Analysis Overview
SHA256
3090993f6749f4e20b04c27cb3f31a778194e0363cb3a955491f82f4f7418d52
Threat Level: Known bad
The file 2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
XMRig Miner payload
Cobaltstrike
Xmrig family
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
xmrig
Cobalt Strike reflective loader
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-08 17:29
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 17:29
Reported
2024-06-08 17:32
Platform
win7-20240221-en
Max time kernel
145s
Max time network
153s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\MgRUbvI.exe | N/A |
| N/A | N/A | C:\Windows\System\oTbVVpb.exe | N/A |
| N/A | N/A | C:\Windows\System\EfmvSSQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ohYJwSA.exe | N/A |
| N/A | N/A | C:\Windows\System\fjWqgBE.exe | N/A |
| N/A | N/A | C:\Windows\System\MEchGDj.exe | N/A |
| N/A | N/A | C:\Windows\System\azLekOi.exe | N/A |
| N/A | N/A | C:\Windows\System\yCxvrOY.exe | N/A |
| N/A | N/A | C:\Windows\System\wATUqzA.exe | N/A |
| N/A | N/A | C:\Windows\System\pLTSqbE.exe | N/A |
| N/A | N/A | C:\Windows\System\FHaaNBF.exe | N/A |
| N/A | N/A | C:\Windows\System\hvmjpsC.exe | N/A |
| N/A | N/A | C:\Windows\System\NtRbIBT.exe | N/A |
| N/A | N/A | C:\Windows\System\HfZRGnU.exe | N/A |
| N/A | N/A | C:\Windows\System\GGaRNCK.exe | N/A |
| N/A | N/A | C:\Windows\System\xicyXau.exe | N/A |
| N/A | N/A | C:\Windows\System\Mlorqcq.exe | N/A |
| N/A | N/A | C:\Windows\System\UVOMQdG.exe | N/A |
| N/A | N/A | C:\Windows\System\RvoIVAx.exe | N/A |
| N/A | N/A | C:\Windows\System\oBYiOdX.exe | N/A |
| N/A | N/A | C:\Windows\System\oSVXiuQ.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\MgRUbvI.exe
C:\Windows\System\oTbVVpb.exe
C:\Windows\System\EfmvSSQ.exe
C:\Windows\System\NtRbIBT.exe
C:\Windows\System\ohYJwSA.exe
C:\Windows\System\HfZRGnU.exe
C:\Windows\System\fjWqgBE.exe
C:\Windows\System\GGaRNCK.exe
C:\Windows\System\MEchGDj.exe
C:\Windows\System\xicyXau.exe
C:\Windows\System\azLekOi.exe
C:\Windows\System\Mlorqcq.exe
C:\Windows\System\yCxvrOY.exe
C:\Windows\System\UVOMQdG.exe
C:\Windows\System\wATUqzA.exe
C:\Windows\System\RvoIVAx.exe
C:\Windows\System\pLTSqbE.exe
C:\Windows\System\oBYiOdX.exe
C:\Windows\System\FHaaNBF.exe
C:\Windows\System\oSVXiuQ.exe
C:\Windows\System\hvmjpsC.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 17:29
Reported
2024-06-08 17:32
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\CiAWfTm.exe | N/A |
| N/A | N/A | C:\Windows\System\mKuNGvI.exe | N/A |
| N/A | N/A | C:\Windows\System\LEBGamz.exe | N/A |
| N/A | N/A | C:\Windows\System\ftXoxOC.exe | N/A |
| N/A | N/A | C:\Windows\System\kwpYsdI.exe | N/A |
| N/A | N/A | C:\Windows\System\snmBIyk.exe | N/A |
| N/A | N/A | C:\Windows\System\JkftEwk.exe | N/A |
| N/A | N/A | C:\Windows\System\uUKVWgq.exe | N/A |
| N/A | N/A | C:\Windows\System\OHtoFtl.exe | N/A |
| N/A | N/A | C:\Windows\System\xycRENT.exe | N/A |
| N/A | N/A | C:\Windows\System\LITQOlx.exe | N/A |
| N/A | N/A | C:\Windows\System\VTBcqlj.exe | N/A |
| N/A | N/A | C:\Windows\System\ndtLbpG.exe | N/A |
| N/A | N/A | C:\Windows\System\oxqYpoz.exe | N/A |
| N/A | N/A | C:\Windows\System\HXNboQE.exe | N/A |
| N/A | N/A | C:\Windows\System\qUfosyx.exe | N/A |
| N/A | N/A | C:\Windows\System\zBuJUPO.exe | N/A |
| N/A | N/A | C:\Windows\System\oMsbiPy.exe | N/A |
| N/A | N/A | C:\Windows\System\pSaohxy.exe | N/A |
| N/A | N/A | C:\Windows\System\vFYmBFJ.exe | N/A |
| N/A | N/A | C:\Windows\System\zOOaaLw.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\CiAWfTm.exe
C:\Windows\System\mKuNGvI.exe
C:\Windows\System\LEBGamz.exe
C:\Windows\System\ftXoxOC.exe
C:\Windows\System\kwpYsdI.exe
C:\Windows\System\snmBIyk.exe
C:\Windows\System\JkftEwk.exe
C:\Windows\System\uUKVWgq.exe
C:\Windows\System\OHtoFtl.exe
C:\Windows\System\xycRENT.exe
C:\Windows\System\LITQOlx.exe
C:\Windows\System\VTBcqlj.exe
C:\Windows\System\ndtLbpG.exe
C:\Windows\System\oxqYpoz.exe
C:\Windows\System\HXNboQE.exe
C:\Windows\System\qUfosyx.exe
C:\Windows\System\zBuJUPO.exe
C:\Windows\System\oMsbiPy.exe
C:\Windows\System\pSaohxy.exe
C:\Windows\System\vFYmBFJ.exe
C:\Windows\System\zOOaaLw.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| MD5 | cffdfb0a9a2f4322964f76bdab9956c3 |
| SHA1 | 05b782fab2988806b015d096ca0dca122d8e3b15 |
| SHA256 | 8f0d9d4409ecdd5265ded724b5b8b2226d781a2a384673557fbc94a72b802d13 |
| SHA512 | e8ea5b93cb854b5c9e9c989a291e8db88b980dca0ef433282f451af78d4cd00e234c933355b1a4aafb03a314d5383e34a75c29a3a8664e83029e03dd4f07dbf0 |
memory/4404-113-0x00007FF610250000-0x00007FF6105A4000-memory.dmp
C:\Windows\System\vFYmBFJ.exe
| MD5 | d293b0e79e76e2b69a6685f290f2ac3f |
| SHA1 | a5b2b2972608f194ec59fbded237c0e515e0b036 |
| SHA256 | 792a30ff6f4901466e42dffe83ef81a46cbbe1cf1fa39a3e3618e9e90d9b6110 |
| SHA512 | e94e29b417824a07e3ec5ccf6c3a37ece395b27caf8cead8254476f3b8c4ce4a123262f83f544509841a9ca2ec1e855ccdb5072d6cc0a1f717781108a6936b42 |
C:\Windows\System\pSaohxy.exe
| MD5 | 8a74a01f38f873e6d52b164377e1fb53 |
| SHA1 | 1d65af29ed2692acfb1b558166d03a7fa11ee9e7 |
| SHA256 | 59c5ca9977d8283a3b1ac0b407c39ce9a84a9cb8d964771343aea1c577c6852e |
| SHA512 | a645900ee32374ea0bf9b620fa2519f7f4b9b815c4c8277e502978f4176b538d55afb159a6865d58700a1c264aaeae6bd5da6dfc99d483bc55d9900bb21efe9a |
C:\Windows\System\oMsbiPy.exe
| MD5 | ddbf34037698b878d355f273f2a00941 |
| SHA1 | db8b047c82229998c7707fdbb20df702f676fffa |
| SHA256 | 7e6caab7b1432662f6bfcb62a0e2366e2a4ba68524c1161d763f4fbd3d2adb44 |
| SHA512 | 17091c132f03edda2f32d1651b8efa3d1902bce00758ae187234a08850f815aac13af82d1d6e2da0c20edcaa79b775fdd9cc05b97000b654b9ee9d42fc5ca6ee |
C:\Windows\System\HXNboQE.exe
| MD5 | a222431e51359acc19d24af0088b693a |
| SHA1 | 6f5d51d3e190c953c0eb527169329fc56bf6b522 |
| SHA256 | 6e476dfbc2ac6f545f3fd4f2985602777841395c48d8c264d1568f780260fd12 |
| SHA512 | 44bd0ef4d9796befb1df7c79c16b14f28a1d9c82985f0541b02a79dccb763fc6944148e981f883bb5f9ffe8d7b319b3b09b950129ab526e2748fcdfd41059dff |
memory/392-92-0x00007FF7116D0000-0x00007FF711A24000-memory.dmp
C:\Windows\System\qUfosyx.exe
| MD5 | 5bc36b3e22684ef7fec8834d1a90e4f6 |
| SHA1 | 90b2e26494ce0620a40a939197c1d023a8061fd7 |
| SHA256 | 742519804179746d7111b8080843d11e1df8c4b78f228a0adc5efc46222399b1 |
| SHA512 | 693b53381bb83db6cb28f578234dd293eecf91e9db21a5cfb6a2197ff8ff8163c4729ea48ae2ad1b2edb3249a13399465aeedca0f265aff7ff27da9a905f64a0 |
memory/1836-91-0x00007FF602E60000-0x00007FF6031B4000-memory.dmp
memory/3880-84-0x00007FF791E60000-0x00007FF7921B4000-memory.dmp
C:\Windows\System\ndtLbpG.exe
| MD5 | 3c6c17ca52fd44a1c1e43e7c406954a9 |
| SHA1 | ecb70205833db9a5cda83af30e6dfd1f9a805e17 |
| SHA256 | b004830d08fbedd4a26ee92c66630de6048135657a31d44fd0792896aed0b7a2 |
| SHA512 | 499b98af81d672792704290f4247715856b69147b5eaea1005212ba75758c1754b35034deb16c604e90bbf2c63f09e8b1fb70c9d88e586cf03ec91f3f365c80e |
memory/3584-76-0x00007FF631240000-0x00007FF631594000-memory.dmp
memory/4984-75-0x00007FF7EED30000-0x00007FF7EF084000-memory.dmp
C:\Windows\System\VTBcqlj.exe
| MD5 | b10e1cb1e54910a267b73b122c83bf68 |
| SHA1 | f8b677f4139138b5c554025100a612bee19af246 |
| SHA256 | 15b15e56e1ca366bdee191e3325183bf2f3c4740894078b4b84573bfdf5382da |
| SHA512 | 355eefe3c5915e4b845c1389ba209d32c9ed9bd668b7e884aaecc36db015ba201acba2908373f2d8b6d09c30cba93a0bdf1d752b083c4d5b6ae9210b3ed92791 |
memory/1460-74-0x00007FF79E410000-0x00007FF79E764000-memory.dmp
memory/3516-68-0x00007FF71A570000-0x00007FF71A8C4000-memory.dmp
C:\Windows\System\JkftEwk.exe
| MD5 | 18d1042c6a6fcbe34dccb381135627b5 |
| SHA1 | 1d777d39daafbbb073a539c0672a6a11bf609e12 |
| SHA256 | ef067bc6901aa7b6ab594dfaa2f91bb939c81608e76a28f5b4d0f301a18ab9e1 |
| SHA512 | aa03438edc33598d8d1a416ffd4168300759ecb08fe0440207ee85b778366bac7b73e00932e3324d5d55f54b54d8fa7e49648803acd66df82f76264b242192e9 |
C:\Windows\System\uUKVWgq.exe
| MD5 | 8be1635a310131b4e30d0ecabb20699e |
| SHA1 | eaa30af38a76595d98cbddd837506d97b4d69dde |
| SHA256 | 2212279a4b75cdaeec44fa304b9fd39098191605800284c27689f2d02e486522 |
| SHA512 | 9bd79ff86a07d9658af33889ec5347e90cf507b65f2d5dc2e4915439711c5e9b64ec5fd2cc54bbeb6c61d5ac5fe6ee002bbda20c89c9100e17472424bcb9a7cc |
C:\Windows\System\snmBIyk.exe
| MD5 | 3cc70ab162f036cb0607ff3d9ebd1128 |
| SHA1 | 8057168bbe56c1c13c12bf641e7b09456cce6980 |
| SHA256 | 04d0423daad12265ad3cbbe900f0fd074125ef689d93079c3cf80ecc5b0f4116 |
| SHA512 | 8fe655ab4066a217be58aaaa1c9bd277f8f9dd21a1245d6c6307bee3b8888ef985a935388446e3499159e138e0efc8f10824c0973ea8e3c39a0b78ffef15219f |
memory/208-29-0x00007FF6C5E70000-0x00007FF6C61C4000-memory.dmp
memory/1492-20-0x00007FF79FE80000-0x00007FF7A01D4000-memory.dmp
memory/792-14-0x00007FF71D480000-0x00007FF71D7D4000-memory.dmp
C:\Windows\System\mKuNGvI.exe
| MD5 | 635eb898251bcfb4b72d3ddc159e3c15 |
| SHA1 | 9ff0954384af6a14ac9e1f87a838bf96bc5d31c7 |
| SHA256 | eb522163620c834bde9ccc5740d9bb03a84100e0d0a6be015667ea369036809a |
| SHA512 | a31f5092d51095a07766a3f219512f9943b3c630f8178a5f8ce5287f2bf5a9aaf35a6076887e2a51972e7175572d1ceb2c5c6afdede3641bc2d3f60db9c885cf |
C:\Windows\System\zOOaaLw.exe
| MD5 | 1ee05fde9984d1e3251dc69000aa2562 |
| SHA1 | 3e336e52f7e48b2879fe259d4dfe579c470d5b35 |
| SHA256 | 96bbed340b189b198d81334a1a11b8be45b35c45eab0f0a05b5445346af268f5 |
| SHA512 | a0aca4576c2cd209d074e435806533c45f7405bce96833eec3b246c9a4aaed75508fdbf6c82d7f2d7c43dfd8ab50f6337292ec7108a03bf6b1c6915e7b0edc8e |