Analysis Overview
SHA256
8172356dc1b04ad9e68c050c1431ef0e0fa20c997c96c0268b202a1298430dd2
Threat Level: Known bad
The file 2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike
XMRig Miner payload
xmrig
Cobaltstrike family
Cobalt Strike reflective loader
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 21:02
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 21:01
Reported
2024-06-08 21:09
Platform
win7-20240220-en
Max time kernel
134s
Max time network
144s
Command Line
Signatures
xmrig
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZhIPcfW.exe | N/A |
| N/A | N/A | C:\Windows\System\DMqONTm.exe | N/A |
| N/A | N/A | C:\Windows\System\bJjPdUx.exe | N/A |
| N/A | N/A | C:\Windows\System\EkNabuZ.exe | N/A |
| N/A | N/A | C:\Windows\System\kAOdehF.exe | N/A |
| N/A | N/A | C:\Windows\System\MUVlURR.exe | N/A |
| N/A | N/A | C:\Windows\System\lXyTqhp.exe | N/A |
| N/A | N/A | C:\Windows\System\jVmvyeK.exe | N/A |
| N/A | N/A | C:\Windows\System\jFYCwhm.exe | N/A |
| N/A | N/A | C:\Windows\System\NaIuSAw.exe | N/A |
| N/A | N/A | C:\Windows\System\tXfPMfz.exe | N/A |
| N/A | N/A | C:\Windows\System\LjFcsII.exe | N/A |
| N/A | N/A | C:\Windows\System\OlfgOzD.exe | N/A |
| N/A | N/A | C:\Windows\System\eOFPJhy.exe | N/A |
| N/A | N/A | C:\Windows\System\SGbxzEv.exe | N/A |
| N/A | N/A | C:\Windows\System\cPwZqTz.exe | N/A |
| N/A | N/A | C:\Windows\System\THqgnOx.exe | N/A |
| N/A | N/A | C:\Windows\System\CrrygFG.exe | N/A |
| N/A | N/A | C:\Windows\System\XYAnkdc.exe | N/A |
| N/A | N/A | C:\Windows\System\rnTwbyT.exe | N/A |
| N/A | N/A | C:\Windows\System\jApptUw.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ZhIPcfW.exe
C:\Windows\System\ZhIPcfW.exe
C:\Windows\System\DMqONTm.exe
C:\Windows\System\DMqONTm.exe
C:\Windows\System\bJjPdUx.exe
C:\Windows\System\bJjPdUx.exe
C:\Windows\System\EkNabuZ.exe
C:\Windows\System\EkNabuZ.exe
C:\Windows\System\kAOdehF.exe
C:\Windows\System\kAOdehF.exe
C:\Windows\System\MUVlURR.exe
C:\Windows\System\MUVlURR.exe
C:\Windows\System\lXyTqhp.exe
C:\Windows\System\lXyTqhp.exe
C:\Windows\System\jVmvyeK.exe
C:\Windows\System\jVmvyeK.exe
C:\Windows\System\jFYCwhm.exe
C:\Windows\System\jFYCwhm.exe
C:\Windows\System\NaIuSAw.exe
C:\Windows\System\NaIuSAw.exe
C:\Windows\System\tXfPMfz.exe
C:\Windows\System\tXfPMfz.exe
C:\Windows\System\LjFcsII.exe
C:\Windows\System\LjFcsII.exe
C:\Windows\System\OlfgOzD.exe
C:\Windows\System\OlfgOzD.exe
C:\Windows\System\eOFPJhy.exe
C:\Windows\System\eOFPJhy.exe
C:\Windows\System\THqgnOx.exe
C:\Windows\System\THqgnOx.exe
C:\Windows\System\SGbxzEv.exe
C:\Windows\System\SGbxzEv.exe
C:\Windows\System\CrrygFG.exe
C:\Windows\System\CrrygFG.exe
C:\Windows\System\cPwZqTz.exe
C:\Windows\System\cPwZqTz.exe
C:\Windows\System\XYAnkdc.exe
C:\Windows\System\XYAnkdc.exe
C:\Windows\System\rnTwbyT.exe
C:\Windows\System\rnTwbyT.exe
C:\Windows\System\jApptUw.exe
C:\Windows\System\jApptUw.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/2204-0-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/2204-1-0x000000013F790000-0x000000013FAE4000-memory.dmp
\Windows\system\ZhIPcfW.exe
| MD5 | 3dd3dcd306f0efc9bbfa800cbd31ae40 |
| SHA1 | d052cb1858658159c0105a89f05e8ea0bb515259 |
| SHA256 | 7c369ff01d831de8701c05e89e10baafecae898266eb16442fd298ec3ac4b304 |
| SHA512 | 59ad00f536a0bf367e7ffc9ae8487c3c876b694bdbdc9cbc067ae6fe30b5ea1fb628f6dff517baa30ac39f6a2825197d0473cb1892c86bc9e668a42a7b74d6a3 |
memory/2204-8-0x0000000002400000-0x0000000002754000-memory.dmp
C:\Windows\system\DMqONTm.exe
| MD5 | d0f3f08dac10750dbe4af117124973a9 |
| SHA1 | 5bb40e4c05909c11cf0378f90675400c257de839 |
| SHA256 | 226752531ac61381a8900c03379917ef597d02c4b702b8da147f47b01957adaa |
| SHA512 | 22804c2d146a830601c82460e1662705346591f13fc6244984a769ddeebdbae1cefeecdb1deb956eec78269f07450bf9493c850c66c35780e937815ac5925a02 |
memory/3048-11-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2544-19-0x000000013F580000-0x000000013F8D4000-memory.dmp
memory/2204-22-0x0000000002400000-0x0000000002754000-memory.dmp
\Windows\system\kAOdehF.exe
| MD5 | 70ff90aa4744113bd0310fc0d9642696 |
| SHA1 | 4f02a897376e5e156044a81d440bc1b6f5e73eda |
| SHA256 | 850f0bbecc3dc6f48578257267b2dfc4dd032dd358202c0f6ec3920e2118bcf5 |
| SHA512 | bdc7f055358d137daf4d2e1f7011457331106547b4eec4e5f4ff35dd9f5890da8611a6c345a9ae884d95e4260252b884173921b0ceaa07cb5d1698fa0594012f |
C:\Windows\system\EkNabuZ.exe
| MD5 | b12f50740eef66714200750b921dca91 |
| SHA1 | 8373966e5ed792f21420a1f96bf3bbb6923ce01a |
| SHA256 | 719552d5e050d5b6103aeabc2599e37e66f0dc2dc083f0cf409b7b43085c6d59 |
| SHA512 | 7a4e91a3c8d86a2c7d2864f022b2bc699138cd2829346c866cd8c934865e794d9cf66725904fe7973648c3a72b48057f93b8dc315697f02e4e9bbb78689e94d8 |
\Windows\system\EkNabuZ.exe
| MD5 | 484f9bd860840f7d2331986e4199e3d2 |
| SHA1 | eb5448cac8a274aecd2e2e996f7a8c535ce8dfe2 |
| SHA256 | d792f6a1d133eaf0c847fb75869638ea7611e35c703fc655348b58642f5eef41 |
| SHA512 | 30de83fe0665fd35b3e5b2ef1bcd329c5b3c3cda1a0fab51d4301e97e4af95f143875fb670b8aa6d25ab7572333b6c08ac07f838a0611a2110ce3153537d12d2 |
memory/2652-21-0x000000013F630000-0x000000013F984000-memory.dmp
\Windows\system\bJjPdUx.exe
| MD5 | 0e2fd2a522d2418bc7dbaf689ef76673 |
| SHA1 | 5f1c27d705b7b859dfc3a6c555a6c8b3ab244763 |
| SHA256 | 40742f91cd985eb524bd3891d1dd35d24592ad177108d69ed9cd6d4b18b99360 |
| SHA512 | 64301bc0310c56dee53197109af15147dcdc7fc2e4ce1b977cb7e6dcd2f13af6e165bd17c6af06ed25d21fbd4c9cf4f3e78ae062fc175d24eb2fa93590a4ee28 |
C:\Windows\system\bJjPdUx.exe
| MD5 | b731781bf85531537282fd235875b3ac |
| SHA1 | 59206fda46b1e56bdb976d7da35012e4e6f8f1d4 |
| SHA256 | 2657a1b1a648dd161d8d3ed50a75150d2dc010da365b30b7a3795fcb1daf19d8 |
| SHA512 | 9c8f38979f392f1b992869e4ca74bbf964e203e775e31879ef15724590f704e0e57e3157344250ce39807469b2b0c7b88f0fe314e1bd06187f5de3c3f57f7a8f |
\Windows\system\DMqONTm.exe
| MD5 | 18efd8c69c7a14d378b8475ff681f6c4 |
| SHA1 | 2b1da0506beaecb78e94aad76f14aebfb86a9678 |
| SHA256 | 4278c75a637d678dfa4ac6463d90c2d6e77ae9f9cb3ad2dff76bbdba355ca4d3 |
| SHA512 | 04c788d5c6912701ce96ced72692ab689759b453228b07881060ae26b58129eed0be110e75ca2aeb8de823205c66a043a92d6184c1d83f72a7a44b67b5c42597 |
C:\Windows\system\ZhIPcfW.exe
| MD5 | c855d9545c07cd79979ffc8d326eea3e |
| SHA1 | 4f949d4840815a1121af168d9a1365e7c7438ff5 |
| SHA256 | 4f32f25a3cda26fb2584a341564f7f299b15d891ae61f2a147190344a8b9706b |
| SHA512 | b59c45f40a1aae27eddf3d7b04d8df06abfc9842dcc1d548cc5646ebf986148f6292edead9d39f03cc1942bca037e30cf6865932a09c0db6788398d6998ce320 |
memory/2204-32-0x0000000002400000-0x0000000002754000-memory.dmp
C:\Windows\system\kAOdehF.exe
| MD5 | f9bb666c375bafe5bb759561167fb359 |
| SHA1 | 8db0504bfc2103d6012f3daba3c9c3b53485f363 |
| SHA256 | 3cb3ce6b25098e8f80c56c963d9195fc1c3535964d63e5973f7c37284dcb50c6 |
| SHA512 | 448c21a8ecb9cbdc1ac62a52f9c18e59b95ad9c895fdbd3e281dcc94d2026ea104c48d56ae789eb7ac1da59c5d78594ff22d85baa63f338d432285e3f512a734 |
memory/2656-40-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2912-37-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2204-47-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2288-48-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2204-49-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2520-46-0x000000013FC20000-0x000000013FF74000-memory.dmp
C:\Windows\system\jVmvyeK.exe
| MD5 | fe57f8188564cd40e581d657eb39a51c |
| SHA1 | a769db5a955895999e8cfad6f9c2156a7679ab61 |
| SHA256 | 509f676438e0a62ce998520d6b512997df34dab53b716afecb70fde12451e067 |
| SHA512 | bedc7b8c666d75b4b2a51cdf1cbb44229891d399ac024af5950af15345f2453cff67fc09503257cefbe1a68d8da92c49e28e020e981fdb43101104e23819a72e |
memory/2412-55-0x000000013F6C0000-0x000000013FA14000-memory.dmp
C:\Windows\system\jFYCwhm.exe
| MD5 | 8501e1b3ec042e7e35c8a420be40052e |
| SHA1 | 9387a8c36b178a4031ee833ba9d467062f0b27bf |
| SHA256 | 586fd82b12dec2e295dad7b24bce29753bf165ba24b0179a447f67e307ffac12 |
| SHA512 | 2feaf4546e56b98718cbacd9b99cd23d02716607d121943151d374b64f8005f9acb6bb2fb4a0e77cd659eeb064ad22db5e63fb4907d0763d44622f3bc9887ac1 |
memory/2204-61-0x000000013F790000-0x000000013FAE4000-memory.dmp
\Windows\system\NaIuSAw.exe
| MD5 | 73a986c9493930f4cd8a8093981caf97 |
| SHA1 | d56e4ec277c46c1f501f0380990a8cb52fc97921 |
| SHA256 | 79658989fc6265b27479193101b06b4d07a3afc14a90cac7cd0c2fd5a470fdb1 |
| SHA512 | df908858efce8052aba32afa73708ab41a555ed2fb2054faebcbf306cccde59229ad974697075f78113c385920705044fa084d6313ac5116bfcc6a59748d37e7 |
memory/2204-73-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/1920-76-0x000000013F530000-0x000000013F884000-memory.dmp
memory/2204-75-0x0000000002400000-0x0000000002754000-memory.dmp
C:\Windows\system\LjFcsII.exe
| MD5 | 31490ad2606e8a897ca8c4a419bd3e58 |
| SHA1 | 15ea2dbbf80f024fbd088a8352c0dff268e627e1 |
| SHA256 | e7019212e2d60c4f62ca01dd184bf4d01bcefd9b021dae68fd8643a75ee137af |
| SHA512 | 64347a3d4f532f02dc9fadf00483a158d2bc4e2f2cc5f9e65365a844cac9e22d7f0477247deea55649e47fc235d1420588dbea30950d3bdd7d82439013980a5f |
C:\Windows\system\jApptUw.exe
| MD5 | 3abfd04cbd5bfb580962e174eb161ef3 |
| SHA1 | 68b5f3effe81f27b825e1f140f0eaf22a238e86d |
| SHA256 | f6131d94bec376103e933fab80d12e7848ac041ba79efbfe4b10dfcf2ff7c54f |
| SHA512 | faecfac84160a772c5bcb139aedf1f1777b2196aa08cb9fd45f4492847180ca2ad8f5d89fb3c60b385b3df056df6195c523bc250a936606531c9ce28efbb35c0 |
memory/2656-133-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2204-134-0x000000013F420000-0x000000013F774000-memory.dmp
memory/1240-130-0x000000013FCD0000-0x0000000140024000-memory.dmp
C:\Windows\system\rnTwbyT.exe
| MD5 | 6e43ed95cc20d2ddcab2cd2f4ba27ce3 |
| SHA1 | ecfefb0ab2676c2c3b87cc0607c20135ccbbfb8d |
| SHA256 | abeab4c7d15c7e6b5b6307621e131f5923c08c9602baec23757555414a26f396 |
| SHA512 | 8c97da48938db0cf64785262c719fcc498f5129075e51feb2af44bae18db924e8a15bd8b5325e27b27d230e40c730008ca277d0a7c66733c0770c059ca356580 |
C:\Windows\system\XYAnkdc.exe
| MD5 | cf1dfa3398fc7a5a3e4aa28a33021420 |
| SHA1 | 92ec7e1793049f05d8929127974c688764686f20 |
| SHA256 | 7641ca4766ae524c827c88f2ee88ac772b0e00345b34712c04fd3e150364b4d4 |
| SHA512 | a5e45e07e58dc3572cbc5d0ceafd19b3958197e95a20fae2b322066d7372fd3f608cbda4e832e690e9485a6db352f2dedacbdcd1bea9412fa871bbfb05f4fe6b |
C:\Windows\system\CrrygFG.exe
| MD5 | e0f258099dcc71eb5136723dc36b2abf |
| SHA1 | 06369204a4e29aa090f08d64ed6c999554293c3f |
| SHA256 | fc3ecae0284f85748e4163e8d74dc23b78b006a385dbce7949b1a3162c04a129 |
| SHA512 | e5e771b58d729c6c2e5be391c3472852275f9809b6a59989d03020b02587a111724b07f4267210e0379988c9bdeb785b25dc195f7e8ce97d17a6e677d81ad615 |
memory/2204-121-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/1260-120-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/2204-114-0x000000013FE40000-0x0000000140194000-memory.dmp
\Windows\system\rnTwbyT.exe
| MD5 | 586c9547493a88de16fd09ad19df758b |
| SHA1 | 8a50178682c692f204a45b7798c63d3f6375432b |
| SHA256 | 991f4d210c6e659974dd43deb7cc93077b9ed3c337c5951172529c0bae179e02 |
| SHA512 | 63d13596bcc59b486c85cd55cf9779d952b67ccbfc54495f389035c1d68fd043ac79c180dc1fc0d479811fe4e468b78c5250d0acdb5b23ce7e1ec600b69b0629 |
\Windows\system\XYAnkdc.exe
| MD5 | 7509e8458dee28959facd3025b7e9a36 |
| SHA1 | 0ade1f20a2a15d90be2344a0fc563c232f7bf9a3 |
| SHA256 | 589bb01ac8b80adfce55adb5008e41471875ed908ff3dc465d08b071ec680272 |
| SHA512 | 4efc0ecc1f03a9031114e57c2fff3197f636dd8af58c9408385f651e0691e450f983fa54e645bcd8a4e601188082edcea1507b380974bcb0aedf148ececd4c3d |
\Windows\system\CrrygFG.exe
| MD5 | 6e1397464b6535c076ff5842da3ba259 |
| SHA1 | f69694ee3d472eab413c8fd02d83b5e6fa530ca4 |
| SHA256 | 12e72caeb348f1251707dc8e4c011dd9ff4872f5b8edb3b121bf9d6ceeec7446 |
| SHA512 | 30e7724f40fda74d45e0024af63d98df69f986157c6032a71356f43c1e1da3b17531b8e5141dc88e6b44178097d95d20bf7f9538455845129403ffbdd774d2ed |
C:\Windows\system\eOFPJhy.exe
| MD5 | 3fa20eb13326e5b476732824f747b31b |
| SHA1 | 98ea1b2abdadbb701a3258939da50b143a8cb926 |
| SHA256 | 7bae0033d47c713d117eec1c07aaa3eef140980655b8b198aad0f7937d990c40 |
| SHA512 | 265d2eb7bf0bb377bd7293693493fb8f081308182c92a635f4d204eed49e589505d7a9b87ae90c0855bcd533a3ebb4453df291278fa55e4d677cbe694e435891 |
\Windows\system\eOFPJhy.exe
| MD5 | 61b53902a9909945443a2a0f4a6d9cf2 |
| SHA1 | adc0c4f5360b33f3051dcaedf7c015ca405ceecf |
| SHA256 | cd9a8e12dd28bcb3020aa95a65af46fe0042cccb3b1780b0320689db61f41a1a |
| SHA512 | 45b5fd41f6b600d12b903b3542ed04969ed84b7b0799282dbf6485993b44f1ae79b788a3804212916d29ab7c15e2255c8f3e1a30cf881e8918822c961a64d094 |
C:\Windows\system\OlfgOzD.exe
| MD5 | 7537d4d189041fd46ee405defda49424 |
| SHA1 | 1243d0acc37471891f237d7377837d138168df73 |
| SHA256 | 05bfdd05401037ad9de4dc7a8cefa0795c8811c0dc30acfa257f645f3b8f3815 |
| SHA512 | 11169b5bd736f6e65e96485ff89b6ba579467ee5521e8b0f09b4bdf057b5efb7e5e369968a036d34fa40a00817f6bbf8c7a0d65d6c79d4f6f151bad6a59fed1a |
memory/1388-84-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2204-83-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2652-82-0x000000013F630000-0x000000013F984000-memory.dmp
\Windows\system\LjFcsII.exe
| MD5 | 39dd9a091374393fe2ae20e4a576d4d3 |
| SHA1 | df178a0d49aacd3b53bbeece54f74f4ad3c2e318 |
| SHA256 | cfaa56d0571c6b53cbccc9dd9e332f731ef5be45ce586506379694d1043cff68 |
| SHA512 | acf6762062831b8a125aac91ae6f4062934e6764b4954e05e8bc0307cee6cb52a64413f14efe520f0827edaf22442bc47b59c351cc2b82224ae1bbc3b15404a4 |
memory/1244-74-0x000000013FE30000-0x0000000140184000-memory.dmp
C:\Windows\system\tXfPMfz.exe
| MD5 | 6590cf9a22e895f317992a11e6673733 |
| SHA1 | dabb0629eade282a86216956c93b81ff12ed079f |
| SHA256 | 74b7b03dacacedda881f7c189ce684981576529c8cbc55be5ff150930716f39d |
| SHA512 | af01b6a743c85790b49c611bcc0fee6de6dbf145277acff81efcae41230036a2a20bd597e1334f29e81dee66b4ef08096a3f19bc8e3d6d0e52470019e6e1a1db |
memory/2204-135-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2480-62-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2204-136-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2204-137-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/2204-138-0x000000013F420000-0x000000013F774000-memory.dmp
memory/3048-139-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2652-141-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2520-142-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2544-140-0x000000013F580000-0x000000013F8D4000-memory.dmp
memory/2656-144-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2288-145-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2912-143-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2412-146-0x000000013F6C0000-0x000000013FA14000-memory.dmp
memory/2480-147-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/1244-148-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/1920-149-0x000000013F530000-0x000000013F884000-memory.dmp
memory/1388-150-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/1260-152-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/1240-151-0x000000013FCD0000-0x0000000140024000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 21:01
Reported
2024-06-08 21:09
Platform
win10v2004-20240508-en
Max time kernel
138s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\cJlDuGO.exe | N/A |
| N/A | N/A | C:\Windows\System\YvjOPCb.exe | N/A |
| N/A | N/A | C:\Windows\System\CtSumnA.exe | N/A |
| N/A | N/A | C:\Windows\System\mrrlwWL.exe | N/A |
| N/A | N/A | C:\Windows\System\IbLYzHI.exe | N/A |
| N/A | N/A | C:\Windows\System\OmAZqrd.exe | N/A |
| N/A | N/A | C:\Windows\System\vAwDiPy.exe | N/A |
| N/A | N/A | C:\Windows\System\JcXrDgf.exe | N/A |
| N/A | N/A | C:\Windows\System\lpQScHo.exe | N/A |
| N/A | N/A | C:\Windows\System\hBaLbEZ.exe | N/A |
| N/A | N/A | C:\Windows\System\QjLnzau.exe | N/A |
| N/A | N/A | C:\Windows\System\LJBLYjz.exe | N/A |
| N/A | N/A | C:\Windows\System\VuvsiFx.exe | N/A |
| N/A | N/A | C:\Windows\System\HUKtPMU.exe | N/A |
| N/A | N/A | C:\Windows\System\KfbeqVh.exe | N/A |
| N/A | N/A | C:\Windows\System\TsFpKbu.exe | N/A |
| N/A | N/A | C:\Windows\System\bdQBGnq.exe | N/A |
| N/A | N/A | C:\Windows\System\ZLbZyrN.exe | N/A |
| N/A | N/A | C:\Windows\System\IGAAavt.exe | N/A |
| N/A | N/A | C:\Windows\System\yXBaYuY.exe | N/A |
| N/A | N/A | C:\Windows\System\uuwMBfM.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\cJlDuGO.exe
C:\Windows\System\cJlDuGO.exe
C:\Windows\System\YvjOPCb.exe
C:\Windows\System\YvjOPCb.exe
C:\Windows\System\CtSumnA.exe
C:\Windows\System\CtSumnA.exe
C:\Windows\System\mrrlwWL.exe
C:\Windows\System\mrrlwWL.exe
C:\Windows\System\IbLYzHI.exe
C:\Windows\System\IbLYzHI.exe
C:\Windows\System\OmAZqrd.exe
C:\Windows\System\OmAZqrd.exe
C:\Windows\System\vAwDiPy.exe
C:\Windows\System\vAwDiPy.exe
C:\Windows\System\JcXrDgf.exe
C:\Windows\System\JcXrDgf.exe
C:\Windows\System\lpQScHo.exe
C:\Windows\System\lpQScHo.exe
C:\Windows\System\hBaLbEZ.exe
C:\Windows\System\hBaLbEZ.exe
C:\Windows\System\QjLnzau.exe
C:\Windows\System\QjLnzau.exe
C:\Windows\System\LJBLYjz.exe
C:\Windows\System\LJBLYjz.exe
C:\Windows\System\VuvsiFx.exe
C:\Windows\System\VuvsiFx.exe
C:\Windows\System\HUKtPMU.exe
C:\Windows\System\HUKtPMU.exe
C:\Windows\System\KfbeqVh.exe
C:\Windows\System\KfbeqVh.exe
C:\Windows\System\bdQBGnq.exe
C:\Windows\System\bdQBGnq.exe
C:\Windows\System\TsFpKbu.exe
C:\Windows\System\TsFpKbu.exe
C:\Windows\System\ZLbZyrN.exe
C:\Windows\System\ZLbZyrN.exe
C:\Windows\System\IGAAavt.exe
C:\Windows\System\IGAAavt.exe
C:\Windows\System\yXBaYuY.exe
C:\Windows\System\yXBaYuY.exe
C:\Windows\System\uuwMBfM.exe
C:\Windows\System\uuwMBfM.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files