Analysis Overview
SHA256
15efae55ad58f40a11baa92251e2b1e6d120af513c4b3a747e1d7da5d9b7b3fd
Threat Level: Known bad
The file 2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Xmrig family
XMRig Miner payload
UPX packed file
UPX dump on OEP (original entry point)
Unsigned PE
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 13:43
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
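Added check, not part of the sandbox report: the static1 verdicts "UPX packed file" and "Unsigned PE" can be reproduced on a dropped sample with nothing but the PE headers. Stock UPX names its sections UPX0/UPX1 (UPX2 when resources are kept) and leaves the compressed UPX1 body at near-maximal entropy; an Authenticode signature, when one is embedded, is referenced from the Certificate Table data directory of the optional header. The script below parses only those fields with the Python standard library. The two images it inspects are constructed in build_pe() for the demonstration and are not the files listed on this page; the 7.0-bit entropy threshold and the 4096-byte sample body are assumptions of this example.

```python
import math
import random
import struct
from collections import Counter

UPX_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER (40 bytes)
OPT_HDR_SIZE = 0xF0                           # PE32+ optional header incl. 16 data directories
SECURITY_DIR = 4                              # IMAGE_DIRECTORY_ENTRY_SECURITY


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for padding, near 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _pe_offsets(blob: bytes):
    """Return (coff_offset, optional_header_offset) after validating the MZ and PE magics."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4, e_lfanew + 24


def pe_sections(blob: bytes):
    """[(name, raw_bytes, virtual_size)] from the section table; stdlib only."""
    coff, opt = _pe_offsets(blob)
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    size_opt = struct.unpack_from("<H", blob, coff + 16)[0]
    out = []
    for i in range(num_sections):
        name, vsize, _va, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(
            blob, opt + size_opt + i * SECTION_HDR.size)
        out.append((name.rstrip(b"\0"), blob[raw_ptr:raw_ptr + raw_size], vsize))
    return out


def has_embedded_signature(blob: bytes) -> bool:
    """True when the Certificate Table data directory is non-empty.

    False means "no Authenticode blob inside the file"; catalog-signed OS binaries also return
    False, so this reproduces the sandbox's "Unsigned PE" verdict, not a trust decision.
    """
    _coff, opt = _pe_offsets(blob)
    magic = struct.unpack_from("<H", blob, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)          # DataDirectory offset: PE32+ vs PE32
    _rva, size = struct.unpack_from("<II", blob, dirs + SECURITY_DIR * 8)
    return size != 0


def upx_verdict(blob: bytes) -> dict:
    """Two stock-UPX traits: UPX* section names and a high-entropy UPX1 body."""
    secs = pe_sections(blob)
    names = [n for n, _, _ in secs]
    ent = {n: shannon_entropy(d) for n, d, _ in secs if n in UPX_NAMES and d}
    top = max(ent.values(), default=0.0)
    return {"upx_names": [n.decode() for n in names if n in UPX_NAMES],
            "max_entropy": round(top, 2),
            "is_upx": bool(ent) and top > 7.0,          # threshold is an assumption of this example
            "signed": has_embedded_signature(blob)}


def build_pe(sections, cert_size=0) -> bytes:
    """Constructed minimal PE32+ image for this demo only; it is not loadable and runs nothing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew: PE header follows the stub
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+ magic
    struct.pack_into("<II", opt, 112 + SECURITY_DIR * 8, 0, cert_size)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    raw_ptr = 0x40 + 4 + len(coff) + len(opt) + SECTION_HDR.size * len(sections)
    headers, bodies = b"", b""
    for name, data, vsize in sections:
        headers += SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, 0, len(data), raw_ptr, 0, 0, 0, 0, 0)
        bodies += data
        raw_ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers + bodies


_rng = random.Random(20240608)                 # deterministic stand-in for compressed bytes
PACKED_SAMPLE = build_pe([
    (b"UPX0", b"", 0x200000),                  # empty on disk: room for the unpacked image
    (b"UPX1", _rng.randbytes(4096), 0x1000),   # compressed body, high entropy
    (b".rsrc", b"\0" * 64, 0x40),
])
PLAIN_SAMPLE = build_pe([
    (b".text", b"\x90" * 2048 + b"\xc3", 0x1000),   # NOP sled + ret: low entropy, not packed
    (b".data", b"\0" * 512, 0x200),
], cert_size=0x600)                                 # pretend this one carries an Authenticode blob

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, upx_verdict(blob))
```

Section names are trivial for an operator to rename, so the name check is the weaker half; the entropy test still fires on a renamed UPX1, and the sandbox's "UPX dump on OEP" signature sidesteps both by catching the unpacked image at run time. A False from has_embedded_signature() on a Windows system binary usually means catalog signing rather than tampering.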
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 13:43
Reported
2024-06-08 13:47
Platform
win7-20240221-en
Max time kernel
135s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits, no per-hit indicator recorded
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits, no per-hit indicator recorded
UPX dump on OEP (original entry point)
52 hits, no per-hit indicator recorded
XMRig Miner payload
57 hits, no per-hit indicator recorded
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\fCfiDJN.exe | N/A |
| N/A | N/A | C:\Windows\System\PmEygvH.exe | N/A |
| N/A | N/A | C:\Windows\System\HktMgIM.exe | N/A |
| N/A | N/A | C:\Windows\System\NiLgiYa.exe | N/A |
| N/A | N/A | C:\Windows\System\gFjAUbs.exe | N/A |
| N/A | N/A | C:\Windows\System\QQiQqfb.exe | N/A |
| N/A | N/A | C:\Windows\System\aqTxCVq.exe | N/A |
| N/A | N/A | C:\Windows\System\aFnhkeO.exe | N/A |
| N/A | N/A | C:\Windows\System\TIVlKMH.exe | N/A |
| N/A | N/A | C:\Windows\System\RjprfLn.exe | N/A |
| N/A | N/A | C:\Windows\System\nmFTJHp.exe | N/A |
| N/A | N/A | C:\Windows\System\yMTEKPL.exe | N/A |
| N/A | N/A | C:\Windows\System\YNdEHNH.exe | N/A |
| N/A | N/A | C:\Windows\System\klZDBYc.exe | N/A |
| N/A | N/A | C:\Windows\System\nnTmGHG.exe | N/A |
| N/A | N/A | C:\Windows\System\dImZMoT.exe | N/A |
| N/A | N/A | C:\Windows\System\nuXyOtT.exe | N/A |
| N/A | N/A | C:\Windows\System\pehMZtc.exe | N/A |
| N/A | N/A | C:\Windows\System\sqwvTkK.exe | N/A |
| N/A | N/A | C:\Windows\System\ppkpORd.exe | N/A |
| N/A | N/A | C:\Windows\System\hSjGMDN.exe | N/A |
Loads dropped DLL
UPX packed file
52 hits, no per-hit indicator recorded
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe | N/A |
SeLockMemoryPrivilege ("Lock pages in memory") is the right XMRig requests so it can use large pages for its RandomX memory, which fits the miner verdict above. Database servers such as SQL Server request the same privilege legitimately, so on its own it is corroboration, not a verdict.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\fCfiDJN.exe
C:\Windows\System\fCfiDJN.exe
C:\Windows\System\PmEygvH.exe
C:\Windows\System\PmEygvH.exe
C:\Windows\System\HktMgIM.exe
C:\Windows\System\HktMgIM.exe
C:\Windows\System\NiLgiYa.exe
C:\Windows\System\NiLgiYa.exe
C:\Windows\System\gFjAUbs.exe
C:\Windows\System\gFjAUbs.exe
C:\Windows\System\QQiQqfb.exe
C:\Windows\System\QQiQqfb.exe
C:\Windows\System\aqTxCVq.exe
C:\Windows\System\aqTxCVq.exe
C:\Windows\System\aFnhkeO.exe
C:\Windows\System\aFnhkeO.exe
C:\Windows\System\TIVlKMH.exe
C:\Windows\System\TIVlKMH.exe
C:\Windows\System\RjprfLn.exe
C:\Windows\System\RjprfLn.exe
C:\Windows\System\nmFTJHp.exe
C:\Windows\System\nmFTJHp.exe
C:\Windows\System\yMTEKPL.exe
C:\Windows\System\yMTEKPL.exe
C:\Windows\System\YNdEHNH.exe
C:\Windows\System\YNdEHNH.exe
C:\Windows\System\klZDBYc.exe
C:\Windows\System\klZDBYc.exe
C:\Windows\System\nnTmGHG.exe
C:\Windows\System\nnTmGHG.exe
C:\Windows\System\dImZMoT.exe
C:\Windows\System\dImZMoT.exe
C:\Windows\System\nuXyOtT.exe
C:\Windows\System\nuXyOtT.exe
C:\Windows\System\pehMZtc.exe
C:\Windows\System\pehMZtc.exe
C:\Windows\System\sqwvTkK.exe
C:\Windows\System\sqwvTkK.exe
C:\Windows\System\ppkpORd.exe
C:\Windows\System\ppkpORd.exe
C:\Windows\System\hSjGMDN.exe
C:\Windows\System\hSjGMDN.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1908-0-0x000000013F130000-0x000000013F484000-memory.dmp
memory/1908-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\fCfiDJN.exe
| MD5 | 2f4a204d264c02e44aac95eca3903cf1 |
| SHA1 | c4ec6126570e6576ffdf8fde8e14a0a2b446bc6f |
| SHA256 | ec3a30bb6a41e2720c13c7583eef47db0242bb9c015c967b53c4f41b28c50dad |
| SHA512 | 00d6056adcce3f384a43ccd1fceee953205cc9a4656e5fbccdba2ac300974701409861dbb6c85de4f3e9409e3f82d4505c40ee13f9b5e1ba13f1f664aaa4581e |
\Windows\system\PmEygvH.exe
| MD5 | fada61fc9948175a56bf39b490ef7c72 |
| SHA1 | fbc013ae5bb71e45e77409b0cb93d497dd98b3d0 |
| SHA256 | 2f57e4101d580b2a866bb0aaa432b070784b60f7623fe82f4531f60362c9ade4 |
| SHA512 | 26b442612aef830950a7c8f77d806e06f97317300f829864a32ccf68983afd9d8d5c5936c46a569ae73384b745babd956cae8039a489814fc4cac128e0a37250 |
C:\Windows\system\HktMgIM.exe
| MD5 | fd1570b6a5ced0b794c82ec12b904580 |
| SHA1 | c56b51b789d4738b011171526989dd55e1863073 |
| SHA256 | c65eee30befd284d627988f542dc34405113c4c5dceae46e12e0aac2cc3d5299 |
| SHA512 | cfd8eea827b7ffa7bf0763f33d443ddbfc92585a6b662e2913876884448cc62c1c07a758660304ea52c47637ee2d1ba46b76efa745f9680a69769be73cfff9d6 |
memory/1908-17-0x0000000002320000-0x0000000002674000-memory.dmp
memory/1908-26-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/1908-28-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2616-30-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/1908-29-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2620-27-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2548-25-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2936-22-0x000000013F120000-0x000000013F474000-memory.dmp
C:\Windows\system\NiLgiYa.exe
| MD5 | 33e660d057f51cac72486d96e1c364f0 |
| SHA1 | c39307b49778dbdb2e8417e8459768734746f861 |
| SHA256 | eab13820bd4233145b4f9d9a4b81ef548ef985b7219929828972b64a2c624374 |
| SHA512 | 609930e77104f6d852cc7c196a234e2b07313f8f3c55469fd524a2d354d503fc219bffd606511ca3ad5442bd744a6ea0a9619a3b0937c7ecd96432f123dafdb2 |
C:\Windows\system\gFjAUbs.exe
| MD5 | 784ffe2ee1d3594a18f1ade09536f5c1 |
| SHA1 | 5217d6bda2f04e8ef9140527365a9cc637dd949e |
| SHA256 | 3d75b2de3433ab272883600cb2f13bbf88119c741acdf5f95ab6b4a8f21f312e |
| SHA512 | 06d46ecf5a0067d2a258a76a50db61025ee02c833b6992b971660456b92ca46a8cc0277fc705f0a603cd7677468dc5ae3b88c32fa0f1afb125f9389e0a7739b5 |
memory/1908-35-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2688-37-0x000000013FCC0000-0x0000000140014000-memory.dmp
C:\Windows\system\QQiQqfb.exe
| MD5 | 7f05ce4f1d36fd2e6c778fb33bb3dfd3 |
| SHA1 | 569ba89d8adb798f14ebe403e341b028fc335bc3 |
| SHA256 | bddebb8facf2bf809f50c5b2a1db82f986664f71db4a7f5d86355aacee9af34f |
| SHA512 | 2639937707ee665562fcc5ca5b59cb3c1b714e7b789f0cf293ca236221fa5c1e01cd906ee43f99e0dc06c00f94cb2a0d92d461d28bdde96c4f44f75c8d658fea |
C:\Windows\system\aqTxCVq.exe
| MD5 | 965ebeeb894bc8f45afe4bdf8246ea91 |
| SHA1 | 77d8f8e709eb3ff2e0ae681d71953ded4b6e626d |
| SHA256 | d4f5e8d9b175225e9b2661483806fec53013a7bcfea9885e4b901124c5ba83e7 |
| SHA512 | 2272efb0bef7f7b27922e7679892c08e604b9e6b34da4470ec884398ec81c0604ceff48588efd5c01355716f546d86fa2044e7b7c052a37daa2abc7dd3fee3d7 |
C:\Windows\system\nmFTJHp.exe
| MD5 | 7226df8fac04b0049197c4d8e057a6ac |
| SHA1 | 6f794600cf37adabb84a0bb1449408948a8e996f |
| SHA256 | 4ff0b104d8a8e6007f8775272ea029088a2366d64c5381a9e912a919a761e99a |
| SHA512 | 6fcfd0278308eaddba9f215c9e3150433162e3e21e51151fb616a38561cdab5eb6b8bea19219be648179fc2f98360ed304af3cf674c73875e5a97f9c2c3fb5fc |
C:\Windows\system\yMTEKPL.exe
| MD5 | 3ecbf30965117082b1420763c13be72a |
| SHA1 | 1df7b7b2d530f7cdd153fe7a80f1a3ce4196d929 |
| SHA256 | 1bba64f786673a2ec212d8609a2d872905e01c4b8e2d6c3ec3f59237c4e17cc3 |
| SHA512 | b8db5c37fe60518b1eeea3907861fe0d7a2f38d037a81099b279227792d9eb2a93f3104a84f5fef03fb2a6227991acdf0d86c3e36456c702187ad135dd6d0714 |
\Windows\system\hSjGMDN.exe
| MD5 | b6d6019b4d04ddc4d0891891ce9251a9 |
| SHA1 | 3074578802488a69b88a618fcaef7cf00b41545e |
| SHA256 | c6db8aabf5f75f4cf87b979dc89a741ff4fa747ecc5a7cf03c73f4bce16df4af |
| SHA512 | fd296a49e0938c37ce1ca452c79e6a660bd1d78a4c4649c2fc743231d2f835ce0d02cce3319f0f3927e0f5ba907c26759097f44daace460ccfd4f0486c819ef9 |
C:\Windows\system\ppkpORd.exe
| MD5 | 08bbb24dfd9180418f683df304137397 |
| SHA1 | ea4317af138ab315e6faf71aee4f7207f88f78d9 |
| SHA256 | b3308fff7174b3cde6427ba310f771aad99ccde8fe99313ecab273d1f12d3ab9 |
| SHA512 | 89a6658b2194ac377330427d90ae84f8f75afd576534584c160e78d25c526a6c8d54135038826acf801129b1e142c27c4954e4cd268dec215c4d49a6d438f758 |
C:\Windows\system\sqwvTkK.exe
| MD5 | 86bc6566badd0f3e93dac5e6b8108b4c |
| SHA1 | 0e1238d5a88f09923fdbfd568e81c670b9732149 |
| SHA256 | 0bca74c1888edc20839f6a70075493985f7af24e51381f253c82c22e40203381 |
| SHA512 | 5815d6914c48f63e2399645586ba893b63647ab81254871815e39e6aafcd75b7e0ffdd2da39b24145f97a8076f36a760a95999e61805e2d9ac644e5331ee8ab2 |
memory/1908-120-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2436-123-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/1908-126-0x000000013F6E0000-0x000000013FA34000-memory.dmp
memory/1996-129-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2212-131-0x000000013F9D0000-0x000000013FD24000-memory.dmp
memory/1908-133-0x000000013FE80000-0x00000001401D4000-memory.dmp
memory/1908-134-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/1552-132-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/1908-130-0x000000013F9D0000-0x000000013FD24000-memory.dmp
memory/1908-128-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2836-127-0x000000013F6E0000-0x000000013FA34000-memory.dmp
memory/2540-125-0x000000013F500000-0x000000013F854000-memory.dmp
memory/1908-124-0x000000013F500000-0x000000013F854000-memory.dmp
memory/1908-122-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/2684-121-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2584-119-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2520-118-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/1908-117-0x0000000002320000-0x0000000002674000-memory.dmp
C:\Windows\system\pehMZtc.exe
| MD5 | 4a1988f39ceb99af58bc95d06638f322 |
| SHA1 | 4dd89ae5a26d34b3ca1261fc51a6bd88205259f5 |
| SHA256 | 06abb96430bc179bf67f1b20b231fb76565b519fd728f86fc61cfc99a347fb37 |
| SHA512 | a3509691db49257b7f6f0341854d965e376111ff9f2ed131cba8fcd9f33d89d06fd684a3e99921b21552692312bf3ba65d342a3db09dfa4db6595b5f5c7c8f31 |
C:\Windows\system\nuXyOtT.exe
| MD5 | 215f2abb009f123802624084f30a7533 |
| SHA1 | c27f4d62922d5e55c78165794e6b38fd499d369a |
| SHA256 | e4752a92540a794bec9ce8579d2a85630fecb7ff060f1ac2e1870b126f7a2e46 |
| SHA512 | bff2451f54e33932cf41ddc5cd37593e71a736f03426d9dca2d14d0360da2750999254cab4e6369ac37c87de16827916c7db17e9aa258f2076e2b0d5f2bddbfb |
C:\Windows\system\dImZMoT.exe
| MD5 | 33c6bcf162fb3544238d01fe76088702 |
| SHA1 | e35797cff31f09410c545109f79f536f85b66c06 |
| SHA256 | 16e2f7eacd94d3be57f58f488cf438b24fa0b465b48d6a7ca7dd9bc0ce51a85d |
| SHA512 | b0d7919b69454868c9b913fb9b9ba3cf7d2efda83f47667ef91385ef16c4dfc3e760de46674431d0a348209ba7c0a912444d214a8c3e113cf9953ade3c80730d |
C:\Windows\system\nnTmGHG.exe
| MD5 | cbbcc21874fc2182b9e8ec9491061f5a |
| SHA1 | 3a712500bc9236b5fcb83215fbd58d2c91769dcd |
| SHA256 | b85df1b62255cb55a049e145c87eb678416fe37d5c1e8e1097b77f3581d1e583 |
| SHA512 | cdb210d4d338e62017fcbe38826791f7386d674f6e0ec7ba7f29983f2b4f54a5a60f832f7620b729f44e5b6520ca9048b2e7085720d6c81b1a4cdb2103e1f541 |
C:\Windows\system\klZDBYc.exe
| MD5 | 281ebb28fbedc87a1117a0577616fee0 |
| SHA1 | a92355366821cdf7e3780268de76becff8f18b0b |
| SHA256 | 36af5ef3ac9fe90721a4148f3ac3d267d26a8ee032f359adb56df057b02e2c7c |
| SHA512 | 332f50958cb0c27ad55f159f08dbea4b33ddc396e1da9f4afe3d8295a49287e5ffb05d8b96c9f68380ad08d76c883f5cc828a068e54d9f491ee1264d84bbd4d0 |
C:\Windows\system\YNdEHNH.exe
| MD5 | 4b176c79be3b6d1762c8c340a13cae7a |
| SHA1 | a4ebe346907e650cb6d29937ea1501a15c2483f5 |
| SHA256 | 2152de735a09564c6456d2cc0e8a30a0995a5c4cab51fa3f279a31f0279cd49c |
| SHA512 | 505dc0e340192f84a350ad6c090d88dd3d84e95c91923a6b03ab0b5fad2e9dac1076b956337b593e8127682f9f7274cbf03b319a8190073914e4242dd9e484af |
C:\Windows\system\RjprfLn.exe
| MD5 | 33a0448f5b13a982431e1a690befa50e |
| SHA1 | b6da075d1fcba48bd63f5e22e28ea1d1f0905ac8 |
| SHA256 | c142281faab1981584fcfbac475ddefad0cdcdfe0937bd3dcdeb568c5c9fcb3f |
| SHA512 | dcb613883d6849a68b2fcff06194a6a1f2211ac40e48b68f4b92892226cacc66006a7b558d0fdb3843becc038c1359cf49f5227738dccaad418e8b9d056a2641 |
C:\Windows\system\TIVlKMH.exe
| MD5 | ee11a1334a8c41e13c50edca8c901d6b |
| SHA1 | 3ae7ca66c2f47535333a802b3e07e473150cbea2 |
| SHA256 | a7ac8437fae23ebf871da384079d181f4196ca5873036ca2706f7379858eecef |
| SHA512 | 904e5fef86835f9d19b924a6373a90536351edd545ea2ff0333ded6b7f53fcec075bcd1bf24a42894bf1f1429797c8aa6e44dc8904c154c864f171a65166b9dd |
C:\Windows\system\aFnhkeO.exe
| MD5 | bc00853350ea8a2acccf9dc4cfa1ffbf |
| SHA1 | 30269a17ba3d1b351e4aa68717cce18ea3d7a10c |
| SHA256 | 9292333617d32af52808bd253350d2279653235ef10b371da07203763820cb93 |
| SHA512 | bd066ff188e1e1b22e66255578932460122e0b4b60cb8866ac1af633fae2036fe4689182690747a973b0d80506f80c1caadfc6a6723e4d1a0cf48f31ab3b6c16 |
memory/1908-135-0x000000013F130000-0x000000013F484000-memory.dmp
memory/1908-136-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2688-137-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/1908-138-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/1908-139-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2548-140-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2936-141-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2616-143-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2620-142-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2688-144-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2520-145-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/1552-153-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/2212-152-0x000000013F9D0000-0x000000013FD24000-memory.dmp
memory/1996-151-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2836-150-0x000000013F6E0000-0x000000013FA34000-memory.dmp
memory/2540-149-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2436-148-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/2584-147-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2684-146-0x000000013FFB0000-0x0000000140304000-memory.dmp
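Two things in this listing are easy to miss when read by eye. Every memory region except the parent's 64 KiB block at 0x000F0000 spans exactly 0x354000 bytes, although the 21 dropped files all hash differently, and for most child regions the parent (PID 1908) holds a region at the same base and size, which is consistent with the WriteProcessMemory signature above. The parser below, added here and not part of the report, reads the Files listing in the format used on this page and surfaces both facts plus a basename-to-SHA256 IOC map. The embedded excerpt is copied from the rows above and shortened; the behavioral2 listing has the same shape and parses the same way.

```python
import re
from collections import Counter, defaultdict

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\[^|]+\.exe$", re.IGNORECASE)

# Excerpt copied from the behavioral1 "Files" listing above (shortened, same line format).
REPORT_EXCERPT = """\
memory/1908-0-0x000000013F130000-0x000000013F484000-memory.dmp
memory/1908-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\\Windows\\system\\fCfiDJN.exe
| MD5 | 2f4a204d264c02e44aac95eca3903cf1 |
| SHA1 | c4ec6126570e6576ffdf8fde8e14a0a2b446bc6f |
| SHA256 | ec3a30bb6a41e2720c13c7583eef47db0242bb9c015c967b53c4f41b28c50dad |
\\Windows\\system\\PmEygvH.exe
| SHA256 | 2f57e4101d580b2a866bb0aaa432b070784b60f7623fe82f4531f60362c9ade4 |
memory/1908-28-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2616-30-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/1908-26-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2620-27-0x000000013F570000-0x000000013F8C4000-memory.dmp
"""


def parse_files_section(text: str):
    """Return ({path: {algo: hex}}, [(pid, seq, base, size)]) from the report's Files listing."""
    files, regions, current = {}, [], None
    for line in text.splitlines():
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
            regions.append((pid, seq, start, end - start))
            continue
        if PATH_RE.match(line):
            current = line                  # hash rows that follow belong to this path
            files.setdefault(current, {})
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            files[current][h[1].lower()] = h[2].lower()
    return files, regions


def region_size_profile(regions):
    """Distinct region sizes, most common first; one dominant size across PIDs means one image."""
    return Counter(size for _, _, _, size in regions).most_common()


def shared_bases(regions, parent_pid):
    """Child PIDs holding a region at exactly the base and size of one held by the parent."""
    parent = {(base, size) for pid, _, base, size in regions if pid == parent_pid}
    return sorted({pid for pid, _, base, size in regions
                   if pid != parent_pid and (base, size) in parent})


def ioc_sha256(files):
    """Basename -> SHA256, the form most blocklists want."""
    return {path.rsplit("\\", 1)[-1]: h["sha256"] for path, h in files.items() if "sha256" in h}


if __name__ == "__main__":
    files, regions = parse_files_section(REPORT_EXCERPT)
    print("region sizes:", [(hex(s), n) for s, n in region_size_profile(regions)])
    print("children sharing a parent region:", shared_bases(regions, 1908))
    print("sha256 IOCs:", ioc_sha256(files))
```

Twenty-one distinct hashes for what region sizes say is one image means hash blocking buys little here; the path and behaviour patterns in the Processes section are the durable indicators, and the SHA256 map is for retro-hunting what already landed.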
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 13:43
Reported
2024-06-08 13:47
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
155s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits, no per-hit indicator recorded
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits, no per-hit indicator recorded
UPX dump on OEP (original entry point)
64 hits, no per-hit indicator recorded
XMRig Miner payload
64 hits, no per-hit indicator recorded
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\CZpKFgF.exe | N/A |
| N/A | N/A | C:\Windows\System\efLODSi.exe | N/A |
| N/A | N/A | C:\Windows\System\UXzVfmq.exe | N/A |
| N/A | N/A | C:\Windows\System\DyTSQSB.exe | N/A |
| N/A | N/A | C:\Windows\System\wKGQGWX.exe | N/A |
| N/A | N/A | C:\Windows\System\oKoiAyJ.exe | N/A |
| N/A | N/A | C:\Windows\System\rRrardn.exe | N/A |
| N/A | N/A | C:\Windows\System\BcwVYZg.exe | N/A |
| N/A | N/A | C:\Windows\System\ZmfEkGF.exe | N/A |
| N/A | N/A | C:\Windows\System\ceqPjoa.exe | N/A |
| N/A | N/A | C:\Windows\System\DpWMmAF.exe | N/A |
| N/A | N/A | C:\Windows\System\JUCiIHd.exe | N/A |
| N/A | N/A | C:\Windows\System\ifpRqfB.exe | N/A |
| N/A | N/A | C:\Windows\System\SvUKAax.exe | N/A |
| N/A | N/A | C:\Windows\System\QYBNxpZ.exe | N/A |
| N/A | N/A | C:\Windows\System\wptSbTO.exe | N/A |
| N/A | N/A | C:\Windows\System\sPcIbum.exe | N/A |
| N/A | N/A | C:\Windows\System\eMZbmvg.exe | N/A |
| N/A | N/A | C:\Windows\System\IthfdTq.exe | N/A |
| N/A | N/A | C:\Windows\System\jINqasD.exe | N/A |
| N/A | N/A | C:\Windows\System\BZdvyUr.exe | N/A |
UPX packed file
64 hits, no per-hit indicator recorded
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\CZpKFgF.exe
C:\Windows\System\CZpKFgF.exe
C:\Windows\System\efLODSi.exe
C:\Windows\System\efLODSi.exe
C:\Windows\System\UXzVfmq.exe
C:\Windows\System\UXzVfmq.exe
C:\Windows\System\DyTSQSB.exe
C:\Windows\System\DyTSQSB.exe
C:\Windows\System\wKGQGWX.exe
C:\Windows\System\wKGQGWX.exe
C:\Windows\System\oKoiAyJ.exe
C:\Windows\System\oKoiAyJ.exe
C:\Windows\System\rRrardn.exe
C:\Windows\System\rRrardn.exe
C:\Windows\System\BcwVYZg.exe
C:\Windows\System\BcwVYZg.exe
C:\Windows\System\ZmfEkGF.exe
C:\Windows\System\ZmfEkGF.exe
C:\Windows\System\ceqPjoa.exe
C:\Windows\System\ceqPjoa.exe
C:\Windows\System\DpWMmAF.exe
C:\Windows\System\DpWMmAF.exe
C:\Windows\System\ifpRqfB.exe
C:\Windows\System\ifpRqfB.exe
C:\Windows\System\JUCiIHd.exe
C:\Windows\System\JUCiIHd.exe
C:\Windows\System\SvUKAax.exe
C:\Windows\System\SvUKAax.exe
C:\Windows\System\QYBNxpZ.exe
C:\Windows\System\QYBNxpZ.exe
C:\Windows\System\wptSbTO.exe
C:\Windows\System\wptSbTO.exe
C:\Windows\System\sPcIbum.exe
C:\Windows\System\sPcIbum.exe
C:\Windows\System\eMZbmvg.exe
C:\Windows\System\eMZbmvg.exe
C:\Windows\System\IthfdTq.exe
C:\Windows\System\IthfdTq.exe
C:\Windows\System\jINqasD.exe
C:\Windows\System\jINqasD.exe
C:\Windows\System\BZdvyUr.exe
C:\Windows\System\BZdvyUr.exe
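Detection logic, added as an example and not part of the report, for the process pattern both runs share: a parent in the user's Temp directory writes 21 executables with seven-letter random names into C:\Windows\System (the legacy directory, not System32), starts each one, and enables SeLockMemoryPrivilege. The events below are constructed Sysmon-style JSON lines that reuse the paths and the parent PID 1908 from behavioral1; the child PID to image pairing, the benign rows and the burst threshold of 3 are assumptions of the example.

```python
import json
import re
from collections import defaultdict

# Dropped images in this report: C:\Windows\System\<7 random letters>.exe (System, not System32)
DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
BURST = 3   # distinct dropped images from one parent before it is called a dropper (assumed)

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087"
           r"_cobalt-strike_cobaltstrike.exe")

# Constructed Sysmon-style events (JSON lines). Paths and the parent PID 1908 come from the
# behavioral1 run above; the child PID to image mapping and the benign rows are made up.
EVENTS = "\n".join(json.dumps(e) for e in [
    {"event": "privilege_enabled", "pid": 1908, "image": DROPPER, "privilege": "SeLockMemoryPrivilege"},
    {"event": "process_create", "pid": 2548, "ppid": 1908, "parent_image": DROPPER,
     "image": r"C:\Windows\System\fCfiDJN.exe"},
    {"event": "process_create", "pid": 2936, "ppid": 1908, "parent_image": DROPPER,
     "image": r"C:\Windows\System\PmEygvH.exe"},
    {"event": "process_create", "pid": 2620, "ppid": 1908, "parent_image": DROPPER,
     "image": r"C:\Windows\System\HktMgIM.exe"},
    {"event": "process_create", "pid": 2616, "ppid": 1908, "parent_image": DROPPER,
     "image": r"C:\Windows\System\NiLgiYa.exe"},
    {"event": "process_create", "pid": 3012, "ppid": 1908, "parent_image": DROPPER,
     "image": r"C:\Windows\System32\conhost.exe"},                        # console host, benign
    {"event": "process_create", "pid": 3300, "ppid": 1204, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},                        # unrelated user activity
    {"event": "privilege_enabled", "pid": 4100, "privilege": "SeLockMemoryPrivilege",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},  # legitimate large pages
])


def detect(jsonl: str):
    """Run the two rules over a stream of events and return a list of alert dicts."""
    dropped = defaultdict(set)    # ppid -> distinct dropped images it started
    parent_image = {}             # ppid -> its own image path
    image_of = {}                 # pid  -> image path
    privs = defaultdict(set)      # pid  -> privileges it enabled
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        image_of[ev["pid"]] = ev["image"]
        if ev["event"] == "process_create" and DROP_RE.match(ev["image"]):
            dropped[ev["ppid"]].add(ev["image"])
            parent_image[ev["ppid"]] = ev["parent_image"]
        elif ev["event"] == "privilege_enabled":
            privs[ev["pid"]].add(ev["privilege"])

    alerts = []
    for ppid, images in dropped.items():
        if len(images) >= BURST:
            # A Temp-resident parent writing executables into C:\Windows\System is the dropper pattern.
            from_temp = bool(TEMP_RE.search(parent_image[ppid]))
            alerts.append({"rule": "dropper-burst-windows-system", "pid": ppid,
                           "count": len(images), "severity": "high" if from_temp else "medium"})
    for pid, names in privs.items():
        if "SeLockMemoryPrivilege" in names:
            # Large-page privilege is what a miner wants, but SQL Server asks for it too:
            # escalate only when the same PID also drops, or is itself one of, the dropped images.
            corroborated = pid in dropped or DROP_RE.match(image_of.get(pid, "")) is not None
            alerts.append({"rule": "selockmemory-large-pages", "pid": pid,
                           "severity": "high" if corroborated else "info"})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The privilege rule deliberately stays at "info" unless the same PID is tied to the drop pattern, because "Lock pages in memory" is granted to database servers on purpose; the path rule carries the weight, since ordinary software has no reason to write seven-letter executables into C:\Windows\System from a Temp-resident parent.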
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 52.111.229.43:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
3.120.209.58:8080 is the only destination contacted in both detonations and the sandbox recorded no domain for it. The PTR lookups through 8.8.8.8 and the 52.111.229.43:443 connection appear only in this Windows 10 run and not in the Windows 7 run, so the 8080 endpoint is the indicator to take from the network data.
Files