20f11fa2ea8d |
| SHA256 | 867a95e01ac4c9c8c84828e1ebdd6d4bfe04d7dd36f019b258fbe15dbe88335f |
| SHA512 | 6d8c6e9aeeec11d2d2c923a86f24b0013de05dcee9b97d46a3e9160ca021faa01637beb1088a82a70f81ba51e9ecde592c2b5fdc362b094ee14187fd21b603d9 |
C:\Windows\system\GGLHVob.exe
| MD5 | 280417e09ac488bee9c009a4fb88a5fc |
| SHA1 | c894a4d8bcb1c654d84e829006e5d45510b6e482 |
| SHA256 | 2b34345164e2cdb09bdf2df60e714dc806ab0dcf26ec7ceffbc31e68b47fed02 |
| SHA512 | 05805162c5cd17d8c9c17eb776a503046dc0f7c6f296008d1744ee69cb8ca9f1a3152ed10f1ad322f368c59c13f46dec967d3779b6c7e72dabf19b3e7b70b9b7 |
C:\Windows\system\TFbIvWs.exe
| MD5 | 552f71070891b701bbea56844e4c0a84 |
| SHA1 | 058f23df44860386c28be0ebe2f1433fd71b89d5 |
| SHA256 | 070349cdfdfed3e05934721c6d1ff61f44edbbc69e810e817e0780c07a416576 |
| SHA512 | 510e2f62195e0dabc067a1c8ff8ce10baa4be16400de67c7fc93940e0a2dfd2efea6b1e7f083a157a9fc54ee0fba57089b92a39aed2274b22e336baaa6b7785c |
memory/2828-96-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2656-88-0x000000013F650000-0x000000013F9A4000-memory.dmp
C:\Windows\system\HnNeglf.exe
| MD5 | 986d6cd3901be93291f7cac1af845345 |
| SHA1 | 49dcb40b0cd1d4deca6ef5088fc7e2cabb1c526f |
| SHA256 | c1ad5fb9b55fcf6f963a116b6e97a9fc0393abebf9e98320320525ebea6efdcb |
| SHA512 | 1284b1e595ac6f816365e0e5b780dc4e9e0651e75251c546bc8a858a43b55eec697906fac690cfa418c3d9b361ce7f03f1f074ff937b147c9449a930c7903820 |
memory/2940-104-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2864-103-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/2028-91-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2028-76-0x000000013F2C0000-0x000000013F614000-memory.dmp
C:\Windows\system\zgZrEXs.exe
| MD5 | 189ddf87844aafea6c5e22732e1642bb |
| SHA1 | 9a9d767bcd99950d3fe183cfcf9b274ec52775a8 |
| SHA256 | 1dd385ea5c3503d0bca25741114d97a40cdccf65f1f861c334e69412597967f4 |
| SHA512 | c82c7b9c16e4d3ecc3c6b01f14b5c0c060837ed77abfcc4425274b7e72524d1bbfc8cc9b6bf17b5a8d436196216e155d65225c1d75899697af9a062e4ba4489a |
memory/2028-137-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2516-138-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/2028-139-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/2028-140-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2028-141-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2028-142-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2392-143-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2092-144-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2544-145-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2656-146-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2596-147-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2744-148-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2784-149-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2604-150-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2516-151-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/1988-152-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2864-153-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/2828-154-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2940-155-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2168-156-0x000000013FDC0000-0x0000000140114000-memory.dmp
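The memory dump names in this Files list encode the PID, a sequence number and the start and end address of the dumped region, and they carry an observation that is easy to miss when reading them by eye: almost every region is the same size, and each child's image range also appears as a dump taken from the parent PID 2028, which is the memory-level counterpart of the "Suspicious use of WriteProcessMemory" signature. The Python below is an added example written for this page, not part of the report or of any sandbox tooling; it parses the names and groups the regions by size and by exact range. The input is a subset of the behavioral1 dump names copied from this report; the interpretation of sub-4 GiB regions as private (non-image) memory is an assumption stated in the code.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# A subset of the behavioral1 dump names from this report. 2028 is the submitted
# sample's PID; the other PIDs are dropped children.
SAMPLE_DUMPS = [
    "memory/2028-0-0x000000013FF30000-0x0000000140284000-memory.dmp",
    "memory/2028-1-0x00000000000F0000-0x0000000000100000-memory.dmp",
    "memory/2028-8-0x000000013FAE0000-0x000000013FE34000-memory.dmp",
    "memory/2392-9-0x000000013FAE0000-0x000000013FE34000-memory.dmp",
    "memory/2028-15-0x000000013F3E0000-0x000000013F734000-memory.dmp",
    "memory/2092-16-0x000000013F3E0000-0x000000013F734000-memory.dmp",
    "memory/2028-22-0x000000013F5F0000-0x000000013F944000-memory.dmp",
    "memory/2544-23-0x000000013F5F0000-0x000000013F944000-memory.dmp",
    "memory/2028-107-0x0000000002390000-0x00000000026E4000-memory.dmp",
]


def parse_dump_name(name: str) -> dict:
    """Split memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp into its fields."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def analyse_dumps(names):
    """Group dumped regions by size and by exact range across PIDs."""
    regions = [parse_dump_name(n) for n in names]
    pids_by_size = defaultdict(set)
    pids_by_range = defaultdict(set)
    for r in regions:
        pids_by_size[r["size"]].add(r["pid"])
        pids_by_range[(r["start"], r["end"])].add(r["pid"])
    # The size seen in the most distinct processes is the candidate payload image size.
    dominant = max(pids_by_size, key=lambda s: len(pids_by_size[s]))
    # Identical ranges dumped from more than one PID: a parent holding a view of a child's image.
    shared = {rng: sorted(p) for rng, p in pids_by_range.items() if len(p) > 1}
    # Assumption: in this report the images sit above 4 GiB (0x13F... bases), so a
    # payload-sized region below that is private memory, i.e. a staged copy worth dumping.
    low = [(r["pid"], hex(r["start"])) for r in regions
           if r["size"] == dominant and r["start"] < 0x1_0000_0000]
    return {
        "dominant_size": dominant,
        "pids_with_dominant_size": sorted(pids_by_size[dominant]),
        "shared_ranges": shared,
        "low_payload_sized": low,
    }


if __name__ == "__main__":
    result = analyse_dumps(SAMPLE_DUMPS)
    print(f"dominant region size: {result['dominant_size']:#x} ({result['dominant_size']} bytes)")
    print("seen in PIDs:", result["pids_with_dominant_size"])
    for (start, end), pids in result["shared_ranges"].items():
        print(f"  {start:#x}-{end:#x} dumped from {pids}")
    print("payload-sized private regions:", result["low_payload_sized"])
```

On the subset above the dominant size is 0x354000 bytes, every child has exactly one region of that size, the parent has a matching dump for each child's range, and the parent additionally holds a 0x354000-byte region at 0x2390000, below the image bases. That layout is what one would expect if the parent stages one copy of the payload and writes it into each child it spawns; the report's WriteProcessMemory signature supports that reading but the dumps alone do not prove it. The practical consequence is that hashing one child's image dump and comparing it with the parent's private region tells you whether you are looking at one payload or twenty-one, before anyone spends time reversing duplicates.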
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 08:40
Reported
2024-06-08 08:42
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
149s
Signatures
Cobalt Strike reflective loader
21 hits; no description, indicator, process or target recorded for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; no description, indicator, process or target recorded for any of them.
UPX dump on OEP (original entry point)
64 hits; no description, indicator, process or target recorded for any of them.
XMRig Miner payload
64 hits; no description, indicator, process or target recorded for any of them.
Executes dropped EXE
| Process |
| C:\Windows\System\wrCSlgm.exe |
| C:\Windows\System\aaHVzmV.exe |
| C:\Windows\System\euBCamz.exe |
| C:\Windows\System\MrjejWr.exe |
| C:\Windows\System\DrJawLg.exe |
| C:\Windows\System\DzupwxF.exe |
| C:\Windows\System\ehbZzHJ.exe |
| C:\Windows\System\qdohjvV.exe |
| C:\Windows\System\aydDxTC.exe |
| C:\Windows\System\RcPADKx.exe |
| C:\Windows\System\EQFtIFW.exe |
| C:\Windows\System\rHNGEOA.exe |
| C:\Windows\System\TMKNwCx.exe |
| C:\Windows\System\AlrwOMz.exe |
| C:\Windows\System\BXgPAtM.exe |
| C:\Windows\System\hhUUzib.exe |
| C:\Windows\System\tbmQOKe.exe |
| C:\Windows\System\UwTLtYT.exe |
| C:\Windows\System\njrqZQV.exe |
| C:\Windows\System\nctdtyp.exe |
| C:\Windows\System\eUXOKnc.exe |
(No description, indicator or target recorded for these 21 executions.)
UPX packed file
64 hits; no description, indicator, process or target recorded for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\wrCSlgm.exe
C:\Windows\System\wrCSlgm.exe
C:\Windows\System\aaHVzmV.exe
C:\Windows\System\aaHVzmV.exe
C:\Windows\System\euBCamz.exe
C:\Windows\System\euBCamz.exe
C:\Windows\System\MrjejWr.exe
C:\Windows\System\MrjejWr.exe
C:\Windows\System\DrJawLg.exe
C:\Windows\System\DrJawLg.exe
C:\Windows\System\DzupwxF.exe
C:\Windows\System\DzupwxF.exe
C:\Windows\System\ehbZzHJ.exe
C:\Windows\System\ehbZzHJ.exe
C:\Windows\System\qdohjvV.exe
C:\Windows\System\qdohjvV.exe
C:\Windows\System\RcPADKx.exe
C:\Windows\System\RcPADKx.exe
C:\Windows\System\aydDxTC.exe
C:\Windows\System\aydDxTC.exe
C:\Windows\System\EQFtIFW.exe
C:\Windows\System\EQFtIFW.exe
C:\Windows\System\rHNGEOA.exe
C:\Windows\System\rHNGEOA.exe
C:\Windows\System\TMKNwCx.exe
C:\Windows\System\TMKNwCx.exe
C:\Windows\System\AlrwOMz.exe
C:\Windows\System\AlrwOMz.exe
C:\Windows\System\BXgPAtM.exe
C:\Windows\System\BXgPAtM.exe
C:\Windows\System\hhUUzib.exe
C:\Windows\System\hhUUzib.exe
C:\Windows\System\tbmQOKe.exe
C:\Windows\System\tbmQOKe.exe
C:\Windows\System\UwTLtYT.exe
C:\Windows\System\UwTLtYT.exe
C:\Windows\System\njrqZQV.exe
C:\Windows\System\njrqZQV.exe
C:\Windows\System\nctdtyp.exe
C:\Windows\System\nctdtyp.exe
C:\Windows\System\eUXOKnc.exe
C:\Windows\System\eUXOKnc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/5068-0-0x00007FF6AFD10000-0x00007FF6B0064000-memory.dmp
memory/5068-1-0x0000022D07E40000-0x0000022D07E50000-memory.dmp
C:\Windows\System\wrCSlgm.exe
| MD5 | 11bef195edb736d896b563b1fb42bb7c |
| SHA1 | e1a7a9653b18c1b4989c6a1594f94773dee0aea7 |
| SHA256 | cecb31ddced2d7370b2cd1bddfb89384564ed77a01cc55cd5e9c6e32a8a3c9b6 |
| SHA512 | af6644f72b9587050e305af9c1d30647930a2d521ca5d99f48862e52fac1a543596998531e2199ad97c8c01d9e4ffa98d0ae387473502fdb7ddf68764ce10749 |
memory/3228-8-0x00007FF65F080000-0x00007FF65F3D4000-memory.dmp
C:\Windows\System\euBCamz.exe
| MD5 | dc8f6f840f5805457211d03c4f3bfb2f |
| SHA1 | 44b831d714b9a2834d1d1e86517558f9d204c507 |
| SHA256 | 7b9e74b3da7123eba6e685ff75c71c3959c956e0b95c5825296822a5819e79a4 |
| SHA512 | f51fcc78d6b67f6debb619f47e67b4604f5c95da4926a7dc04f134f694c6d00a905d6c2d0790b8728cdd2b0ff24dd5d58962fdfd1d055687b18e070779c2e4f2 |
C:\Windows\System\MrjejWr.exe
| MD5 | 2ed641aed46fa3a75c98fc5049ae421d |
| SHA1 | 4f111aa9652ebf5da3f0323c8220a09edfd50a73 |
| SHA256 | fdfdccccf16bb014051b87e219b993a4a8796990d7ee2efcd9112c55b4ebfb6c |
| SHA512 | 8e82146864cf3d95c1141cbc6e967423e34abbe073384c2e6519c30d2596299e7c3de4e917b129bf01db8f95ca6e7c22120e6a609ea89bd23ccd1b1d224756c5 |
C:\Windows\System\DrJawLg.exe
| MD5 | 02861b33e5136496a92d9f27bc4e276e |
| SHA1 | 570bb27b28f71301049b3de5dead6e5df5f3a3d2 |
| SHA256 | 956a8f8d099e75122f4edb9a649cb2f6a45f6de6e5ec042564e9a3f75dbb59de |
| SHA512 | 9e3628c257e5bc704a9e02ef2dcd69683c6ce29f674bccb0e976081ab5a778342664d219077f3490c409fb3c50d86205024cc879429f85b0868923ac5da27368 |
memory/660-30-0x00007FF79D450000-0x00007FF79D7A4000-memory.dmp
memory/4244-23-0x00007FF7A8C80000-0x00007FF7A8FD4000-memory.dmp
memory/3692-25-0x00007FF7B0330000-0x00007FF7B0684000-memory.dmp
memory/5012-19-0x00007FF7D7020000-0x00007FF7D7374000-memory.dmp
C:\Windows\System\aaHVzmV.exe
| MD5 | ed6768df87f290d4c04f58e3e26b232a |
| SHA1 | a7254c72c254645fe665eb9b41465c8180d3c70b |
| SHA256 | 22c0104826a08bfccca885252169927be1d2e14964eb8a692b50df574c3b33da |
| SHA512 | afc72144096a94b2f754819262d8c112dce0685e42458579934059c1300e5404adcc6bdca2d721c8c107b75e3e113cb66a3c4f05ea7757a04eb84b88df162c14 |
C:\Windows\System\DzupwxF.exe
| MD5 | c7936fe55568d3e28f16916be240755a |
| SHA1 | e682592951f38e47d1f24f63b9db66e083b7030a |
| SHA256 | 1f9cfcedc5f8f6e7221a966f776ddc8adbd5de1f108c539b90528663069871b6 |
| SHA512 | 537657613a9114b6b60da36d509844aaf4d56ddd76c9ae4b1aa812fd286ba747d96244ba508d3c182d100268ed51d83d363d38f7bf7f3145c2a952cdd2ac7f53 |
memory/4460-38-0x00007FF6A62D0000-0x00007FF6A6624000-memory.dmp
C:\Windows\System\ehbZzHJ.exe
| MD5 | 1c04153c08a3aa619bf74aad0e0d6d86 |
| SHA1 | a9dbe6ed9234974eaf8920d783117e8d3f4b88d0 |
| SHA256 | e42e3f72749a10c86dac8e2ddf5dd3988a9abfaed996782795dbe91c0144b7b9 |
| SHA512 | 606287de48fa8faa3e4ea5e4817d8301bab208696196961778efbdc145fadab25a17f7ae0c1599c5db2159a99467c7b1ba18c71348bed01682d250893f1fba02 |
memory/3696-45-0x00007FF63A6E0000-0x00007FF63AA34000-memory.dmp
C:\Windows\System\RcPADKx.exe
| MD5 | 48c93fe3ebd65a1c9ac11da55dac317e |
| SHA1 | 3435a42ddea4c82e38546cfef758c56aeea3d0d3 |
| SHA256 | f912e7f444b32c35073d90b6267cd3bf57b8079ce38876e8e5c0b11829cb93df |
| SHA512 | c1248bcedb30b28593a20a118b2aae165c739902f6e18a3ab5c30085a71135836b4a826dad4e35c6bac8a55d26b473a70b398cd81a157c132a8ffe274b6a1865 |
C:\Windows\System\EQFtIFW.exe
| MD5 | a518ee92222e6ed7c89989a48acfc74a |
| SHA1 | 8b11de0bed926ee1c14400030fbddbe43127a825 |
| SHA256 | e3a3cd7853d4eb79c56f6be0740f10dcba4120db0dde48bdd4a17eaca744edc3 |
| SHA512 | f90edc3acc409cbbc4daf25cb77dc1066976900c0788b6006b4b781cd1a28eed22aaaf9b264f3161ed5af1c2d05e1b82a190fa4e66d618d85ee50bde8484ba9d |
memory/2120-67-0x00007FF783DA0000-0x00007FF7840F4000-memory.dmp
C:\Windows\System\rHNGEOA.exe
| MD5 | 3728e0b19644892621f4822066b5d057 |
| SHA1 | 501ba5f12a18f72aac3cda83a27660a6dec88313 |
| SHA256 | 10747b617e0d4ffc92232559b418b67c903b2e5a6cb1e35f45b4aa586f6e6f97 |
| SHA512 | 12cc314c38862243f1cbe550427cfac87f56fcd7c7afd759016e2c5ba5d3ff92f4952931830ded51b8e8d2ab58c1bcf48456b545ea8ee2ea0642606664e12021 |
C:\Windows\System\TMKNwCx.exe
| MD5 | d9f3dd86bbf8989b4e36671e2e9904ca |
| SHA1 | 9f7c532218da8941a2e6f2fbf8384aadd65f6c10 |
| SHA256 | 49eca836fdc94b0bf74d3ef1a8050b2cbea0dadfaf8aef34911ecb1008879822 |
| SHA512 | 85c5e50d81fbda2708fced9583006a4839a522b0b0aa9ebfdbbdde7cb22b6e8e87d2aafe1e3776610550e1131e5378e8000803ab7703737cbe47f0c907ac43c9 |
memory/2084-82-0x00007FF697C30000-0x00007FF697F84000-memory.dmp
memory/5012-91-0x00007FF7D7020000-0x00007FF7D7374000-memory.dmp
C:\Windows\System\BXgPAtM.exe
| MD5 | 6647577fcb2988dc90ac94427e32a37e |
| SHA1 | f12b2850a856025e45b190285c856e0aa656550c |
| SHA256 | b3dc2c01b8d13ab3c366fc33dfa6d2f2746037ddaabbedd7f7e0dae0c5ac4e7a |
| SHA512 | 4851e00e409c3756ac63d1f893538144366a92b4998221ca0b79c2f4f266af38a6188a10cdc20d9fb462af02e7198af67e4d2433a4e230ffb4d5115b2dc387b5 |
memory/1400-92-0x00007FF7442C0000-0x00007FF744614000-memory.dmp
C:\Windows\System\AlrwOMz.exe
| MD5 | 1e6d07efc1cc74716ceeada9b46ae854 |
| SHA1 | e68122e6f1eaf3c756aa02e57b40da5766b0cf59 |
| SHA256 | fab94043ee2d4da26f7774bfc9c49f8fb5377e96ad8a421aba79c90842c36b7d |
| SHA512 | e7b04d50ddc3c1d54b09c2c756492935ff4e75651ec86d5bee7558c568076f0482865e8197c33f297102e417d6f0659e8f0a4357af3f6b094487b9590e07415a |
memory/3540-88-0x00007FF6FDE90000-0x00007FF6FE1E4000-memory.dmp
memory/3228-87-0x00007FF65F080000-0x00007FF65F3D4000-memory.dmp
memory/5068-79-0x00007FF6AFD10000-0x00007FF6B0064000-memory.dmp
memory/2784-78-0x00007FF64C0D0000-0x00007FF64C424000-memory.dmp
memory/4988-72-0x00007FF61F200000-0x00007FF61F554000-memory.dmp
memory/4600-69-0x00007FF696D50000-0x00007FF6970A4000-memory.dmp
C:\Windows\System\aydDxTC.exe
| MD5 | e28c7e0144160530df09f657fa6d7664 |
| SHA1 | beed5edd6766eec5903aac30b1a2cd56639c0f3c |
| SHA256 | 3d4ccf3063206358c7a498d2b101493ff1af46ea846e29f25efb9c7be4c5edee |
| SHA512 | 6e0517710d171e58902c31c879e0798da94c61b19ece2a78ede722eea0cd5ca4a5ea477cf0f98a8228e015a7803e9919f6e741274b6f93b73d74c9d8bc391b27 |
memory/3052-53-0x00007FF670B90000-0x00007FF670EE4000-memory.dmp
C:\Windows\System\qdohjvV.exe
| MD5 | 85344f225682620239ba54d8881aa381 |
| SHA1 | a9f981d754042621094e75ccd1cb1602dfee4539 |
| SHA256 | 4f23e4ba198c507aacecc578579b085200e635593333e0206d2b636a15936678 |
| SHA512 | d8af1bc38eff621ae15db9790e2686360713a17f1972731e9d85da15f2a3c94543e8486fde787c550a4e137343ca8b93a9df15ee760d343d5afd52fbc0f5786d |
C:\Windows\System\hhUUzib.exe
| MD5 | 91970d931bd794a3d9d96513a09ce271 |
| SHA1 | fd3f2f62868c1479c07aa029bacab06a663865a3 |
| SHA256 | a906bee7b560cf4d7709692efcc8348975a976aa2318d359c1707f1829290d54 |
| SHA512 | 7bf9a3bb9e0bee2a60ac08f951b3837c77163e20cfdaacfd9d4f30815a83857de5cb0ded07f522be2035a6997734bed04a690adb8274c4d87ff3fe86dca60ceb |
C:\Windows\System\UwTLtYT.exe
| MD5 | 9ed950f7e1405b1ba310c9bc605b3760 |
| SHA1 | f0d756e8bd5650c4adb3df51002612b6d06ed04e |
| SHA256 | 0285c27938d1a28a5046726c17a90a3979a79e4abffbb66fed937f08e22073b5 |
| SHA512 | 6bdec658c4847d3788ada1c81a5c0d1609b6e6d7966ee0dfb273880673c8e0a80aa79c4ffc648a141cf29d728962698a4677956c16341431b1c36063de1111fa |
memory/4452-115-0x00007FF7F8E40000-0x00007FF7F9194000-memory.dmp
C:\Windows\System\njrqZQV.exe
| MD5 | eb9fbb61cd5866715d6f0d4a4914ba60 |
| SHA1 | 8532fae148291e85f308ec9a5c82a442862e0c8b |
| SHA256 | 9fcec08ffbc6d2a964d38edcf6d037dd9fa2ea5d62f35964858e03a21099c018 |
| SHA512 | b3a82110a420412cda74dd4a4dcc3159fbaea153d3dbcd51152f8773d718f4528cf40cb010647e4b81ccc867a438768647ed47989b34bfda3fafa69b3c873698 |
C:\Windows\System\eUXOKnc.exe
| MD5 | b5a5c16cb32766c40f22acad90313f4e |
| SHA1 | 9b2f44b795ee2ffaa2dae4e6001e1987d994b677 |
| SHA256 | 7995daf88dcd75c715d20ea8c45d2a25779b00c7282539209e4342806a6aeb12 |
| SHA512 | 71f7d41aefcf7f9e1498f286187f914a6f5942c81b437aee743e21776118c9f8c7b128e2602a0dc4a4bc31a305a5e67385b054b903f09ca20d4ea7baea4c256d |
C:\Windows\System\nctdtyp.exe
| MD5 | bc414437579f09870b121ab59e6d4e5a |
| SHA1 | cffd733c6f77b8221072b978dd438ccb9ecb12f8 |
| SHA256 | 20ad5934c45caa43fcdabaec3bb9155e2930be8dc51d3be18015f264b6c24ab6 |
| SHA512 | fbd29ad823bb19e235d0bbe4a87719bf27a6774e2ced8bd6434429108de7c9eedb8a4791ffb330317762f30aac72359b2c463d5c29e762104aad6069dcd90766 |
C:\Windows\System\tbmQOKe.exe
| MD5 | 9b6af5e40d5590614972f9229e706cad |
| SHA1 | 2c35ef5443ce066d8fd8d21774c1ba839af31d13 |
| SHA256 | b9d15bee4bfc2cf7559ae75887ca21659d6cbbafe2e79a8f6fce65c756010ec9 |
| SHA512 | 9af218dca99b9debc87973de3e4befa590297b4bf80a7fd5bce81c108142e0570b49de77fa63244cfd2dba2246546b9f3ea12995a11a97baafee8760962409ee |
memory/4020-129-0x00007FF6CF7B0000-0x00007FF6CFB04000-memory.dmp
memory/2708-128-0x00007FF6AC830000-0x00007FF6ACB84000-memory.dmp
memory/4684-127-0x00007FF705630000-0x00007FF705984000-memory.dmp
memory/2772-126-0x00007FF667200000-0x00007FF667554000-memory.dmp
memory/3692-130-0x00007FF7B0330000-0x00007FF7B0684000-memory.dmp
memory/3368-131-0x00007FF6B5D80000-0x00007FF6B60D4000-memory.dmp
memory/660-132-0x00007FF79D450000-0x00007FF79D7A4000-memory.dmp
memory/3696-133-0x00007FF63A6E0000-0x00007FF63AA34000-memory.dmp
memory/4988-134-0x00007FF61F200000-0x00007FF61F554000-memory.dmp
memory/2084-135-0x00007FF697C30000-0x00007FF697F84000-memory.dmp
memory/3540-136-0x00007FF6FDE90000-0x00007FF6FE1E4000-memory.dmp
memory/1400-137-0x00007FF7442C0000-0x00007FF744614000-memory.dmp
memory/3228-138-0x00007FF65F080000-0x00007FF65F3D4000-memory.dmp
memory/5012-140-0x00007FF7D7020000-0x00007FF7D7374000-memory.dmp
memory/4244-139-0x00007FF7A8C80000-0x00007FF7A8FD4000-memory.dmp
memory/3692-141-0x00007FF7B0330000-0x00007FF7B0684000-memory.dmp
memory/660-142-0x00007FF79D450000-0x00007FF79D7A4000-memory.dmp
memory/4460-143-0x00007FF6A62D0000-0x00007FF6A6624000-memory.dmp
memory/3052-144-0x00007FF670B90000-0x00007FF670EE4000-memory.dmp
memory/3696-145-0x00007FF63A6E0000-0x00007FF63AA34000-memory.dmp
memory/2120-146-0x00007FF783DA0000-0x00007FF7840F4000-memory.dmp
memory/4600-147-0x00007FF696D50000-0x00007FF6970A4000-memory.dmp
memory/4988-148-0x00007FF61F200000-0x00007FF61F554000-memory.dmp
memory/2784-149-0x00007FF64C0D0000-0x00007FF64C424000-memory.dmp
memory/2084-150-0x00007FF697C30000-0x00007FF697F84000-memory.dmp
memory/3540-151-0x00007FF6FDE90000-0x00007FF6FE1E4000-memory.dmp
memory/1400-152-0x00007FF7442C0000-0x00007FF744614000-memory.dmp
memory/4452-153-0x00007FF7F8E40000-0x00007FF7F9194000-memory.dmp
memory/2772-154-0x00007FF667200000-0x00007FF667554000-memory.dmp
memory/4684-155-0x00007FF705630000-0x00007FF705984000-memory.dmp
memory/4020-157-0x00007FF6CF7B0000-0x00007FF6CFB04000-memory.dmp
memory/2708-156-0x00007FF6AC830000-0x00007FF6ACB84000-memory.dmp
memory/3368-158-0x00007FF6B5D80000-0x00007FF6B60D4000-memory.dmp