Analysis Overview
SHA256
942bf36f1fc406ca964d9ac4a4c6fe8b49eec8e43bf9ad80a98de32b28cdd8f2
Threat Level: Known bad
The file 2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
xmrig
Detects Reflective DLL injection artifacts
Cobaltstrike
UPX dump on OEP (original entry point)
Xmrig family
Cobaltstrike family
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-10 00:48
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 00:48
Reported
2024-06-10 00:54
Platform
win7-20231129-en
Max time kernel
135s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AsJmpyP.exe | N/A |
| N/A | N/A | C:\Windows\System\SWpdKIu.exe | N/A |
| N/A | N/A | C:\Windows\System\hFsQOmO.exe | N/A |
| N/A | N/A | C:\Windows\System\APYlEso.exe | N/A |
| N/A | N/A | C:\Windows\System\tacmDdG.exe | N/A |
| N/A | N/A | C:\Windows\System\rEQQcMX.exe | N/A |
| N/A | N/A | C:\Windows\System\MfwHadr.exe | N/A |
| N/A | N/A | C:\Windows\System\buCiXxL.exe | N/A |
| N/A | N/A | C:\Windows\System\WZsgImR.exe | N/A |
| N/A | N/A | C:\Windows\System\PXVxHyX.exe | N/A |
| N/A | N/A | C:\Windows\System\sezrjfT.exe | N/A |
| N/A | N/A | C:\Windows\System\ZpatCZO.exe | N/A |
| N/A | N/A | C:\Windows\System\YLnsKZA.exe | N/A |
| N/A | N/A | C:\Windows\System\mCREGnj.exe | N/A |
| N/A | N/A | C:\Windows\System\pzlCMQU.exe | N/A |
| N/A | N/A | C:\Windows\System\REEmgRW.exe | N/A |
| N/A | N/A | C:\Windows\System\YVhsGaW.exe | N/A |
| N/A | N/A | C:\Windows\System\hVVfVgN.exe | N/A |
| N/A | N/A | C:\Windows\System\BzyimRJ.exe | N/A |
| N/A | N/A | C:\Windows\System\aBkOZPQ.exe | N/A |
| N/A | N/A | C:\Windows\System\CwUINnv.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\AsJmpyP.exe
C:\Windows\System\AsJmpyP.exe
C:\Windows\System\hFsQOmO.exe
C:\Windows\System\hFsQOmO.exe
C:\Windows\System\SWpdKIu.exe
C:\Windows\System\SWpdKIu.exe
C:\Windows\System\APYlEso.exe
C:\Windows\System\APYlEso.exe
C:\Windows\System\rEQQcMX.exe
C:\Windows\System\rEQQcMX.exe
C:\Windows\System\tacmDdG.exe
C:\Windows\System\tacmDdG.exe
C:\Windows\System\MfwHadr.exe
C:\Windows\System\MfwHadr.exe
C:\Windows\System\buCiXxL.exe
C:\Windows\System\buCiXxL.exe
C:\Windows\System\WZsgImR.exe
C:\Windows\System\WZsgImR.exe
C:\Windows\System\PXVxHyX.exe
C:\Windows\System\PXVxHyX.exe
C:\Windows\System\sezrjfT.exe
C:\Windows\System\sezrjfT.exe
C:\Windows\System\ZpatCZO.exe
C:\Windows\System\ZpatCZO.exe
C:\Windows\System\YLnsKZA.exe
C:\Windows\System\YLnsKZA.exe
C:\Windows\System\pzlCMQU.exe
C:\Windows\System\pzlCMQU.exe
C:\Windows\System\mCREGnj.exe
C:\Windows\System\mCREGnj.exe
C:\Windows\System\REEmgRW.exe
C:\Windows\System\REEmgRW.exe
C:\Windows\System\hVVfVgN.exe
C:\Windows\System\hVVfVgN.exe
C:\Windows\System\YVhsGaW.exe
C:\Windows\System\YVhsGaW.exe
C:\Windows\System\aBkOZPQ.exe
C:\Windows\System\aBkOZPQ.exe
C:\Windows\System\BzyimRJ.exe
C:\Windows\System\BzyimRJ.exe
C:\Windows\System\CwUINnv.exe
C:\Windows\System\CwUINnv.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1404-0-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/1404-1-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/1404-7-0x000000013FC50000-0x000000013FFA4000-memory.dmp
C:\Windows\system\tacmDdG.exe
| MD5 | 3e9ae2924c3c104a7c90b08e3e7acd45 |
| SHA1 | 5ab39c27dfabf5fb9dbd2a44310816a56018d20c |
| SHA256 | 706cc4318f6f5062a2369f314f0df2e3f273d110dbd899cd95870c60ee38023c |
| SHA512 | 5879c7f873c8ceeb28e1f7811d1e7713cbd3021e525f26eb0f0be541ba4feec739955ad0e27111dd45018917651665cc6149704aed5a699266a9ca169a8e1b8c |
\Windows\system\rEQQcMX.exe
| MD5 | 727e777d96ed5568549d778633225cee |
| SHA1 | f05edfd04082e6bc6a3bdd598f40f206e733a0ce |
| SHA256 | 4ff725d155ceadab4a6e67a21228a63a469d5bd118d8cca6f679be9c6a2c5c59 |
| SHA512 | e4fa9d8cf53108ab7571d9eae564748c1e39a93ab1801331899bfce9f5540ed753d24db4888834f92426b321fb76ab2d63f6483c0bb1f9514b27af59430d5281 |
C:\Windows\system\APYlEso.exe
| MD5 | ae5a606d6eeb1a38a20dde2c1d858cd2 |
| SHA1 | 65617100db6552cdf2b09f261c5afddd36c175d5 |
| SHA256 | e2dcd3c156d5c15e9fb18e732702bfbebd2ae784362c3cc6d1d9cc005e52ba11 |
| SHA512 | 1a8262228dc66a1adcc26a12151000d47f08c15c504e27a007323c2e37b3d05968f048237e5806c5fcf58d5c8566bf685172a01b3040011cac72892e852163f8 |
memory/3028-40-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2748-38-0x000000013F640000-0x000000013F994000-memory.dmp
C:\Windows\system\MfwHadr.exe
| MD5 | b947826bbd9784436ea143eeb72cb7e6 |
| SHA1 | 8ece86382634c8376de37b0f8e502dead522987f |
| SHA256 | 7cb8ce52a418a2848860c63f94f0647433e907d027a2566b0b4e5eb5499aabe7 |
| SHA512 | c4916083b03b6515fae041056f27f5d45676932d88b883747ff92e58abd54af07d43d2e991124733880630ec73d5091989c4916ed745b8303f45ee2dacb5e20f |
memory/2868-48-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/1404-45-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/2164-36-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2384-34-0x000000013FAC0000-0x000000013FE14000-memory.dmp
C:\Windows\system\hFsQOmO.exe
| MD5 | 052d3e58516c3738da70b2f0dd291705 |
| SHA1 | c09b813fc271b3e44b0d900648a98d2443ac5eb6 |
| SHA256 | e5b38c0caaf0afa67e34967906854432ae259e71d3e960ac226f8b211ec6829b |
| SHA512 | e253db481ed1e10bec8221c4cefef41b36d63f28cf5e702c8e4cb151a1afb98a99bb9d4e90318036514002d98c0908b384062ca235145047e7e8189002061d78 |
memory/1404-29-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/3064-28-0x000000013FA40000-0x000000013FD94000-memory.dmp
C:\Windows\system\buCiXxL.exe
| MD5 | 2e958e280a6a3cd2981c5fb74f0a3b40 |
| SHA1 | 69f72d0838628b4842c0d672b4c4372ec763c9d0 |
| SHA256 | d44a5d0e6e7dbe6e6fb16a1c927645c3982fbee0461733f8bfea9f369a7dbe7c |
| SHA512 | ff85ce78617421ed3a08a320d1346aa55566dea0c376df537e98925fbe24c1d34647f83cfd0ad6c6cde70e60dbf6ad29b85f6c646675bb18444902e77c92b3bd |
memory/1404-53-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/2464-55-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2216-61-0x000000013FC50000-0x000000013FFA4000-memory.dmp
C:\Windows\system\WZsgImR.exe
| MD5 | a3d7b65906dde928b445879709896f31 |
| SHA1 | 4676414489764667b18a6b9c1f91e17c73290c58 |
| SHA256 | fe4d8e740ae7df98b6e93e4fc54937a240d4703d97b48bf965312dcaf0022bb1 |
| SHA512 | 814559d737bfbe0d38d708a74bb0ec8518cc8ff7d59331be0562cbbed17880e91418f04c5fefb10a46b8868d95755e7331c5d5e879741db45799201b7bfc93ee |
C:\Windows\system\PXVxHyX.exe
| MD5 | f63dbc8995dc3bf2879b3a54a52c4226 |
| SHA1 | 419b93c5de716e8b7d5765a02572cb47ee188ec7 |
| SHA256 | cfec0be2a21e3e9fda22578a92f8228803ed89500bf777885a98d3dd1383623b |
| SHA512 | 02c64c2bca372b612dc5c569ec3df57bc6c40abe56ee0b5b2852965db6c90b47d1533783ab10f5af9ac70bb5cb820972233ef5edb72b264075da0fdc2673c886 |
memory/2460-69-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/1404-67-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2628-62-0x000000013FA80000-0x000000013FDD4000-memory.dmp
C:\Windows\system\SWpdKIu.exe
| MD5 | 70dfd2be147a3fa4cc92c4df44a24e18 |
| SHA1 | 4a4c9d75ea5553ecc79a0f995b4fe03728607577 |
| SHA256 | 2d071272fee87b5a796334bf96715d4abf9f755605cda1b2329e4f934a1539c0 |
| SHA512 | 007aecd7b6c4f865c917757146c85dfc4077a0981c67cc4cb7d44412df917b57a154ffc63ce2ef27cac575c2e3ce17698b2a663a1a83a5a44de61f892ad1ada5 |
memory/1404-18-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2216-11-0x000000013FC50000-0x000000013FFA4000-memory.dmp
C:\Windows\system\AsJmpyP.exe
| MD5 | 81c2406e4b4016a9b7ef55bad5435474 |
| SHA1 | 157f1ce9165f767df4e38d40b70104a67a919da8 |
| SHA256 | 59097513dd65a94cca9d4ccac3004cc2854072a4fd74417245e80ececcec50dc |
| SHA512 | 05adb956e0dc9f46c6384ee7338ac75989863ff41ac93b716c2f37b363ba2dcbdd43f610bb601c5ea00f331c282e893fb9e776eacb832e6ea2d9c1c4105f399d |
C:\Windows\system\sezrjfT.exe
| MD5 | eeff70f3b9091c5d1e07310ab11b4b06 |
| SHA1 | 4ca451e10230ff6f5a3db26f9d2236adba0e31f8 |
| SHA256 | 1fe0485d61131cb5d3264116acd3ebd6e2c1d8a9f35322e1eaf8f5b30cc3db72 |
| SHA512 | cb0e42579f5564c8ff2a3582c3ee44afec5a506a8e7bbc0d93dd30f4057895b406fe45fb5ad2b5bfb9fe22143a40b8372ed0ff6d58990abedcb08e4ce1e21585 |
C:\Windows\system\ZpatCZO.exe
| MD5 | 6a29b5f70bed0620a0fbddca1ecbb197 |
| SHA1 | 9f942e588f9f6371faf63d0a97456000cd1826d7 |
| SHA256 | b1415bb87b499a14926d4079fda261456f07b20f224c5ae66d2a85b0304a6829 |
| SHA512 | 23b9e655068d12e7de30733ee931174c3bdc53e697096714db749d4ea483a73ae86b4a9afd88938b40f6602414594b8154c2675e94b7e762e85e6cabd49fdd86 |
\Windows\system\mCREGnj.exe
| MD5 | 8d14462d7f0362a0821b23436951a10f |
| SHA1 | 03f88b9f125172988751bf58840ebc42b8e81dbd |
| SHA256 | 7a3f9e453ab7c8773d869579926854000105ab1b895f26fbea6aab4933ef536f |
| SHA512 | 1c15f5554f8fb9c8663a540f77fa1a400900ca042e6f7343a2f9293a250ba7a99c57acebb6fd25a59107f3f413f1192a8e8ab13aedda5ebd7ac50571155b4da4 |
memory/2188-114-0x000000013FBC0000-0x000000013FF14000-memory.dmp
C:\Windows\system\CwUINnv.exe
| MD5 | e592fedbeaddb1863dc54547015d669a |
| SHA1 | 1c07ea51def64fee66d2758e80c6d5dcc5f89842 |
| SHA256 | 5c5cd6634c60942a55bd606834360389db5e06bd5fc18cd04048279714e6626a |
| SHA512 | 7ef2cbd307c149b1864f93cca709cfce1bfb41ca08d3c2d2175a50cc45d0a317d11e298a217d31638a5837a3d665c4f1a49ee2733c432b3f8dd4844d690009a2 |
memory/1404-130-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2396-129-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/1404-128-0x0000000002440000-0x0000000002794000-memory.dmp
memory/2532-125-0x000000013FF90000-0x00000001402E4000-memory.dmp
C:\Windows\system\aBkOZPQ.exe
| MD5 | bdd259efbff527b54eb29cd81e3214f1 |
| SHA1 | d5d85d8362d2928aa9e9252fe9f76fab3bd02e63 |
| SHA256 | 177ef8daee1be5a60f041d4e97e54b238f4ce871beaf06c221886417c4d1b985 |
| SHA512 | 02590594f60865e27f5d48b010f2687fd3fa35fb0d9fab5b7998236631ff257fd5a2f5b94efc4e0e12a13b4b4e7018f03c62c1774827cb555a26ca0a4044810c |
C:\Windows\system\BzyimRJ.exe
| MD5 | b96bcfe818ee9f624631ecf5d64302cf |
| SHA1 | d2a2feef269d707d7921298358d48f92099969fc |
| SHA256 | 59cc44ac2a08a69e34f70d13c1e21b1b3ad48e27fbc9c91c2d97234e716f6220 |
| SHA512 | 7cf71c18ab75fbd4b14f7bda5bf76d110cfae3bc2b2150e6a4df4588663449d92b16a48bb8567be6fbbec9edab7a0fc4c0f10f1a900adabec08280ba783a49b7 |
C:\Windows\system\hVVfVgN.exe
| MD5 | 3987c2fa71f02a8ad1edca608f3b60a7 |
| SHA1 | bca59479246ff30e24ffb64d69c90797484c8880 |
| SHA256 | 0770e8f88bc9e4759b26713e62dcd5ca839f84f770f738bf5828fdf9d5cca8b2 |
| SHA512 | e337f2bbbf400f012f823a434d812c50f4b17ca6d4a513573146057e6e1b15f7c3034b1cdabe309b1d9c29336a1aef5fe337be57f1d41d2c8f3627834fdd1191 |
C:\Windows\system\YVhsGaW.exe
| MD5 | 03ffeef72b5be2e2f6f88516c85e02fe |
| SHA1 | 3c5dbfd8a475dce3921a688c9269210b2f0cde63 |
| SHA256 | 6415a6ea8be0ebde4e034c96f66ee6db51ca37f6f02688df37e38dba5ed37e8a |
| SHA512 | d08326391e17000a415ce991c8db9ebc2772f7efa0cefbd130c5a89786ac04afba4630e961195d8d1b5044939f57549577099271173b4bc7d404ad6d02c9fca0 |
C:\Windows\system\REEmgRW.exe
| MD5 | c830eba0e0e18f51b987dd4c7f8c05d0 |
| SHA1 | e1aa8b5911b1448e8a64a38fb3c0279490a9b290 |
| SHA256 | 50dc71da99867e907361fb626665a821f69a165142613fcea8f76357d8082c6f |
| SHA512 | c037d8ebfe857a09c9afcd7df523498c3053e5fab657a306ea54945ac4ecddb76209c1ed40c3c03bdae82e0ff61dd936f9d3d2f7b8c0e784f5a2c2a900a1c249 |
memory/1404-99-0x000000013F8D0000-0x000000013FC24000-memory.dmp
\Windows\system\pzlCMQU.exe
| MD5 | a14d9fea3563c88e84a8f04d5f5f274c |
| SHA1 | 0e5b5f7002c2dfb736c7be7013c85a844dc754dd |
| SHA256 | 604976b3cc4e4359b796155c3b61d2306279ab326c14cc09c5c23bbe4dec6d2a |
| SHA512 | acfa9115132c43d895c75474766226f90077ea846ac0be82198a7f76cb8d0df3bee061265220742a2b79f27b148a64c76f6b8474d805c6c8e3bac11fe573b7da |
memory/2000-95-0x000000013F800000-0x000000013FB54000-memory.dmp
C:\Windows\system\YLnsKZA.exe
| MD5 | d7f5ced23b8bca9763eae1c4a390931d |
| SHA1 | a0cf9bd5cc5adc6802e52d5a21d3ec957e8628fb |
| SHA256 | 4ff9f9f664532b5696527ad1efaa7dfcf790bd6e00b777d1b6578dfd959c2b55 |
| SHA512 | e30a5254ed5f2f0fe0ed6f8882ed63da103dbe75367a303d3591ea719a8fe365c025c7f4d948cf45f001c392572d8f4dca01f5ad3a2b5ee900826402f64a435a |
memory/2164-131-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2748-132-0x000000013F640000-0x000000013F994000-memory.dmp
memory/2868-133-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/2460-134-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2216-135-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/3064-136-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2384-137-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/3028-138-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2748-139-0x000000013F640000-0x000000013F994000-memory.dmp
memory/2164-140-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2868-141-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/2464-142-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2628-143-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2460-144-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2532-145-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2000-146-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/2396-147-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2188-148-0x000000013FBC0000-0x000000013FF14000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 00:48
Reported
2024-06-10 00:54
Platform
win10v2004-20240426-en
Max time kernel
135s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\HFGFSzA.exe | N/A |
| N/A | N/A | C:\Windows\System\WXfYTEs.exe | N/A |
| N/A | N/A | C:\Windows\System\cyznkdJ.exe | N/A |
| N/A | N/A | C:\Windows\System\BXgOuEL.exe | N/A |
| N/A | N/A | C:\Windows\System\YOKyLTV.exe | N/A |
| N/A | N/A | C:\Windows\System\xBlOnsf.exe | N/A |
| N/A | N/A | C:\Windows\System\ftiUKAC.exe | N/A |
| N/A | N/A | C:\Windows\System\UQhaZJC.exe | N/A |
| N/A | N/A | C:\Windows\System\SmkKVeN.exe | N/A |
| N/A | N/A | C:\Windows\System\vgvOZGd.exe | N/A |
| N/A | N/A | C:\Windows\System\tCLhRNB.exe | N/A |
| N/A | N/A | C:\Windows\System\ZiJaWhn.exe | N/A |
| N/A | N/A | C:\Windows\System\kbcPGkY.exe | N/A |
| N/A | N/A | C:\Windows\System\tRELYaE.exe | N/A |
| N/A | N/A | C:\Windows\System\kGezFIu.exe | N/A |
| N/A | N/A | C:\Windows\System\jIhvDkb.exe | N/A |
| N/A | N/A | C:\Windows\System\OeoFVeY.exe | N/A |
| N/A | N/A | C:\Windows\System\aOrsWXi.exe | N/A |
| N/A | N/A | C:\Windows\System\EIknOAy.exe | N/A |
| N/A | N/A | C:\Windows\System\XcNqfKT.exe | N/A |
| N/A | N/A | C:\Windows\System\ZjkuUJk.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\HFGFSzA.exe
C:\Windows\System\HFGFSzA.exe
C:\Windows\System\WXfYTEs.exe
C:\Windows\System\WXfYTEs.exe
C:\Windows\System\cyznkdJ.exe
C:\Windows\System\cyznkdJ.exe
C:\Windows\System\BXgOuEL.exe
C:\Windows\System\BXgOuEL.exe
C:\Windows\System\YOKyLTV.exe
C:\Windows\System\YOKyLTV.exe
C:\Windows\System\xBlOnsf.exe
C:\Windows\System\xBlOnsf.exe
C:\Windows\System\ftiUKAC.exe
C:\Windows\System\ftiUKAC.exe
C:\Windows\System\UQhaZJC.exe
C:\Windows\System\UQhaZJC.exe
C:\Windows\System\SmkKVeN.exe
C:\Windows\System\SmkKVeN.exe
C:\Windows\System\vgvOZGd.exe
C:\Windows\System\vgvOZGd.exe
C:\Windows\System\tCLhRNB.exe
C:\Windows\System\tCLhRNB.exe
C:\Windows\System\ZiJaWhn.exe
C:\Windows\System\ZiJaWhn.exe
C:\Windows\System\kbcPGkY.exe
C:\Windows\System\kbcPGkY.exe
C:\Windows\System\tRELYaE.exe
C:\Windows\System\tRELYaE.exe
C:\Windows\System\kGezFIu.exe
C:\Windows\System\kGezFIu.exe
C:\Windows\System\jIhvDkb.exe
C:\Windows\System\jIhvDkb.exe
C:\Windows\System\OeoFVeY.exe
C:\Windows\System\OeoFVeY.exe
C:\Windows\System\aOrsWXi.exe
C:\Windows\System\aOrsWXi.exe
C:\Windows\System\EIknOAy.exe
C:\Windows\System\EIknOAy.exe
C:\Windows\System\XcNqfKT.exe
C:\Windows\System\XcNqfKT.exe
C:\Windows\System\ZjkuUJk.exe
C:\Windows\System\ZjkuUJk.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3200-0-0x00007FF7E7470000-0x00007FF7E77C4000-memory.dmp
memory/3200-1-0x0000021DF0E60000-0x0000021DF0E70000-memory.dmp
C:\Windows\System\cyznkdJ.exe
| MD5 | a8f7f644546e253aabdb5b3efecb37ca |
| SHA1 | 2c655b8b892e05ae46befae95b123d04dc8c6347 |
| SHA256 | 305627b2b8c4c0432058e3c378b59c00084422ef0f74db798d47d14024d2d1a7 |
| SHA512 | 295fef48f2a21cc2eaae577383d9898a368c1cded8b149fc4da21c5605c697c68294be329d79d1594553899326b04bd58b3d36a18d84a3dd00e2de0010a08207 |
memory/3592-13-0x00007FF6A6330000-0x00007FF6A6684000-memory.dmp
memory/2400-20-0x00007FF73BA80000-0x00007FF73BDD4000-memory.dmp
C:\Windows\System\BXgOuEL.exe
| MD5 | 6983bc19e65f8ef7ffb04ea889f43ecb |
| SHA1 | 17bc108c85f9ed46185a54efbcba6f4a525aaad3 |
| SHA256 | 585e72280fb7a37eb1789d6663a9ca74f43901ca2f506ad7ee3b68d5f8041c51 |
| SHA512 | 6f5b0695633783ad17bcf8afabbe9eb2201eed24825af38c29d2cde3f1fccaee8cee9f7efb6104e94ba0018a120d21757906358cd8b292de5cc03744d2e136aa |
C:\Windows\System\YOKyLTV.exe
| MD5 | 41ad33e9900a5142e4ef2b3f7efed00e |
| SHA1 | e99b98d85324f252075d3889e09e1ec4e712cd7d |
| SHA256 | 37abccc41cde65d907c0b3c1fcb0816a2b595fca259b2bdea9da02c54f8fb79a |
| SHA512 | 56050f3fa9e621f64a47188aeabd7baf828623c644f95bfbd2a06990fba0c764ed993da22e387b5d896ff4eae23f551b5aa790def31a56c6b452b11bba314632 |
C:\Windows\System\xBlOnsf.exe
| MD5 | 1dc64ec77f5f57f434a9b2e77dd14027 |
| SHA1 | 4ab3e46a491189eaa9f020335405f0b6826730e3 |
| SHA256 | 4345688e2c2058bf0c7aa64c97ac29dc44ecd60569fa6556385f1d8406f0e9f2 |
| SHA512 | 4e8efc5e5cb56220891cd303ff0d1ecbe6028ef8a63dc701b763e6f92b4d6c335860d728606ca56f7324f89677b32f1defddb27bb3ec473b9ed2645a7897dee6 |
C:\Windows\System\ftiUKAC.exe
| MD5 | 65b7bbac9d56542ee157a2c35862c1d3 |
| SHA1 | f74de6644a3adccb085da822482a1398172470ae |
| SHA256 | f4d7a1ede690a757a6460563e385fb2e618ee6bdd4094009a8293124bdbafffc |
| SHA512 | ddcaf4098ab3ab33032f3440201962032ebfdc6c972f753c20b64d0de7b02865743ca529b8b9554cc61d56242d65c8bd5be1e5611b6914a8fb3da5657f19516e |
C:\Windows\System\UQhaZJC.exe
| MD5 | b9a88964daebc7be5cc5c5c16faccb8d |
| SHA1 | 6a50f09a88652fdadc9fcb9c9c267404aa576126 |
| SHA256 | 21a18336474020511c721fa86439cf5bb5e0171a39c7bba8875331257eb72846 |
| SHA512 | 57bb8066ead2c57e4abf99ca8b4499a4b5bf4f213e89b31729e34e2f19ff0b2225c17e77be35e94dd6058f1b1ea8a608e3c0a44f79ccb644d532b9f5edae3d28 |
C:\Windows\System\SmkKVeN.exe
| MD5 | 644228c2fe59155b6fe9b1c9d0ab2a5b |
| SHA1 | f2d86f320647a66d7cc5c7aabfb09964fbd22b20 |
| SHA256 | 96d0cd35e7da155f803826dbebfc5a2090b0eb3f42037d9aba11a4c962d3566a |
| SHA512 | 95b0ce0f94f0794c8bbed8c4f6defc914623d44bc0380c1f446d6ab3897107584f4ca934c03aeea031f9638832609a802a2a07b0dcbfa057cc6dfa501616ed19 |
C:\Windows\System\vgvOZGd.exe
| MD5 | c4db6800d1ea3d2cefacbbe712768d79 |
| SHA1 | ae2d8509c3cb04878ea953989ee31e14bc40b4cc |
| SHA256 | 80eee4b6b51c97380ffa4e20c71f18b6743239f5c4524b2408dbf29230277e29 |
| SHA512 | 58b72eb1588523ffd1d80cc9e3af77bee64c3bbc32102b9bf13c6e45e5a70e403c6d12bdea54dcd2d78a3efe46a94df97e55cb40f47ef98abf3bd9c2412d42a1 |
C:\Windows\System\tCLhRNB.exe
| MD5 | 79f2a0e63abbf0823606566bddc7b949 |
| SHA1 | 9d64b45bfbd6924532c53182275aad04fd8cfcdc |
| SHA256 | bde9baddee334771c21b8264b1cda58a1903475f86b34933dd966a9799b2cd71 |
| SHA512 | 2930d11132c55e71f019d2731e3260dabf4b7b61296a0ceff65a4091b8ee26f000e4e1916a66152bd77578be068a878602ffe906c8640c18cf8243e7f8c2bdbb |
C:\Windows\System\ZiJaWhn.exe
| MD5 | effdd93eabf21916f8676efd5d26370f |
| SHA1 | 30d73328cb98dd5df5bc5a9632c989fc58d80872 |
| SHA256 | 789f1be15a66a26caf62f38aad99e15d2206f54ea1383117a6ea8e6e578d5987 |
| SHA512 | a0545470d3a0fc681c5d29a9209864049dcca1afeb718c3f6de7887c2f4808497bd6acd8c7f018b792a36f8e92878282a189810f750eaf49fe7b59cbbf80e6bd |
memory/3172-74-0x00007FF6F5850000-0x00007FF6F5BA4000-memory.dmp
C:\Windows\System\kbcPGkY.exe
| MD5 | d7cb07e4e0b293127c0d37b769b7d076 |
| SHA1 | bea5a5740ec3bfd3338e87f4b164e0a0c1ba6ec3 |
| SHA256 | e46ef55818d4195872da43111207cacb3feef833c67895e1566e157552e3f40f |
| SHA512 | b42dfd911ffa9b9d6d006415e9733dfec8c8c1417560115acd6333540067f09234d0429bc866c6e62f6e143fcb945c690995bd206accbab6e373a3d04b8c2232 |
C:\Windows\System\tRELYaE.exe
| MD5 | 0c86c72ad6b214a03c279adb0807be82 |
| SHA1 | d795d52755c9599fcd66dc8466aa511ffbb417dc |
| SHA256 | 973fa6c54a549940fd0c9d00c53e17fbb0cba9ad55f7ec1cfa1fe267ccbe411a |
| SHA512 | 1522d88a1b4432fe2c9806774f7d331a6b54fd4979532bd62d4f7bdb61f86137053368493ba4167a30fb86522b60b75fa6bd0cd3d2b934b2f6ffa8dcfb6b1c85 |
C:\Windows\System\kGezFIu.exe
| MD5 | b833d2cfd2925abebea21db84ce5a117 |
| SHA1 | 8c7f61240af8719d0b74a2c89e4cbba51e60ee6d |
| SHA256 | 342ba317b755bef9f6d4b99a60d5a2acfabad6298fcc55ffdf55e75c92350813 |
| SHA512 | dde1f127c04bc7f9c99e984f355f8a89c504fa5ea46b955e6057679013382e33f96ddc3061a73bd783560cba9459775ec2bc7c0681c212de905dfc1a3530c601 |
C:\Windows\System\jIhvDkb.exe
| MD5 | cf223ce4776c5648f980fa22b44d2fcc |
| SHA1 | 2bb444728b3796af1bca90076afbf88c541a7cf7 |
| SHA256 | c5ad644700d6083959df4f168c95d96d7d20b3ca8dd5951fb13b5d0d8201a663 |
| SHA512 | 4cf909ad0773a802283a95deaabf82c1a234b5aa584e790677829052fd20c527334251f6f3a971d73dea7de6c828a5aebf3438fb4f0b63e9da3e250e02405d2b |
memory/3076-109-0x00007FF67E4D0000-0x00007FF67E824000-memory.dmp
C:\Windows\System\EIknOAy.exe
| MD5 | 0072ab2140362b064f1e718809f531f1 |
| SHA1 | 01f897d03238c6aa05150b3c33e4a370c09b3642 |
| SHA256 | f9ad9dc49af81f5d2607363c1375e362dc0c859870f3caaaeb3c1f413c750309 |
| SHA512 | e9b55e2499d9353991f3dd7d900e4f834b41c465bee70adac85bc8722390ad69f5c7e029ae07b0584f1e329047dc4a6c62f6ab7062467c9400fe92816914cf04 |
C:\Windows\System\aOrsWXi.exe
| MD5 | 4bd96f314d25c6a69144a065a890bc76 |
| SHA1 | b63befbdb4b8699a32ab4f14984dd24e501fd181 |
| SHA256 | c12702295ded6b2b901282025459f170710628e56aeb171c7c70311a8e671114 |
| SHA512 | 83b8c0d92648d37ee7efcf52e8c2f2f15bdf881b132ba501a4e17082d257c4a836988089edcd8b9318c81a84326e7973be02936ac39d74e71ae4b5bb81bb67cc |
C:\Windows\System\OeoFVeY.exe
| MD5 | 982a8cb9d5c6a2751a6ae0895e2fe0a9 |
| SHA1 | ea14f70a28e31c293720ddc30e7121650548934b |
| SHA256 | c4fe21295b9fb9b70731a0f072448cb59632ef1e8d16e82e97b8a0008554bfa9 |
| SHA512 | 6519fdcfd400cac25cb3a094930265e549ebbf61bbd8e31557ca7169308f05c60801dcf526e49994ca50309f523f2c8e63727a831f2c8461c543811ea2095e7b |
C:\Windows\System\ZjkuUJk.exe
| MD5 | eaf546b028ce3052f67f0d802d74ace9 |
| SHA1 | d87d39a5dabf68f9f4c6b96ddf66271a6d6597ae |
| SHA256 | 112fb47ed7f63a10506a455f585f0527d1cbd383c71fc25dcd79d659636552c1 |
| SHA512 | ca667baaf01efe12a099f9dc8e320859d55ff3d6a7cc66f56c35901aeefbbf80c09643bd17d13ee7e2d1a00fa94867bfe97c4440761a7894421154fd743e77f4 |
C:\Windows\System\XcNqfKT.exe
| MD5 | 69af52f0b691edc4b31b477aef0f02e9 |
| SHA1 | 0fdad5822ac11c378f16ab7a6b4627b8416ce63e |
| SHA256 | 4bd17f65c9929607027e71ffef98383e15ebd3c1c8100eab0288058e1073aca3 |
| SHA512 | f940bf296a4ace330272d91395c3536799710d104c19a9bb0cbf9d99d1dc289107076ad4bc40c79d9fafcc332d199df49ebaeaa6849fd7b955614a0a78ebec61 |
C:\Windows\System\WXfYTEs.exe
| MD5 | 75e690d009d830364944978f245c2c52 |
| SHA1 | 0664a2ea6add0c030aaf8ad7c9bfbc2e676ed359 |
| SHA256 | 0b9ec064973da55cb7e598324f2467502e030c4ce3de53e7903fc66cadfbe8b7 |
| SHA512 | f0a3694fd4efc0e7cee10c430479a1e30e397e84c237861b5ec383c2bf89aa459609007abae42c8b6a642f574861755bfa2e6ddb3e0b95f10d2d60cc960d55f3 |
C:\Windows\System\WXfYTEs.exe
| MD5 | 711965c0ed770375b388ea9b5ea57c70 |
| SHA1 | 21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2 |
| SHA256 | c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666 |
| SHA512 | 1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428 |
memory/2932-8-0x00007FF644060000-0x00007FF6443B4000-memory.dmp
C:\Windows\System\HFGFSzA.exe
| MD5 | ba6393375a710d32fc0db99a153a873d |
| SHA1 | 0fadd7a63307cd70e80c66ba9349daa6bbb2491a |
| SHA256 | 9ee39e87c011ea5196eceba878c211492d64a3e05bfbe8ae77fb8a78bb285f0e |
| SHA512 | 4188e7981001a1bdd0f12e40e8821bddaf23474ffe1e21986314b28db730e2dbf60b83ca5f20c92c0cf47caa60d4934253775a99e81897bd54e6436c80832ce1 |