Analysis Overview
SHA256
3a8ba6ddbc11450d959a3f27a5813f7dd1529baea18a76f11188d85f41553e25
Threat Level: Known bad
The file 2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobalt Strike reflective loader
Xmrig family
xmrig
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobaltstrike family
Detects Reflective DLL injection artifacts
XMRig Miner payload
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-09 02:58
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 02:58
Reported
2024-06-09 03:01
Platform
win7-20240508-en
Max time kernel
134s
Max time network
147s
Command Line
Signatures
xmrig
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\THxTOpC.exe | N/A |
| N/A | N/A | C:\Windows\System\KMcaJFM.exe | N/A |
| N/A | N/A | C:\Windows\System\RPdlwsG.exe | N/A |
| N/A | N/A | C:\Windows\System\hDHvdiL.exe | N/A |
| N/A | N/A | C:\Windows\System\rbPQtOl.exe | N/A |
| N/A | N/A | C:\Windows\System\duwrwxj.exe | N/A |
| N/A | N/A | C:\Windows\System\krYcvAR.exe | N/A |
| N/A | N/A | C:\Windows\System\xruDmfP.exe | N/A |
| N/A | N/A | C:\Windows\System\gjQmkmK.exe | N/A |
| N/A | N/A | C:\Windows\System\lsXjILy.exe | N/A |
| N/A | N/A | C:\Windows\System\Cpkiggi.exe | N/A |
| N/A | N/A | C:\Windows\System\lTXvxSr.exe | N/A |
| N/A | N/A | C:\Windows\System\UELpAPs.exe | N/A |
| N/A | N/A | C:\Windows\System\ceAwzsZ.exe | N/A |
| N/A | N/A | C:\Windows\System\SDBIdkk.exe | N/A |
| N/A | N/A | C:\Windows\System\tMcUdVL.exe | N/A |
| N/A | N/A | C:\Windows\System\evObAsa.exe | N/A |
| N/A | N/A | C:\Windows\System\DZwfCfW.exe | N/A |
| N/A | N/A | C:\Windows\System\QfzWkyQ.exe | N/A |
| N/A | N/A | C:\Windows\System\BjJqzVl.exe | N/A |
| N/A | N/A | C:\Windows\System\cxxGbPe.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\THxTOpC.exe
C:\Windows\System\THxTOpC.exe
C:\Windows\System\KMcaJFM.exe
C:\Windows\System\KMcaJFM.exe
C:\Windows\System\RPdlwsG.exe
C:\Windows\System\RPdlwsG.exe
C:\Windows\System\hDHvdiL.exe
C:\Windows\System\hDHvdiL.exe
C:\Windows\System\rbPQtOl.exe
C:\Windows\System\rbPQtOl.exe
C:\Windows\System\duwrwxj.exe
C:\Windows\System\duwrwxj.exe
C:\Windows\System\krYcvAR.exe
C:\Windows\System\krYcvAR.exe
C:\Windows\System\xruDmfP.exe
C:\Windows\System\xruDmfP.exe
C:\Windows\System\gjQmkmK.exe
C:\Windows\System\gjQmkmK.exe
C:\Windows\System\lsXjILy.exe
C:\Windows\System\lsXjILy.exe
C:\Windows\System\Cpkiggi.exe
C:\Windows\System\Cpkiggi.exe
C:\Windows\System\lTXvxSr.exe
C:\Windows\System\lTXvxSr.exe
C:\Windows\System\tMcUdVL.exe
C:\Windows\System\tMcUdVL.exe
C:\Windows\System\UELpAPs.exe
C:\Windows\System\UELpAPs.exe
C:\Windows\System\evObAsa.exe
C:\Windows\System\evObAsa.exe
C:\Windows\System\ceAwzsZ.exe
C:\Windows\System\ceAwzsZ.exe
C:\Windows\System\DZwfCfW.exe
C:\Windows\System\DZwfCfW.exe
C:\Windows\System\SDBIdkk.exe
C:\Windows\System\SDBIdkk.exe
C:\Windows\System\QfzWkyQ.exe
C:\Windows\System\QfzWkyQ.exe
C:\Windows\System\cxxGbPe.exe
C:\Windows\System\cxxGbPe.exe
C:\Windows\System\BjJqzVl.exe
C:\Windows\System\BjJqzVl.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/1944-0-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/1944-1-0x00000000001F0000-0x0000000000200000-memory.dmp
memory/1944-21-0x00000000023E0000-0x0000000002734000-memory.dmp
C:\Windows\system\hDHvdiL.exe
| MD5 | 7ca4c7d08ec840a69d3101c638d4b72f |
| SHA1 | 9a0bd3c709f755b63121fadc936f446aec1e7ee6 |
| SHA256 | ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7 |
| SHA512 | 93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b |
C:\Windows\system\xruDmfP.exe
| MD5 | 711965c0ed770375b388ea9b5ea57c70 |
| SHA1 | 21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2 |
| SHA256 | c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666 |
| SHA512 | 1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428 |
memory/2728-48-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/1944-54-0x00000000023E0000-0x0000000002734000-memory.dmp
memory/1944-58-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/3052-59-0x000000013FE10000-0x0000000140164000-memory.dmp
\Windows\system\Cpkiggi.exe
| MD5 | fbb6a602f644dbf57142122f30692c9a |
| SHA1 | 8158aaa7168744874ea387599d6d2cead21e28a3 |
| SHA256 | 3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d |
| SHA512 | 594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe |
memory/1928-125-0x000000013FAD0000-0x000000013FE24000-memory.dmp
C:\Windows\system\tMcUdVL.exe
| MD5 | ca2c8fc23ac2c4dd58545d16927e5bef |
| SHA1 | b94b35150eb75787af3ce6aea401e04f2ec70fc4 |
| SHA256 | 51b2f421412d1c153d42b830056e97b87fc530680dc92b4e38ffc670147a2fef |
| SHA512 | 1d2438ad0849ebaa3adb73c2fd279bcc7d191070217788022edef321689dfafee2b67a7644710d778788f25a062e16a16f37020f5aabaf59a89fd5b4e304a9ce |
memory/1944-126-0x00000000023E0000-0x0000000002734000-memory.dmp
memory/2712-127-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2832-128-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/1944-129-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/1944-130-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
\Windows\system\QfzWkyQ.exe
| MD5 | 8003c8ca1c6255c4a9df50b61d369786 |
| SHA1 | ef521c59d5519424152618453d9a1ec413a267cf |
| SHA256 | caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8 |
| SHA512 | 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795 |
\Windows\system\DZwfCfW.exe
| MD5 | ce95ecfd82cad989d07f01bb5a4e0e62 |
| SHA1 | 9c404e62c6a147d88e2c4214a4a0c1206972e9c1 |
| SHA256 | 593e7bd118d819d8e39ef2651ab132601260307c705634ada0a2db317b292576 |
| SHA512 | c2ff795a22229b7c15805b1e961a5dfe271dec3d9731c58be06511c88be95cff0caaac2a29a6db9c14604bb11c8d799f874a0f83a490e055a4995d26515db084 |
memory/2988-81-0x000000013F410000-0x000000013F764000-memory.dmp
\Windows\system\tMcUdVL.exe
| MD5 | 93bacfc3d845f374627b012c3a61a1e5 |
| SHA1 | f08219d5f19196fbc7a3a1e7ffbfb44e344c21ae |
| SHA256 | 4fd1d5231f529c0710d6a6cd40036ebe10563700b5f25c50aacacf0ccbeb0b9d |
| SHA512 | 63e909e0f694f7072b09c22815e6279a7448ff3ee9b219e1f03fa23b70411a9de5cd54205f2b9fac218aee1fe5bb1761b1d6308bcade318f7b85c7b720112b83 |
\Windows\system\lsXjILy.exe
| MD5 | 170dd624fc04fc3839f9c4b66a089ce7 |
| SHA1 | 689050489367e9d7989856de58d7dae4b3e867bb |
| SHA256 | 2882c9c886d8464419d873a9064b43411cb65ebce3e3928914a03cf014d51b3b |
| SHA512 | 6c2577b1133dc0e707ddd0582933138a814bc91876e45b902c1ce646d61afa9efa2788e7db3f897838eebb25c1faa4d564ec0bef69844aab72cc22ec6531ab9a |
memory/1944-64-0x000000013F130000-0x000000013F484000-memory.dmp
memory/3008-63-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/1944-62-0x00000000023E0000-0x0000000002734000-memory.dmp
memory/1944-61-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2496-60-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2720-56-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/1260-50-0x000000013FE30000-0x0000000140184000-memory.dmp
\Windows\system\xruDmfP.exe
| MD5 | 0b1dc771469fa6753e7aace834956918 |
| SHA1 | ab392eb1cb5fc16a55a2c41b7c5a6d56cfdeced7 |
| SHA256 | 60a5948084400707991c40b4413636168d0f0501efbc67fab461d4937de55fb6 |
| SHA512 | 6ff29d03eaaae06a15e3efe1ea402940d3f7a6e2ebae2266481a1a80576dd91702b1cbddedd5f74c67cdfdf217582f180323fa66c29c2525747039f60c34ba60 |
memory/2796-36-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2236-26-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/1944-19-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2084-13-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/1944-10-0x00000000023E0000-0x0000000002734000-memory.dmp
memory/1944-131-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2988-132-0x000000013F410000-0x000000013F764000-memory.dmp
memory/2084-133-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2236-134-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/2796-135-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2728-136-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/3008-139-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/3052-140-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2496-141-0x000000013F130000-0x000000013F484000-memory.dmp
memory/1260-138-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2720-137-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2988-142-0x000000013F410000-0x000000013F764000-memory.dmp
memory/1928-143-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/2712-144-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2832-145-0x000000013FC40000-0x000000013FF94000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 02:58
Reported
2024-06-09 03:01
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\NmBIdnR.exe | N/A |
| N/A | N/A | C:\Windows\System\VupaEva.exe | N/A |
| N/A | N/A | C:\Windows\System\HgTbNPs.exe | N/A |
| N/A | N/A | C:\Windows\System\ZvzSnWo.exe | N/A |
| N/A | N/A | C:\Windows\System\QTnQMiK.exe | N/A |
| N/A | N/A | C:\Windows\System\DRVaCHn.exe | N/A |
| N/A | N/A | C:\Windows\System\QdePLcH.exe | N/A |
| N/A | N/A | C:\Windows\System\cOYIYuG.exe | N/A |
| N/A | N/A | C:\Windows\System\LUXLsSY.exe | N/A |
| N/A | N/A | C:\Windows\System\FixSpDs.exe | N/A |
| N/A | N/A | C:\Windows\System\CJYtGys.exe | N/A |
| N/A | N/A | C:\Windows\System\lbfOdJS.exe | N/A |
| N/A | N/A | C:\Windows\System\gvvxhKn.exe | N/A |
| N/A | N/A | C:\Windows\System\gqsgCPO.exe | N/A |
| N/A | N/A | C:\Windows\System\PlzfoEH.exe | N/A |
| N/A | N/A | C:\Windows\System\Kbgodhb.exe | N/A |
| N/A | N/A | C:\Windows\System\eXdNDoL.exe | N/A |
| N/A | N/A | C:\Windows\System\YLzINuQ.exe | N/A |
| N/A | N/A | C:\Windows\System\uYGxDMa.exe | N/A |
| N/A | N/A | C:\Windows\System\yciyiWc.exe | N/A |
| N/A | N/A | C:\Windows\System\mwtwszv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\NmBIdnR.exe
C:\Windows\System\NmBIdnR.exe
C:\Windows\System\VupaEva.exe
C:\Windows\System\VupaEva.exe
C:\Windows\System\HgTbNPs.exe
C:\Windows\System\HgTbNPs.exe
C:\Windows\System\ZvzSnWo.exe
C:\Windows\System\ZvzSnWo.exe
C:\Windows\System\DRVaCHn.exe
C:\Windows\System\DRVaCHn.exe
C:\Windows\System\QTnQMiK.exe
C:\Windows\System\QTnQMiK.exe
C:\Windows\System\QdePLcH.exe
C:\Windows\System\QdePLcH.exe
C:\Windows\System\LUXLsSY.exe
C:\Windows\System\LUXLsSY.exe
C:\Windows\System\cOYIYuG.exe
C:\Windows\System\cOYIYuG.exe
C:\Windows\System\FixSpDs.exe
C:\Windows\System\FixSpDs.exe
C:\Windows\System\CJYtGys.exe
C:\Windows\System\CJYtGys.exe
C:\Windows\System\lbfOdJS.exe
C:\Windows\System\lbfOdJS.exe
C:\Windows\System\gvvxhKn.exe
C:\Windows\System\gvvxhKn.exe
C:\Windows\System\PlzfoEH.exe
C:\Windows\System\PlzfoEH.exe
C:\Windows\System\gqsgCPO.exe
C:\Windows\System\gqsgCPO.exe
C:\Windows\System\Kbgodhb.exe
C:\Windows\System\Kbgodhb.exe
C:\Windows\System\eXdNDoL.exe
C:\Windows\System\eXdNDoL.exe
C:\Windows\System\YLzINuQ.exe
C:\Windows\System\YLzINuQ.exe
C:\Windows\System\uYGxDMa.exe
C:\Windows\System\uYGxDMa.exe
C:\Windows\System\yciyiWc.exe
C:\Windows\System\yciyiWc.exe
C:\Windows\System\mwtwszv.exe
C:\Windows\System\mwtwszv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
Files
memory/4512-0-0x00007FF61CD30000-0x00007FF61D084000-memory.dmp
memory/4512-1-0x000001F166F30000-0x000001F166F40000-memory.dmp
memory/3576-8-0x00007FF7422C0000-0x00007FF742614000-memory.dmp
C:\Windows\System\VupaEva.exe
| MD5 | aa6f0198422c7a19fe25df62876b8d35 |
| SHA1 | 4b33c442156e704c479f271186fe7f3b650477d2 |
| SHA256 | 115ca2322798a7e2eaef5f6b25ab02cf2fb962b641c449610d7a5b14cb377d26 |
| SHA512 | 0cf3d9a9bfda25448b260c5c0d6b9e25b0a44aa808e632e39768bac0bb40409e8812e855e7d56f3075e7b427eb62a3ea25c83992069198a16e42a0041f379e31 |
C:\Windows\System\NmBIdnR.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
C:\Windows\System\HgTbNPs.exe
| MD5 | 12abbaa263f00f0106257ac4b60d57ce |
| SHA1 | 1d3bdf80fe8e8ebb84ee859a49d9d621fd59d440 |
| SHA256 | 0b7b3044cd28e07a04ce7803eafa1e53777f37ce9dde99b6224b77d4b706c0d9 |
| SHA512 | fc1c11614c35a2870b7f1c2ad74fe7e0d310d3a5f9242d66534117f43e3f78bb9659102c89d7c5b9250611067000d772a20e2ebb27a5f82c635680cbf5f1e2df |
memory/116-19-0x00007FF705C80000-0x00007FF705FD4000-memory.dmp
C:\Windows\System\ZvzSnWo.exe
| MD5 | d35178cabc640615654c6f7ad9c405b0 |
| SHA1 | cc1daa32418a0851d378deb62798f537115276d1 |
| SHA256 | 7210eed7b373a2ff61061a597ff2cf824f2ffab974d0b322a22aff289773ae6b |
| SHA512 | f10a5de5f14ece9006e399ae07700396b4e8223720dd72890a15331eae1814c16122fc17ad34536a3003c005dcac5889c522ae7ae35d9ee06e9964a0803c7ff6 |
C:\Windows\System\QTnQMiK.exe
| MD5 | 39ab8a376aba8a9fa379fe4dd2b36679 |
| SHA1 | b57fa2e9c621f45aabcaf6527a16212bfef8cc97 |
| SHA256 | 14d3e453a8141e6eba8129d180bbd9550ce42354678381a1c96b8a4817973499 |
| SHA512 | 2b6af04ef892466041da770141951aebb0dd43da12f0975a5e46c8cf78ea85a033335d2374b310eb02e83652fa51723ccf1a3e1af758171ff6142dd13401e926 |
C:\Windows\System\DRVaCHn.exe
| MD5 | 0a25687d30d23ec24000803905b5fb77 |
| SHA1 | e707caaee01c897617b2f1294df28b9d4577dfcf |
| SHA256 | def554a0e3ae16527aa73abb5aa1b18c55197332438edc7eb886dc31a24ddce5 |
| SHA512 | ce4180011ff56b33b35f005e4c530101ea9ec5637594a0011a951ec739780dc98fe75b5203c85be1cb045fedb561217a77a52ef7ae8cfb7e9efb59317d7ae439 |
C:\Windows\System\QdePLcH.exe
| MD5 | da49f1b1f2b96b49705866203751f59f |
| SHA1 | 1fb490e694febd4abb5609eba7058906c7c62fc1 |
| SHA256 | db17ce16538e3104d76c2865f6043929089867615332842fb4539363fa1e158f |
| SHA512 | 64230d121060a4ecf7e8546c8f3f841eea180c2377add458625a54155c0dd3d899c021538950ea3047fd426aed50dfc97cdf1f7e2bcab143f2777fd079bf8bf0 |
memory/2860-47-0x00007FF60C820000-0x00007FF60CB74000-memory.dmp
C:\Windows\System\LUXLsSY.exe
| MD5 | e9d236934eeb7485d5aef6ede7d8b090 |
| SHA1 | f844b2db6f02c06013a9fd8ab8ff059c14f90c0b |
| SHA256 | dc6ad74e50e840a6e3827483a5e282aa608e96a0692e3f4723661f0e31d716d1 |
| SHA512 | 408085b25718b8f500d2fbe168d90adaf53c5a6fdc8c0cd34b5d0b3c35587c86d59de32e1b39161b454f4efda14d3c4721507abbe4500fdb29b8b9669f85c6c0 |
C:\Windows\System\lbfOdJS.exe
| MD5 | f6cdfb3d88537b367792cbd894bd98ed |
| SHA1 | 3d3f99c94c72c456dffcf949bc5d30603a7e936c |
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
| SHA512 | 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3 |
C:\Windows\System\CJYtGys.exe
| MD5 | ab6dcca99ea698d52e203ca3e14bebc3 |
| SHA1 | a8cd7cd95ca94ec721107784f887b67ed8c55199 |
| SHA256 | 54b0af043f811f85c33e2c4351c023ed730e5e312641c47d65df499a619b9e49 |
| SHA512 | af185aba403e67005f849ecbd1524a7931368aa95c514a49a562b6824e7cf306c5d5fb15e1b9bd5ef18ae5a122b22593f8bf09b9cd61f0718ca57f2e0812006f |
C:\Windows\System\gvvxhKn.exe
| MD5 | 38e1b7b0b9aa649f5c14f03127a6d132 |
| SHA1 | 3917ca36707cd2c4dba6b6926d34a14a7bb117b1 |
| SHA256 | ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72 |
| SHA512 | 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0 |
C:\Windows\System\PlzfoEH.exe
| MD5 | 6fb6863d9548f3879b1ba1b64fc45a68 |
| SHA1 | 0dc40616de903c417cc9a8b581f9078af09ea60a |
| SHA256 | b26b72ca0ef6d18aef032253470a78a13f48dcd486b2eb6e1570c96324293e82 |
| SHA512 | cf09c13915872b96dcf1f62eac8174c1c1dfa4aabd64fb9272008df1f24e451a988f1edb48cb6ca8b7ef84d58508cf13cc3d0e709b84acf2687dd5617c6c3a61 |
C:\Windows\System\PlzfoEH.exe
| MD5 | 1e2459942327eb396bd8cd9cbc885d14 |
| SHA1 | b979cbcb517509c30843efb1d91bef30f1f24a44 |
| SHA256 | 54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a |
| SHA512 | 62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7 |
C:\Windows\System\gqsgCPO.exe
| MD5 | 1d51a6f9f8f706d40a78f27cac287065 |
| SHA1 | 981c2096ede4558d1ebc91ef5d6ea849a5e05a26 |
| SHA256 | 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1 |
| SHA512 | f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97 |
C:\Windows\System\lbfOdJS.exe
| MD5 | 30e1295d464805afc949314110e4cc20 |
| SHA1 | fcfb1be1b25fa213ae6134eb487884ae6916fce8 |
| SHA256 | 0e740e202eee26e0458d4b70c0851cf34c1d85dd6ac5c1c8ca31949b4a710be0 |
| SHA512 | 1a707278af616e434c71c679869e8bca239e90d314514e9b206e987d846d5fac09c8e3b83383b770398f7b579407a224f719e89ad5adb8ff2bba6f8bdc173323 |
memory/3776-75-0x00007FF77FA60000-0x00007FF77FDB4000-memory.dmp
memory/4512-74-0x00007FF61CD30000-0x00007FF61D084000-memory.dmp
C:\Windows\System\gvvxhKn.exe
| MD5 | 8a74009f7dd9c036cc12b3f189bd9ac6 |
| SHA1 | e53d33c260bb77d6ec7f4c05d6b7a52ccd5f9de0 |
| SHA256 | b349cfcd57c9962c2310b863621992c24963856bb8765a72596762e3d22c0932 |
| SHA512 | 6b058797ebf39246aeec4041256bec3900d2fe258c40c7a628ad2f0a7c71cd84516d0e4598c1b869d273f2d776086698842e42f21ab1a8adea547d9c55a56876 |
memory/2204-73-0x00007FF78CC80000-0x00007FF78CFD4000-memory.dmp
memory/3372-71-0x00007FF6DBA40000-0x00007FF6DBD94000-memory.dmp
memory/3356-59-0x00007FF792730000-0x00007FF792A84000-memory.dmp
C:\Windows\System\FixSpDs.exe
| MD5 | 244978123d3f930dccec1edc78468a31 |
| SHA1 | 3889d55f33b4e323440153ffaf2ef67669da6f39 |
| SHA256 | c8c50148a597c8b3f81e7ff012a10df2b087158cf522a39a4b5fb4bd5f0f59bf |
| SHA512 | 19e55714bda6020360e25bac1a0bef703253c3e157f4a385620ad6447703f49edab71172f6516c4378accc374fa6abca94f1bf6d2815dbe5525abafc9e3673ef |
memory/2144-55-0x00007FF662940000-0x00007FF662C94000-memory.dmp
C:\Windows\System\LUXLsSY.exe
| MD5 | d087d60bee972482ba414dde57d94064 |
| SHA1 | 0e58102d75409e85387c950e86f4cc96da371515 |
| SHA256 | 1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9 |
| SHA512 | 500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b |
memory/1848-52-0x00007FF6219F0000-0x00007FF621D44000-memory.dmp
memory/1772-46-0x00007FF634250000-0x00007FF6345A4000-memory.dmp
C:\Windows\System\cOYIYuG.exe
| MD5 | 4732b5f966db453f7d82262f3c83ef1a |
| SHA1 | cedc9d8adafdf1c92e253a78e485591e44383c22 |
| SHA256 | 994befea2f561fbbe7273c826bab5449e91e04b47821fa7a7c6a7d89f32a6364 |
| SHA512 | 1b76f1fba027844200a6d4ef85b505cf4609ced29dd4bbe4805d98720cf9305b85429e53ef708b42ff875bec87dc9ced9ddeea2fd56536b491509784044e79c5 |
C:\Windows\System\QdePLcH.exe
| MD5 | ec131343b8baf3ec5af94b115752bd91 |
| SHA1 | 07894e7267080dab74460e17ad7156af3d60bc64 |
| SHA256 | ab2d0996b63b514506741259e21d48f43377a610a9ba10d5402a6770421dc606 |
| SHA512 | 2beaa28e6c5708ceffa373a33e0fb57b48443c2a9bf3fac6019fa5c59d36bb9795933cb27515ba002252a42541f24442768c93fb3558fb118a530e6eacaefea7 |
memory/3800-41-0x00007FF664DB0000-0x00007FF665104000-memory.dmp
memory/1184-27-0x00007FF6FA290000-0x00007FF6FA5E4000-memory.dmp
memory/1680-14-0x00007FF766AC0000-0x00007FF766E14000-memory.dmp
C:\Windows\System\NmBIdnR.exe
| MD5 | 615dca6e6f3a0a960d07d9964283148c |
| SHA1 | 8560055a0fe16d466dd76d59d43f93377b35d8c5 |
| SHA256 | cacbcc401a79ceda645b72339c2c650840414ada1682ff26ab4a4a56b4a4e4ef |
| SHA512 | 87003865bca269dfcb87512ea93da88691db24f60f04ad1e90d3c71e156da0fbfba5604ca32a3b10f97222a488806018e0562a9f1780094dbf4015a262fa3b27 |
memory/2584-91-0x00007FF7F0BE0000-0x00007FF7F0F34000-memory.dmp
memory/2724-92-0x00007FF712440000-0x00007FF712794000-memory.dmp
memory/1184-110-0x00007FF6FA290000-0x00007FF6FA5E4000-memory.dmp
C:\Windows\System\eXdNDoL.exe
| MD5 | 0b1dc771469fa6753e7aace834956918 |
| SHA1 | ab392eb1cb5fc16a55a2c41b7c5a6d56cfdeced7 |
| SHA256 | 60a5948084400707991c40b4413636168d0f0501efbc67fab461d4937de55fb6 |
| SHA512 | 6ff29d03eaaae06a15e3efe1ea402940d3f7a6e2ebae2266481a1a80576dd91702b1cbddedd5f74c67cdfdf217582f180323fa66c29c2525747039f60c34ba60 |
C:\Windows\System\mwtwszv.exe
| MD5 | 8003c8ca1c6255c4a9df50b61d369786 |
| SHA1 | ef521c59d5519424152618453d9a1ec413a267cf |
| SHA256 | caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8 |
| SHA512 | 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795 |
C:\Windows\System\uYGxDMa.exe
| MD5 | 0003cb25d8e5fcf51d1ea8407b9410fc |
| SHA1 | fc0940ac8a56e45a19f31c325aba00f814dae439 |
| SHA256 | f5fa7230c7358dee6dd18f92cbc76b430b9f4ae3743c5a87ae43ab57b0f17dc2 |
| SHA512 | 3e0a7f0919968a398f15d36d7bf5f20d80e4d21e13f2a12bc61387d700f7223beda84fce19bb9725494efe691fdd480b4475f6cce34df5d279cf37a6a2663e87 |
C:\Windows\System\mwtwszv.exe
| MD5 | 520306f0af217a723b94881629ed2c1f |
| SHA1 | edfebe61571cd3958f1312a9985e7616d97f5058 |
| SHA256 | 753b1655c90b67a0e9ef8ac7f9ad5137a5f68ca7523e64de621b55f82736ad40 |
| SHA512 | 9ac6a96dd03c1ec975477a89483a2d662a3a654c6c49304a4eef6675c320419be317a4ea86000c6b38c10beb98f86f51309fa6427a10328bb6e8081fbc42222e |
C:\Windows\System\YLzINuQ.exe
| MD5 | e8c4508a392ccf08590d3627a36cc3c3 |
| SHA1 | 3a57dd6c92ebc54582acaafd15cc9311eb0d15a2 |
| SHA256 | cea51cc96156d8e8255e2ccada29ae7300a3315f995e7ba6d44446f87dc9a09d |
| SHA512 | f92387e78f5fe98543d9e60ae371868a188c86c9137b7d0a0d3bf28026dbd3fc59a4eb30687c1a9721f81959fcdee80d280162f492d355d2ec0e6a7c5d939410 |
C:\Windows\System\uYGxDMa.exe
| MD5 | fbb6a602f644dbf57142122f30692c9a |
| SHA1 | 8158aaa7168744874ea387599d6d2cead21e28a3 |
| SHA256 | 3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d |
| SHA512 | 594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe |
C:\Windows\System\YLzINuQ.exe
| MD5 | 711965c0ed770375b388ea9b5ea57c70 |
| SHA1 | 21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2 |
| SHA256 | c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666 |
| SHA512 | 1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428 |
C:\Windows\System\Kbgodhb.exe
| MD5 | 0628374c349921c969043e8b725a574d |
| SHA1 | d4d4b61d7abb11c25e423140f9a833a035819e3d |
| SHA256 | 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0 |
| SHA512 | 2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1 |