Analysis Overview
SHA256
533968da5f70b15825c3d38ac86568d335d754e3ebdfc6d22b3fdc90f72b8416
Threat Level: Known bad
The file 2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Xmrig family
XMRig Miner payload
Cobaltstrike
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
xmrig
Cobaltstrike family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-09 03:02
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
(Static matches only: each signature fired once, with indicator, process and target all reported as N/A.)
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 03:02
Reported
2024-06-09 03:05
Platform
win7-20240221-en
Max time kernel
137s
Max time network
147s
Signatures
Cobalt Strike reflective loader
21 hits; indicator, process and target all reported as N/A.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; indicator, process and target all reported as N/A.
UPX dump on OEP (original entry point)
51 hits; indicator, process and target all reported as N/A.
XMRig Miner payload
54 hits; indicator, process and target all reported as N/A.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ugANaHi.exe | N/A |
| N/A | N/A | C:\Windows\System\WoERXDB.exe | N/A |
| N/A | N/A | C:\Windows\System\nVvBHhw.exe | N/A |
| N/A | N/A | C:\Windows\System\ekPhrzR.exe | N/A |
| N/A | N/A | C:\Windows\System\SVYoKgI.exe | N/A |
| N/A | N/A | C:\Windows\System\rViuXVP.exe | N/A |
| N/A | N/A | C:\Windows\System\XFpUjoo.exe | N/A |
| N/A | N/A | C:\Windows\System\IeTnUhP.exe | N/A |
| N/A | N/A | C:\Windows\System\YixCYSX.exe | N/A |
| N/A | N/A | C:\Windows\System\GBlFSuj.exe | N/A |
| N/A | N/A | C:\Windows\System\thuGTyu.exe | N/A |
| N/A | N/A | C:\Windows\System\qIJzTLK.exe | N/A |
| N/A | N/A | C:\Windows\System\eksiifC.exe | N/A |
| N/A | N/A | C:\Windows\System\FmmJDvD.exe | N/A |
| N/A | N/A | C:\Windows\System\QRhrYfZ.exe | N/A |
| N/A | N/A | C:\Windows\System\GuVABwR.exe | N/A |
| N/A | N/A | C:\Windows\System\fUIXESd.exe | N/A |
| N/A | N/A | C:\Windows\System\EETtwrN.exe | N/A |
| N/A | N/A | C:\Windows\System\FSYHUpz.exe | N/A |
| N/A | N/A | C:\Windows\System\isdfGms.exe | N/A |
| N/A | N/A | C:\Windows\System\uGBaVkU.exe | N/A |
Loads dropped DLL
UPX packed file
51 hits; indicator, process and target all reported as N/A.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe | N/A |
SeLockMemoryPrivilege ("Lock pages in memory") is the privilege XMRig enables so it can back its RandomX dataset with large pages. Outside of database engines almost nothing asks for it, so an unsigned binary in %TEMP% adjusting its token for this privilege corroborates the XMRig Miner payload match above on its own.
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\ugANaHi.exe | C:\Windows\System\ugANaHi.exe |
| C:\Windows\System\WoERXDB.exe | C:\Windows\System\WoERXDB.exe |
| C:\Windows\System\nVvBHhw.exe | C:\Windows\System\nVvBHhw.exe |
| C:\Windows\System\ekPhrzR.exe | C:\Windows\System\ekPhrzR.exe |
| C:\Windows\System\SVYoKgI.exe | C:\Windows\System\SVYoKgI.exe |
| C:\Windows\System\rViuXVP.exe | C:\Windows\System\rViuXVP.exe |
| C:\Windows\System\XFpUjoo.exe | C:\Windows\System\XFpUjoo.exe |
| C:\Windows\System\IeTnUhP.exe | C:\Windows\System\IeTnUhP.exe |
| C:\Windows\System\YixCYSX.exe | C:\Windows\System\YixCYSX.exe |
| C:\Windows\System\GBlFSuj.exe | C:\Windows\System\GBlFSuj.exe |
| C:\Windows\System\thuGTyu.exe | C:\Windows\System\thuGTyu.exe |
| C:\Windows\System\qIJzTLK.exe | C:\Windows\System\qIJzTLK.exe |
| C:\Windows\System\eksiifC.exe | C:\Windows\System\eksiifC.exe |
| C:\Windows\System\FmmJDvD.exe | C:\Windows\System\FmmJDvD.exe |
| C:\Windows\System\QRhrYfZ.exe | C:\Windows\System\QRhrYfZ.exe |
| C:\Windows\System\GuVABwR.exe | C:\Windows\System\GuVABwR.exe |
| C:\Windows\System\fUIXESd.exe | C:\Windows\System\fUIXESd.exe |
| C:\Windows\System\EETtwrN.exe | C:\Windows\System\EETtwrN.exe |
| C:\Windows\System\FSYHUpz.exe | C:\Windows\System\FSYHUpz.exe |
| C:\Windows\System\isdfGms.exe | C:\Windows\System\isdfGms.exe |
| C:\Windows\System\uGBaVkU.exe | C:\Windows\System\uGBaVkU.exe |
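The parts of this report worth turning into hunting logic are the 7-letter random-name executables dropped into C:\Windows\System (a legacy directory that should never spawn new binaries), the SeLockMemoryPrivilege adjustment by the sample, and the repeated connection to 3.120.209.58:8080. The Python below is an added example and not part of the sandbox output: its event records are constructed in a Sysmon-like shape to mirror what the report shows, the hash set copies four SHA256 values from this page, and the sqlservr.exe allowlist entry is an assumption to be adjusted per environment.

```python
"""Hunting helpers built from the indicators on this page. Sample events are
constructed for illustration and are not sandbox output."""
import re
from dataclasses import dataclass

# Indicators copied from the report: submitted sample plus three dropped files.
REPORT_SHA256 = {
    "533968da5f70b15825c3d38ac86568d335d754e3ebdfc6d22b3fdc90f72b8416",  # submitted sample
    "7f95f0c022e61f17338e9d9e7666beb12393caadda05941c2918c1c05a78562f",  # ugANaHi.exe
    "7e18e3672d0290ed387d1e8d4c84a4384d9cad7f92e81cb2b0b84d12c887059a",  # WoERXDB.exe
    "e50f3e6c8cb686460a57dbc94f8a2f729b6b5acbb6e063cfdfc615c63c9624cd",  # xIUttia.exe
}
C2_ENDPOINTS = {("3.120.209.58", 8080)}

# C:\Windows\System is the legacy 16-bit directory; nothing there should be
# spawning 7-letter mixed-case executables. The class is case-sensitive on
# purpose: a hit means the letters were arbitrary, not a product name.
DROPPED_EXE = re.compile(r"^[A-Za-z]:\\Windows\\System\\[A-Za-z]{7}\.exe$")

# Processes that legitimately hold SeLockMemoryPrivilege ("Lock pages in
# memory"). Assumption: extend this for your own environment.
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe"}


@dataclass
class Event:
    kind: str            # "process", "network" or "token"
    image: str           # full path of the acting process
    sha256: str = ""     # process-creation events only
    dest_ip: str = ""    # network events only
    dest_port: int = 0
    privilege: str = ""  # token-adjustment events only


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def check(ev: Event) -> list[str]:
    """Return the rule names a single event trips (empty list means clean)."""
    hits: list[str] = []
    if ev.kind == "process":
        if DROPPED_EXE.match(ev.image):
            hits.append("dropped-random-exe-in-windows-system")
        if ev.sha256.lower() in REPORT_SHA256:
            hits.append("known-hash")
    elif ev.kind == "network":
        if (ev.dest_ip, ev.dest_port) in C2_ENDPOINTS:
            hits.append("known-c2-endpoint")
    elif ev.kind == "token":
        if (ev.privilege == "SeLockMemoryPrivilege"
                and basename(ev.image).lower() not in LOCK_MEMORY_ALLOWLIST):
            hits.append("selockmemory-outside-allowlist")
    return hits


def scan(events: list[Event]) -> dict[str, list[str]]:
    """Map each offending image to the de-duplicated list of rules it tripped."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for rule in check(ev):
            rules = findings.setdefault(ev.image, [])
            if rule not in rules:
                rules.append(rule)
    return findings


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe")

# Constructed events: the first four mirror the report; the last two are
# benign controls that must not fire.
CONSTRUCTED_EVENTS = [
    Event("process", SAMPLE,
          sha256="533968da5f70b15825c3d38ac86568d335d754e3ebdfc6d22b3fdc90f72b8416"),
    Event("process", r"C:\Windows\System\ugANaHi.exe",
          sha256="7f95f0c022e61f17338e9d9e7666beb12393caadda05941c2918c1c05a78562f"),
    Event("network", SAMPLE, dest_ip="3.120.209.58", dest_port=8080),
    Event("token", SAMPLE, privilege="SeLockMemoryPrivilege"),
    Event("token", r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
          privilege="SeLockMemoryPrivilege"),
    Event("process", r"C:\Windows\System32\svchost.exe", sha256="0" * 64),
]

if __name__ == "__main__":
    for image, rules in scan(CONSTRUCTED_EVENTS).items():
        print(f"{image}\n    {', '.join(rules)}")
```

The hash and endpoint rules are the brittle ones (a re-packed build or a new server defeats both); the directory-plus-name rule and the SeLockMemoryPrivilege rule survive that and are the ones worth keeping in a detection set.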
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
(The same endpoint was contacted six times; no domain is associated with it in the report.)
Files
memory/2056-0-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2056-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\ugANaHi.exe
| MD5 | 5231ecf85e4883a0d33f187b699e43f9 |
| SHA1 | 987b828002e5b15cd469b4e1ae07fed5e7f7c510 |
| SHA256 | 7f95f0c022e61f17338e9d9e7666beb12393caadda05941c2918c1c05a78562f |
| SHA512 | 26a4b3b23076d78e0fbfb03214b468ebf2cf0cab2ef4f2bcd208d1a225ba44ee78e0bbb5103f43ed9ea2b1fd2c7c51ca05fb422f5257954235a43a2d171f5e29 |
\Windows\system\WoERXDB.exe
| MD5 | 434128fb68957d65431bdb024d30ac25 |
| SHA1 | 6a327e681d8b7582e25ca2d8cbb4d10631b518c6 |
| SHA256 | 7e18e3672d0290ed387d1e8d4c84a4384d9cad7f92e81cb2b0b84d12c887059a |
| SHA512 | 52c9f9ca8f44a8e948c6ab2fa01d10d9216b349acdf07c8929055cd1104da9078664dc1c3da2935e09b463b5bda3b0c45e7e2e0d4e4d4c9335b440a52ebd97f7 |
\Windows\system\nVvBHhw.exe
| MD5 | 6c79d066aceedcfe2bcc1fba32d1f1ed |
| SHA1 | a31b07c549272376b2d4088b2a338bc3318a0122 |
| SHA256 | 59d216ece5b5786cfbbdd7324ba7901b0d5690d548cb99e3d6907ddea423f540 |
| SHA512 | 62860ca8c47eb1e1607cb0e1c84d0f875414ecf073d0e14777b08c86ea4ffcabd6a3cfbc028438667709e72cb3171d815b08a7ebf677b8789eff72c32c7be62a |
\Windows\system\ekPhrzR.exe
| MD5 | 97f5b08370214369426882d4187ee75f |
| SHA1 | fa6864297a037d8272784952421cc5ecaeaf2b71 |
| SHA256 | 58e3a138d07193eace0f292430cbd78c141c6a81dc9312efab923d55752d0856 |
| SHA512 | b7f5735ab8155f9d09b44393ca841b3e5c510128bc4fbb6f7d914e5daf4d2a5e114b52b8afe45eb4332e1e5f1875c3d24a213dccfed6d691035963a172b3523c |
memory/2056-20-0x000000013F390000-0x000000013F6E4000-memory.dmp
\Windows\system\SVYoKgI.exe
| MD5 | 9a577f83242e403e6e9acce33189e722 |
| SHA1 | ad6cdf0b56bdc1e1691f23b55b935a8dc4fa7b03 |
| SHA256 | 209c19a5db46d392382bf1957be98ccc5f81cf099ec10066854af7536de9e2b3 |
| SHA512 | f2c3c45817b8e84b636da9f230ca59ee8c9c65562208874f9b933e9ec7deb92a94e695557719aa9fce15ed4d64c5d96b763a4f78caa55dac4aa3646f7aa8ff8c |
C:\Windows\system\rViuXVP.exe
| MD5 | 65b33a248d58b0ca904e65ea195a63d4 |
| SHA1 | 78a193c79e5c00318fad7cd91191a4472cfc4d77 |
| SHA256 | 6567acdb4c6ca5e7a925f85da35ff7b11f8bb9873ebc5252b95c130fe163c2c2 |
| SHA512 | 1c958ea7a7d72436377d0a60132758fad94b1324496cf0e7605b3366ae21bc7956c05e57f4f422b3654a2738ade4f95a12eed48413ff592343358a170931f035 |
C:\Windows\system\XFpUjoo.exe
| MD5 | 7729e8d3032defa3102f1d7a6fe8c06d |
| SHA1 | 88d89a4a5dd4b6eb01067d34e3e0173ae1f480e8 |
| SHA256 | a54fbe419236e7fbe871318ca375b3102943449b0c48a9452514717991103fde |
| SHA512 | 2ab715f08b5b9fa9da50b5613f2f030fbea21d5ce157bc8339aa67b71b9c0a8fafabd5fae0393d4b340073c5b788e32c40d8934b063d5efded938688255c8d3e |
C:\Windows\system\IeTnUhP.exe
| MD5 | e34eb3c1b2e299addd37f2f77b3648ac |
| SHA1 | 0b14dd673688766768bb9f41ffb1bae6a006f670 |
| SHA256 | 4bd416d82df926044b8b495e2fb36c8ed5b8d118cbefd25e7ff5b5d7d5b021d0 |
| SHA512 | ff2a4e1b000194476fcedfb4a497d0925df45ad93857165f03a80d30716284718f50ccd15ff56cb6f0eb827bbb1c6478abc24e17fe3e5b88c6c4503a9fb68d0b |
C:\Windows\system\YixCYSX.exe
| MD5 | 0c1384f038e23b7adb6203706fe34b2e |
| SHA1 | aca629081c4182141616f0b8937d6c4edf2066a1 |
| SHA256 | 5b874e05eec10a977996199e1edbd15180439aa5be146df29644ce23111af230 |
| SHA512 | 6cb00c0f35c245822bce45c42604473d05949a9b65555f5865051219cc98a8330ccd8a6f5b22c0954d683619f496ea62f8a486c40d0a0cc39c88027d9032c27e |
C:\Windows\system\GBlFSuj.exe
| MD5 | a9da488a58a45636b88ba94b04dfef5c |
| SHA1 | f59f50df33e23708836697f555de15a5356888ae |
| SHA256 | af01684a96d8fdcf5fdb92396b5875855010c2ca0490fc2346c2da2ff3b278e7 |
| SHA512 | 0dad3292465e46ca03716f74e57f9b37f83c662cb4af7109ef353c3b3b68652ceddba75e8b47ad3b20d30854edd2442dd7e25cdcfda8cbbbb81141f8a5f8a6e5 |
C:\Windows\system\thuGTyu.exe
| MD5 | 50def838cb17a1b0dbd8165e55c85c0d |
| SHA1 | eac859a6aad7eac501d70e4e402cc3125ab16fac |
| SHA256 | a818f521620c7c08318ca4bc78f7c7503dcbd432f003bc78e595c1d8b4c02ac4 |
| SHA512 | 98f9ff5d2054b9f45a259b231855ff33fef47ff3ac14535207a2c065b48eb3dd09291a7c89af9361809627910a306d52425ca4f3c6342be93124d340c9f85292 |
C:\Windows\system\qIJzTLK.exe
| MD5 | 57785674a23052952658530bd19fd7e9 |
| SHA1 | 9a94c166e3209329608b87761612bca48cf1d9b1 |
| SHA256 | ba9a18f1fe7dbf93196337518a18c29360a213fed5a63e9ab63c47ff9ad3a016 |
| SHA512 | 1bc07c3db32320aced790eddaf6c5c295595023cda0affce4245b3271f52900293b1ed882ca3e0430f46fa3cfd2186932398452c7a0e606137ba8da356b8e779 |
\Windows\system\FmmJDvD.exe
| MD5 | 2f6338cdc480f6dfaa957421689d1466 |
| SHA1 | e78c2f09bffc985a1ec9171f7738d6870a50929b |
| SHA256 | ad8162be5796c8649b25e5243f8121245aaefb064ef09fc7e4885c5173016615 |
| SHA512 | 03642232408700d2c67697c54a7bf76c35b2170f04d7b7a15e76b08309f3e111c2df77b90b1186b9b09f164e3a4e92b07ce7f86130cf260e1f65bad945d8e592 |
C:\Windows\system\GuVABwR.exe
| MD5 | be5154dae885132bd9163e6e71570585 |
| SHA1 | 8d7b721b1445ef15bc9f6fa9521c620a65bb3909 |
| SHA256 | dc5b599476690e396e0a6a9686bc7eaf5e1f22747a8a299e66f8742203fb58a7 |
| SHA512 | a88fc852dd810cfc6d92e3d97502f5f5fda2ce8463d8950af00fe744ea47aecffdc57d96e551fcdfae226b6d461c6b3014dd6f0d7f8959a79455139fe33369a8 |
C:\Windows\system\isdfGms.exe
| MD5 | b1c0cbf3312db10380e137503f909a2e |
| SHA1 | 02896948a4617909ffc77cabf961e53f9836f6a6 |
| SHA256 | c5563df3f729ece03a9513c07ac38bbb6fd0baf3e43754f6fc20f8a27009a283 |
| SHA512 | d5f7b8621cdd2b9e90cb1aa9ee2685a0ad744353009eded27304ad7732ed1c23b7c8ea409fe4fc370aaf947a1bdf793a190c6d04d5c6ebd5814c78bee7a480dd |
C:\Windows\system\uGBaVkU.exe
| MD5 | cbad39b87355c6c534a2a9e2cfff5134 |
| SHA1 | 58f2b76635cec78e0ba081adf82aac514fb4b3fe |
| SHA256 | 102d3e53ea538888ad67930b27f2f31ce2b6152779790807c952814d8263d267 |
| SHA512 | afb252c58e772053660980d834cf75e2fbddcd92afb18c9e563f8f94054388c95fa3e915acc2612052d970fd61fdeb4c554d49a797c523f774350a56f03f22bf |
C:\Windows\system\FSYHUpz.exe
| MD5 | 1e84ca046ce6ffdbe4abbeadf081be14 |
| SHA1 | 48a8f919a6efb21903aef648562e6966ac772852 |
| SHA256 | 8f2e205b0d24200f9409ae742278e9c936fd6b0df5d02cd833998bf86b7077e1 |
| SHA512 | 2627857f91f45aa7db050e65f167385fdeb5ac5d37fcc87f4c2fd4ed938a0bf3ac2080b8aa88d69a7d4d76eda4fda864b10fa3e6415218c4e6c7dba19043aa15 |
C:\Windows\system\EETtwrN.exe
| MD5 | 248f563b3b539f9c1ecc0a9d463721fd |
| SHA1 | 5031d9ab4e0f52d29357cc733fa792cecf04ca01 |
| SHA256 | 8d4ab302affc4da1290f6e8ab3bcc37685da5e5686faf77f817c9ba5f15be4b6 |
| SHA512 | 46ba1ab2a1a7ce6dac18acaf7135bd43762f01c98838fe27de1757ef684ec44e8cfc6465800da302ba7ddc244455652bf2b899843046cdbfa0e719ad370cb6df |
C:\Windows\system\fUIXESd.exe
| MD5 | c284f2d53989a5915abb11a286d327e9 |
| SHA1 | 9f3d018286f2f6adce0bd553e48d0ef8fff9be83 |
| SHA256 | 49a29f477c026cc8b18fdb93132f74b6b93eca48705dc4e7bafecbda1d646401 |
| SHA512 | 9576d5c10d30b568454cdd91344d8798e8d3e63fb664f76a16ad379747228f573609320d88393b17fedae51990878c81a1b4d6c8edee2e3f75b8fe3dff71bfa2 |
C:\Windows\system\QRhrYfZ.exe
| MD5 | a1a1f6881678f22a7fe1ea8877c5d720 |
| SHA1 | be80c939d96533923f2bc9b981b5080d5ef5d6b2 |
| SHA256 | 1c2dcad46a4e79e16a7781adc3da572f097bfcc8803beda3f5f1c4f9e58e6c1f |
| SHA512 | e6073d1160e32ccdb1e0e5cfb1e29a22f0f6689122a1ed5eb602badd423c524b8f282745be5b26db327f1956eace62d20b7f1f89113afe79e64ce7c67f5c8d27 |
C:\Windows\system\eksiifC.exe
| MD5 | 78c79b1fe5675bf383064f7753d9cd38 |
| SHA1 | 745215c76ed7f8844054c72dc96b628b8e3fd833 |
| SHA256 | 60e9aaba45fbefb3e469326c1940cecb15c17da3b4f3af40b75e7ef58c76ef9c |
| SHA512 | 8b25d1f63adfd6d5ddd69fffb996d97e0db7c46dcd61fcef932615b3d6b8e42bfd635dcfee778255fe733345617f2f2d63bad664162aad57ed145d6f0fed824a |
memory/2392-34-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2552-102-0x000000013F420000-0x000000013F774000-memory.dmp
memory/2056-111-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2724-110-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2056-112-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2056-115-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2056-117-0x0000000002320000-0x0000000002674000-memory.dmp
memory/1948-118-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/2620-116-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2568-120-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/2056-123-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/2056-128-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2604-127-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2056-126-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2776-125-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2032-124-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/2492-122-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2060-121-0x000000013F9C0000-0x000000013FD14000-memory.dmp
memory/2468-119-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2140-114-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2732-113-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2056-129-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2776-130-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2392-131-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2552-132-0x000000013F420000-0x000000013F774000-memory.dmp
memory/2724-133-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2604-135-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2732-134-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2492-138-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/1948-137-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/2140-136-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2620-140-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2568-139-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/2060-142-0x000000013F9C0000-0x000000013FD14000-memory.dmp
memory/2468-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2032-143-0x000000013F6B0000-0x000000013FA04000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 03:02
Reported
2024-06-09 03:05
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
149s
Signatures
Cobalt Strike reflective loader
21 hits; indicator, process and target all reported as N/A.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; indicator, process and target all reported as N/A.
UPX dump on OEP (original entry point)
64 hits; indicator, process and target all reported as N/A.
XMRig Miner payload
64 hits; indicator, process and target all reported as N/A.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xIUttia.exe | N/A |
| N/A | N/A | C:\Windows\System\iXyRZeq.exe | N/A |
| N/A | N/A | C:\Windows\System\OMegZrA.exe | N/A |
| N/A | N/A | C:\Windows\System\EkArEbC.exe | N/A |
| N/A | N/A | C:\Windows\System\BmNilDb.exe | N/A |
| N/A | N/A | C:\Windows\System\iwVjgGD.exe | N/A |
| N/A | N/A | C:\Windows\System\hqmFTep.exe | N/A |
| N/A | N/A | C:\Windows\System\atEjRrl.exe | N/A |
| N/A | N/A | C:\Windows\System\aSpRErZ.exe | N/A |
| N/A | N/A | C:\Windows\System\SbDVbyL.exe | N/A |
| N/A | N/A | C:\Windows\System\PtaeGtp.exe | N/A |
| N/A | N/A | C:\Windows\System\qiEpzmB.exe | N/A |
| N/A | N/A | C:\Windows\System\lsIuKlo.exe | N/A |
| N/A | N/A | C:\Windows\System\hzroJTS.exe | N/A |
| N/A | N/A | C:\Windows\System\HpKpTlJ.exe | N/A |
| N/A | N/A | C:\Windows\System\PSKFIfM.exe | N/A |
| N/A | N/A | C:\Windows\System\wVNGavI.exe | N/A |
| N/A | N/A | C:\Windows\System\CBxtNQT.exe | N/A |
| N/A | N/A | C:\Windows\System\rsZMTQQ.exe | N/A |
| N/A | N/A | C:\Windows\System\xkLJurx.exe | N/A |
| N/A | N/A | C:\Windows\System\GzBpVvt.exe | N/A |
UPX packed file
64 hits; indicator, process and target all reported as N/A.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\xIUttia.exe | C:\Windows\System\xIUttia.exe |
| C:\Windows\System\iXyRZeq.exe | C:\Windows\System\iXyRZeq.exe |
| C:\Windows\System\OMegZrA.exe | C:\Windows\System\OMegZrA.exe |
| C:\Windows\System\EkArEbC.exe | C:\Windows\System\EkArEbC.exe |
| C:\Windows\System\iwVjgGD.exe | C:\Windows\System\iwVjgGD.exe |
| C:\Windows\System\BmNilDb.exe | C:\Windows\System\BmNilDb.exe |
| C:\Windows\System\hqmFTep.exe | C:\Windows\System\hqmFTep.exe |
| C:\Windows\System\atEjRrl.exe | C:\Windows\System\atEjRrl.exe |
| C:\Windows\System\aSpRErZ.exe | C:\Windows\System\aSpRErZ.exe |
| C:\Windows\System\SbDVbyL.exe | C:\Windows\System\SbDVbyL.exe |
| C:\Windows\System\PtaeGtp.exe | C:\Windows\System\PtaeGtp.exe |
| C:\Windows\System\qiEpzmB.exe | C:\Windows\System\qiEpzmB.exe |
| C:\Windows\System\lsIuKlo.exe | C:\Windows\System\lsIuKlo.exe |
| C:\Windows\System\hzroJTS.exe | C:\Windows\System\hzroJTS.exe |
| C:\Windows\System\HpKpTlJ.exe | C:\Windows\System\HpKpTlJ.exe |
| C:\Windows\System\PSKFIfM.exe | C:\Windows\System\PSKFIfM.exe |
| C:\Windows\System\wVNGavI.exe | C:\Windows\System\wVNGavI.exe |
| C:\Windows\System\CBxtNQT.exe | C:\Windows\System\CBxtNQT.exe |
| C:\Windows\System\rsZMTQQ.exe | C:\Windows\System\rsZMTQQ.exe |
| C:\Windows\System\xkLJurx.exe | C:\Windows\System\xkLJurx.exe |
| C:\Windows\System\GzBpVvt.exe | C:\Windows\System\GzBpVvt.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 52.111.227.14:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1920-0-0x00007FF6F1480000-0x00007FF6F17D4000-memory.dmp
memory/1920-1-0x000001E6F3940000-0x000001E6F3950000-memory.dmp
C:\Windows\System\xIUttia.exe
| MD5 | 15971c3a967e8175aba8f4fc79a53f8b |
| SHA1 | 52295ffb22935781547d01b1e8dd37c661ab0c87 |
| SHA256 | e50f3e6c8cb686460a57dbc94f8a2f729b6b5acbb6e063cfdfc615c63c9624cd |
| SHA512 | a9eb7aa1c5b998fdac8c031e039041c3f1200322af1a41c69bd310032c70e9df083b9f7742e61d018c4941668b93d89ef36e5e40b873dc02cce8c361ccc771f8 |
memory/3980-8-0x00007FF66AB60000-0x00007FF66AEB4000-memory.dmp
C:\Windows\System\OMegZrA.exe
| MD5 | 0b19319807c8f302fff7624796b1aa0f |
| SHA1 | 3d8a1f0f3f34bd03baeac3cd584dbf9b18cef349 |
| SHA256 | be8009faa4467007e048c6fc7693d7a0648bd9f1b1209eea9fabd490a45f7b86 |
| SHA512 | 9a919c687dfe283ae218a5d984663788d54f85cdf7ac034b79126e3ec40a24524f3b8ae11b459e70b7eb2351a4c8aeaedf2e9c9e1ac00c1362810a715025d23b |
C:\Windows\System\iXyRZeq.exe
| MD5 | bd5652bea0be3209dafd1c0b22ddf9b1 |
| SHA1 | ae0bcf70fb4717d4fedd04e209da426cf575a6ba |
| SHA256 | bda287214cf31f94c63abef3b62b81da6a132ea6a43f5e29aa35c6033d06fe86 |
| SHA512 | 65ff9451ada555ddb2e7aedc2b14fc4404052049402b7f232078ad85541715a3b46de096e66e6ca078f87ad58b913d2f86e48377d327bc92771be7a5d68dfa85 |
C:\Windows\System\EkArEbC.exe
| MD5 | 6acdb7f94dd7a35d392ffec3a4e773c3 |
| SHA1 | da28ded8d12a97b56b93292a78e5c8adfeb940f8 |
| SHA256 | 3f3b239882ee88da34b691d762588437598ef6b055529a8da31ff69f3164704a |
| SHA512 | 5d44d22d39968eff68901dc28d451959b91d4bcc791f742ee229a0a2e9f8b09de784fdbd2e2937fe2e6ad7f33c090156d9d624546d0a72bc61a2050ec3dc193a |
C:\Windows\System\BmNilDb.exe
| MD5 | 076d6d7c34d78cfa42c351c6aa5bdf0a |
| SHA1 | 044af3e8604e91738eb2cd8354446e041d9c854b |
| SHA256 | c5fcf08c8e5986fd951ac5d6f1919b178d53c3679bc62e32469bbe3881fd2965 |
| SHA512 | be7c5cd4ad9438a3455bcbeb40470b8794519838dd07db35d86dc8360dcfee0e713c3ffaa90e0e3fcb770ed689c3257fbf677bb03568734a1c5b1d60b64d1d3f |
C:\Windows\System\iwVjgGD.exe
| MD5 | 247d69728a81c5b36ffd3638fa17dc34 |
| SHA1 | ef6b982b1137176448c64d0a74a9cddfc571ecf8 |
| SHA256 | 5d94deb6bf7e26a0816d4e3bc3a5320331c9d6511cc3f341cfbf00716f93f0b2 |
| SHA512 | 9ae7c53d2111c1c8bcbe6f522fb70d04f1b920b53caadaf08667b2614524ae0e781a42e36b55959c2e7cb4b1981ba1ff762bc42e0f325b14370bb791162a56aa |
C:\Windows\System\hqmFTep.exe
| MD5 | add223615610735f034e7b872db43230 |
| SHA1 | 0b01f2618702020a614d5d5d6e2a193f75fcaee5 |
| SHA256 | dbc4990a617b6220792c4248837520cb70099724d013ae28b0160d87301d209d |
| SHA512 | 3caedcbfce6a7d06338d339351be3711b537940443006352c253c46db5f4e146a9c702ec339e4d77c0054439b6f7e4f0bfd5a7356f4a6a249ead0d337f9e15a2 |
C:\Windows\System\atEjRrl.exe
| MD5 | fbdab45f2c133e9cf4527033966f6591 |
| SHA1 | 21c02928ccf114ebcef118882cecf6518286e393 |
| SHA256 | b37df4e22fa8c2915840d7f101a1c75f4e56e4eb1f53e4859b47f91197e963ea |
| SHA512 | 52541dfcd3efd0d3c13d6cfd85f047def6158576f53eef0e58364a787b97f226e2c30d52bd409ce3b876173bd08818b52c27955bd28d915710d4379aa78f1ff1 |
C:\Windows\System\aSpRErZ.exe
| MD5 | a25f03c5ca806657f204038e66c6faf0 |
| SHA1 | 424b9d1c673888c3a9d3edb4bac2ca26312cf0a7 |
| SHA256 | 777bf7fdad74b5487995d69136f04073e859a0efb17eaa70f5723761df49bcdf |
| SHA512 | 044bfffc3cff2e3cfefd42df605294bd33f7ee07f759635b9334df6419ee896f15982c20b4672a59de3c7d0a9eebf003406edcb1833d88c6ef5a7978406e4414 |
C:\Windows\System\SbDVbyL.exe
| MD5 | ea243355682d00abaa75aa5faee76428 |
| SHA1 | 2ce35d89a7515429990400e84c970c33c5002e6c |
| SHA256 | d6b2f340d8eccd57fa9d68e86ad580863e98c7e566e77d1a1e960f3d89fb2052 |
| SHA512 | 6569ad89f52da3931119cf80b911528fb57fea8e2f7afcf8adc6c67227655d045ac5529b66863a3bb6ccf074afff9450b97102c1883e19ccf30238ced9e61f44 |
C:\Windows\System\PtaeGtp.exe
| MD5 | bc951d066d7e8f95d61adffd30336c33 |
| SHA1 | 36782bf83a3fd9575ce65fc5c3fe06588a2737a4 |
| SHA256 | cba3968228a17274f45f2577aa87ce372b12fda31ed47eafe7b47b8cd8fe9cd1 |
| SHA512 | d643a879fecdaaf735398e372e806c8e6244b2b3de8e4ee895b11afbb62fe5ffd2e332c07a08a6dbfa2f167f5728a7cb38c9871c62491bd4917237eeac86dc01 |
C:\Windows\System\qiEpzmB.exe
| MD5 | ec2cdac2d28aac477b92f59cfda95f8a |
| SHA1 | d2e0980b7c603dd0e302744c8b4b23224882a4c8 |
| SHA256 | 1e23d2cc5c9b29fe28e60b3da1e6e0a8f051d405557bc13518ba78b16fa1f872 |
| SHA512 | 785714f79f08efe90e8a9467788141db4e8280a10951cadac3615255f9875c08aeb59f22853b7dd9b08a6bdceb06b79babb7aa086d58a6e4abaa7106fdd1c885 |
C:\Windows\System\lsIuKlo.exe
| MD5 | a683e2890d3d8dc385360c5ead12c5de |
| SHA1 | 9106d5ff524ba0cb89f2160a3387eeaaa2dde4b8 |
| SHA256 | 9a4423f9584fb7e64cc4db5ee51ad9e4a9cce3c0d7a096a64cc662acbd7c55e6 |
| SHA512 | f1f7504d6f69420d9e68b212d1d6b5f49002cab12c5595ca2b350d6097a1ab086005a1e0bd64c570a14cbc12c439a04fc4c52a63f06008d32dd92596fb00cc3e |
C:\Windows\System\CBxtNQT.exe
| MD5 | e06730c8a600ab7aa915e9975e600a7b |
| SHA1 | b15b3e64a25fe283c8c0959665c948e05694aaf9 |
| SHA256 | 4c76ef9292a970dee241182402102457e26ca1ae7d60825dce1ee2a5b31ce584 |
| SHA512 | 8260537b9e7ac43ec39fd0cfd40cf8ee4cdf048f7963927d413586b0a5191774668f30ef0242bc52e724015c2672c753ce8ff7648f6c6e8721180e2cf8c09874 |
C:\Windows\System\GzBpVvt.exe
| MD5 | 173a4d0df9e365310a2f2f232c34afe4 |
| SHA1 | 4301c6add570b5a6ae80b876cc1a838364705b2c |
| SHA256 | b178805e8b4ee5ecb12b6ac655d46d538494d1149934b2ab599e7d140330f829 |
| SHA512 | dc80b2cba61b8ff6a25bc3899b8e1f8630373534e97afc2f795cee178180d5762f76ca3e22f744f6023e53dba2b06d56cc4b7e0b198eecd9d56c6d7d3bf2593a |
C:\Windows\System\xkLJurx.exe
| MD5 | 2bac9d52ad7378bce41051af48afb70d |
| SHA1 | 576487c580ec2b9c826e28527f87fcc0713acd40 |
| SHA256 | 413908d0076fcf04189df16092e07bf0fe9e0aa1d70ba653921dec312720933b |
| SHA512 | 3c800d8a5e28137ae7bc854b698af75ddce4f7d668401e22f2266797274d88541f6f921db4179dd2a4cd5d544af13e87e6cf87aa5b524009fe7f0cfe1a40e43e |
C:\Windows\System\rsZMTQQ.exe
| MD5 | a42ae5c26492287bf9244335554e18d9 |
| SHA1 | d7088eb21c7c2858dbe2d23272cfddd288370bf6 |
| SHA256 | a51c2b5682da955f11d5a38eb4cea43948121dd2472b0ac52bc71e5fb177263b |
| SHA512 | b97d6aefb228056b147377f08aa4bb0aa4acf8b9f353d57c29963cebf83734801a0087485f8f936f9dce08df357a87b3d726439b160a5ba96975287282cae847 |
C:\Windows\System\wVNGavI.exe
| MD5 | 221f66433ed60584cc07a7daa1d537ab |
| SHA1 | 8ea0cae839add18a33a884a8cfa50dbbc29eb1d9 |
| SHA256 | 3fb70b186cd0d79c978470641bdcb67b2594566c850684c3ea464c5f8e0818a6 |
| SHA512 | 087747290829f21a8e9527c239045c25c79297d0765093d5ffae18fc67a313bfe244c71c6f74d4260627df3ecf397123da98990b7d8c4540f84df4d24b66cd68 |
C:\Windows\System\PSKFIfM.exe
| MD5 | e3a60e0aebb2ccde299c1760f6e79f92 |
| SHA1 | bf62c7d1665ad22bb0cace14a7ac9cb55035bb2b |
| SHA256 | 29a2ff4a3be94cdfdc79f86470828bc55efb649fc7198495e6a5737a0897af52 |
| SHA512 | d7ed48073ad567326b6f48a90d929ac852254680233660cfdd5af0723d6ae72ace2a965d6fc03b3a2a9f3eb4274f7371f22f68c9f6196160d6c49f1e2cb4c5bb |
C:\Windows\System\HpKpTlJ.exe
| MD5 | 82cb98afec5ddbf7866e220748323b26 |
| SHA1 | 0052626241510dada42a446fdfb8ee81825cdc7b |
| SHA256 | 9ef5d0deea73bdf3aa72ab953727bbacdd763ae2a9315e539c6716894de5e855 |
| SHA512 | 682ca2f3b89777d90a74e32d8cfd7b62f7f7851eb32fafc7d173bdec9e652dbd01fb311ec26ce61ec23e391d160854b7a5e4c763cf0bc637419aa9e39faae3ca |
C:\Windows\System\hzroJTS.exe
| MD5 | feb30dc6597f3cb193f7d3e94b853a02 |
| SHA1 | f884be67c293357db477c2352d25dd3f9aedb3d5 |
| SHA256 | d5d60c4bb2406a9326dcbf3bcc84a96edd372ba76d722d7832d8137c8ccfdfae |
| SHA512 | 8d0d7be84024cf9630a075e3fc5c0c7372d7d36812f4611ea73c21f99c99b5961bfa6d6eac16b070cf84f3cbed94b57947f27b93c80f47af994e113e2e6e81de |