Analysis Overview
SHA256
ab853546f24ea8c63b089757006dd9c181266bcf69b2cc62fa29939b527a2f67
Threat Level: Known bad
The file 2024-06-11_41beadbe5c7ed36e683e690c64011be5_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Xmrig family
xmrig
UPX dump on OEP (original entry point)
Cobaltstrike family
XMRig Miner payload
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 22:43
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 22:42
Reported
2024-06-11 22:45
Platform
win7-20240221-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\cBEHEGt.exe | N/A |
| N/A | N/A | C:\Windows\System\jrDcDra.exe | N/A |
| N/A | N/A | C:\Windows\System\GsGnuTJ.exe | N/A |
| N/A | N/A | C:\Windows\System\doLTHRs.exe | N/A |
| N/A | N/A | C:\Windows\System\lToKUlO.exe | N/A |
| N/A | N/A | C:\Windows\System\umfofwZ.exe | N/A |
| N/A | N/A | C:\Windows\System\YLrRGJU.exe | N/A |
| N/A | N/A | C:\Windows\System\FgOWUyb.exe | N/A |
| N/A | N/A | C:\Windows\System\ZzoJWIN.exe | N/A |
| N/A | N/A | C:\Windows\System\rHBofTV.exe | N/A |
| N/A | N/A | C:\Windows\System\wFRKUDf.exe | N/A |
| N/A | N/A | C:\Windows\System\cUmNqNM.exe | N/A |
| N/A | N/A | C:\Windows\System\jbYsMCR.exe | N/A |
| N/A | N/A | C:\Windows\System\BvsMZeC.exe | N/A |
| N/A | N/A | C:\Windows\System\TXIdnFZ.exe | N/A |
| N/A | N/A | C:\Windows\System\UARmtHg.exe | N/A |
| N/A | N/A | C:\Windows\System\UmfPKKY.exe | N/A |
| N/A | N/A | C:\Windows\System\gPqmsKm.exe | N/A |
| N/A | N/A | C:\Windows\System\JdhpAMV.exe | N/A |
| N/A | N/A | C:\Windows\System\avxwWaP.exe | N/A |
| N/A | N/A | C:\Windows\System\xRFPOka.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_41beadbe5c7ed36e683e690c64011be5_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_41beadbe5c7ed36e683e690c64011be5_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-11_41beadbe5c7ed36e683e690c64011be5_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-11_41beadbe5c7ed36e683e690c64011be5_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\cBEHEGt.exe | C:\Windows\System\cBEHEGt.exe |
| C:\Windows\System\GsGnuTJ.exe | C:\Windows\System\GsGnuTJ.exe |
| C:\Windows\System\jrDcDra.exe | C:\Windows\System\jrDcDra.exe |
| C:\Windows\System\doLTHRs.exe | C:\Windows\System\doLTHRs.exe |
| C:\Windows\System\lToKUlO.exe | C:\Windows\System\lToKUlO.exe |
| C:\Windows\System\umfofwZ.exe | C:\Windows\System\umfofwZ.exe |
| C:\Windows\System\YLrRGJU.exe | C:\Windows\System\YLrRGJU.exe |
| C:\Windows\System\FgOWUyb.exe | C:\Windows\System\FgOWUyb.exe |
| C:\Windows\System\ZzoJWIN.exe | C:\Windows\System\ZzoJWIN.exe |
| C:\Windows\System\rHBofTV.exe | C:\Windows\System\rHBofTV.exe |
| C:\Windows\System\wFRKUDf.exe | C:\Windows\System\wFRKUDf.exe |
| C:\Windows\System\cUmNqNM.exe | C:\Windows\System\cUmNqNM.exe |
| C:\Windows\System\jbYsMCR.exe | C:\Windows\System\jbYsMCR.exe |
| C:\Windows\System\BvsMZeC.exe | C:\Windows\System\BvsMZeC.exe |
| C:\Windows\System\TXIdnFZ.exe | C:\Windows\System\TXIdnFZ.exe |
| C:\Windows\System\UARmtHg.exe | C:\Windows\System\UARmtHg.exe |
| C:\Windows\System\UmfPKKY.exe | C:\Windows\System\UmfPKKY.exe |
| C:\Windows\System\gPqmsKm.exe | C:\Windows\System\gPqmsKm.exe |
| C:\Windows\System\JdhpAMV.exe | C:\Windows\System\JdhpAMV.exe |
| C:\Windows\System\avxwWaP.exe | C:\Windows\System\avxwWaP.exe |
| C:\Windows\System\xRFPOka.exe | C:\Windows\System\xRFPOka.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 22:42
Reported
2024-06-11 22:45
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\fmgmWhl.exe | N/A |
| N/A | N/A | C:\Windows\System\abAnwuG.exe | N/A |
| N/A | N/A | C:\Windows\System\SjfHUCd.exe | N/A |
| N/A | N/A | C:\Windows\System\Dopectl.exe | N/A |
| N/A | N/A | C:\Windows\System\BulFpTJ.exe | N/A |
| N/A | N/A | C:\Windows\System\wvKctdm.exe | N/A |
| N/A | N/A | C:\Windows\System\hooCyzd.exe | N/A |
| N/A | N/A | C:\Windows\System\YnASSIE.exe | N/A |
| N/A | N/A | C:\Windows\System\bjohDiP.exe | N/A |
| N/A | N/A | C:\Windows\System\LiSxoYy.exe | N/A |
| N/A | N/A | C:\Windows\System\SRxbHya.exe | N/A |
| N/A | N/A | C:\Windows\System\cmhDenu.exe | N/A |
| N/A | N/A | C:\Windows\System\pjoEhHD.exe | N/A |
| N/A | N/A | C:\Windows\System\eIxrfJQ.exe | N/A |
| N/A | N/A | C:\Windows\System\JDlajLA.exe | N/A |
| N/A | N/A | C:\Windows\System\dgxqAqj.exe | N/A |
| N/A | N/A | C:\Windows\System\lvlGgfD.exe | N/A |
| N/A | N/A | C:\Windows\System\eTVuAjr.exe | N/A |
| N/A | N/A | C:\Windows\System\vDhCyen.exe | N/A |
| N/A | N/A | C:\Windows\System\pofaLWM.exe | N/A |
| N/A | N/A | C:\Windows\System\ILNmOnz.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_41beadbe5c7ed36e683e690c64011be5_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_41beadbe5c7ed36e683e690c64011be5_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-11_41beadbe5c7ed36e683e690c64011be5_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-11_41beadbe5c7ed36e683e690c64011be5_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\fmgmWhl.exe | C:\Windows\System\fmgmWhl.exe |
| C:\Windows\System\abAnwuG.exe | C:\Windows\System\abAnwuG.exe |
| C:\Windows\System\SjfHUCd.exe | C:\Windows\System\SjfHUCd.exe |
| C:\Windows\System\Dopectl.exe | C:\Windows\System\Dopectl.exe |
| C:\Windows\System\BulFpTJ.exe | C:\Windows\System\BulFpTJ.exe |
| C:\Windows\System\wvKctdm.exe | C:\Windows\System\wvKctdm.exe |
| C:\Windows\System\hooCyzd.exe | C:\Windows\System\hooCyzd.exe |
| C:\Windows\System\YnASSIE.exe | C:\Windows\System\YnASSIE.exe |
| C:\Windows\System\bjohDiP.exe | C:\Windows\System\bjohDiP.exe |
| C:\Windows\System\LiSxoYy.exe | C:\Windows\System\LiSxoYy.exe |
| C:\Windows\System\SRxbHya.exe | C:\Windows\System\SRxbHya.exe |
| C:\Windows\System\cmhDenu.exe | C:\Windows\System\cmhDenu.exe |
| C:\Windows\System\pjoEhHD.exe | C:\Windows\System\pjoEhHD.exe |
| C:\Windows\System\eIxrfJQ.exe | C:\Windows\System\eIxrfJQ.exe |
| C:\Windows\System\JDlajLA.exe | C:\Windows\System\JDlajLA.exe |
| C:\Windows\System\dgxqAqj.exe | C:\Windows\System\dgxqAqj.exe |
| C:\Windows\System\lvlGgfD.exe | C:\Windows\System\lvlGgfD.exe |
| C:\Windows\System\eTVuAjr.exe | C:\Windows\System\eTVuAjr.exe |
| C:\Windows\System\vDhCyen.exe | C:\Windows\System\vDhCyen.exe |
| C:\Windows\System\pofaLWM.exe | C:\Windows\System\pofaLWM.exe |
| C:\Windows\System\ILNmOnz.exe | C:\Windows\System\ILNmOnz.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| MD5 | 8bc354a3480220fb2be7724a33c4aa38 |
| SHA1 | 102ac4710dce439e11be070e6db148b4ab9426fb |
| SHA256 | 61c2b051ca92192721c5b9cd6a1d2cac08e15f32aff0d0897aa788bde42ac523 |
| SHA512 | 380ff582e2d84f624023a83ddadf58e8fdf0712ade2ded60650d978cc2217ff94de2710a4a7f6db1829e49d97ccceae837675fb4be616ffb2b814d456eef5d2c |
C:\Windows\System\wvKctdm.exe
| MD5 | 8b6b652d7f167c82d9906278b5a97810 |
| SHA1 | d970005e29567f5610ab2c127d21f22161dd8bbb |
| SHA256 | a04d1740e2710b7cbb4c694e95ef6441536975349460204afd286184c4935c82 |
| SHA512 | 1c428762d42eed145368a32af587f42f9043de269f106d99efc795911bd9824af03f9fcd1b8a6b989f92d312808f7f4d436ae1030ecf23d66c3585b59a1f3d01 |
memory/3628-32-0x00007FF7F5B00000-0x00007FF7F5E54000-memory.dmp
memory/1056-31-0x00007FF60BBB0000-0x00007FF60BF04000-memory.dmp
memory/4288-25-0x00007FF6EDCA0000-0x00007FF6EDFF4000-memory.dmp
C:\Windows\System\Dopectl.exe
| MD5 | 4b0c4e9874f353b3fb82783414d321d9 |
| SHA1 | 269ae4f586d48518ce80b53e1f0fb7f873cd3865 |
| SHA256 | a94ffe20583c8dd58454274f6e83a9e0295ab73bc2d35d077210e6783075baff |
| SHA512 | 3ec07b4807cdd392ac5ddd28d89debc1185a9d49553938c4a4940fff27a7a2376517fc6992af51934a82d5ca3121fe363288196b91b8d5358ea93a64abc4818a |
C:\Windows\System\bjohDiP.exe
| MD5 | a1de4f312396499e3309ea27237e981b |
| SHA1 | 63a28ba234aca56c653770a9f6c22c71fd13ce4b |
| SHA256 | 836df5d4be6f2c5dc0f0c89d33650776eaa87efc87b822fbee5488652548d77c |
| SHA512 | 21b3b1e21ac748f5167998e74295e86182522b54448174e4eaeb40da3f719f8329ebb861c5903c8698069ae4c9a4f2a22a8f92d762545b30987ab90fe76b63c4 |
C:\Windows\System\LiSxoYy.exe
| MD5 | d9014ef4f118790851ed92ce36e1b8ec |
| SHA1 | 27d2c881bcdfb5eeb23ce2c724ee08afbfbbf1f4 |
| SHA256 | 7f9c81915ec6e7b36e5a115f92093b6db3d1be0de324623ce2237c1281658c1c |
| SHA512 | 7145c9d977cf3a2982193d36f8cab4e27c08c3caa80aabb11cc566cb617cb7710a1a1bec1b979de71fa2a1b51fe1ab461583c26b5c3efbeb6faa2b08bb5f3b6d |
memory/1204-69-0x00007FF6E4260000-0x00007FF6E45B4000-memory.dmp
C:\Windows\System\pjoEhHD.exe
| MD5 | 8b3a775b58c9209703b58e4ad9296a4c |
| SHA1 | 1ab1d006f4732b4ef7262ebd3ee7c987a6bf3fb9 |
| SHA256 | 84fd73a075baca7c253f48b39beaf9bd5785608ac89c093c2a79269a9ea2246f |
| SHA512 | 45669573e7a64f7d6020885120d46ff5be22c3f23b4d07a41ade67c802327a39f1885db92905015b989b03ac99dd8af304c19fe2e9e0296e7f1cd7d5b68c8874 |
C:\Windows\System\cmhDenu.exe
| MD5 | 849f7eb95f5d36db2f2346bdf0e6a5e6 |
| SHA1 | 082e2f53e6f02c1fde42176525f25ab0e25ab5e0 |
| SHA256 | 669a83f7a71e5bc0c546f683d75a328769550c24a7e73593083ed0f7f2b2184d |
| SHA512 | 56ab1ac77acc9e0d61ca348b8b8b1a76108fd99dbd6beac564f81f1c7e36440ca563df1595cdfcb16c5bb47a6537450982b4eb4b5c8392cf843847ffa5aae7b8 |
memory/4552-67-0x00007FF6D0C10000-0x00007FF6D0F64000-memory.dmp
C:\Windows\System\SRxbHya.exe
| MD5 | 6aa34c7804608e7b89def697b8970c77 |
| SHA1 | 8ab8e64a003e0156a31fd393245cb5b621e0c545 |
| SHA256 | 4977720e5404170f753cf2a5e8a9070945c15a24ee492d54a9f8013747c3699e |
| SHA512 | 4a9be790ae50137c369a5610cff0ccaf603c227598532bdfdcb4736c49ab38ce4b3c0944a7a75e5e372f86eb092e4c6fb1461522d36d4e991f0a4e7c4a33518e |
C:\Windows\System\eIxrfJQ.exe
| MD5 | 2b5e246feef9d8d4f8a59f19eb8b5fb0 |
| SHA1 | b7abfbe15c74da8e9fef0b8ae8cce5e9993d3f31 |
| SHA256 | 0167d50eb48b9dc52a98605bf50e4b285cfcc5d19a15bea599ce804360447c61 |
| SHA512 | cf8005cd0f52477bfc3dd80959758882f656b0b5ee6015e1029fa2ee33b8493b74ec2bdc17a9462a3794561f1e485ed42b7ac8a934a708e52e9640e840eb7927 |
C:\Windows\System\dgxqAqj.exe
| MD5 | 605c35f8b730f6fa4f29e039faa3e4c3 |
| SHA1 | 753b2642365555de0f03876ddc7a2363b595a42d |
| SHA256 | 23cddd0b399dfe2dcd238186959624c8846bfafb2a8c4bf06903e0ce22410959 |
| SHA512 | 1973972c7f581d873de3e1687f10c7313d264df5a48101c00c76c1ce81a53293256ac80af8c49732aae5a710d05d712c9600f54391a0440febb33a1c9510639c |
C:\Windows\System\eTVuAjr.exe
| MD5 | 50a4f7721db630d70cc9e30014d92695 |
| SHA1 | 471b9635eca79bc2fbbbb9d1371e8884e4570e31 |
| SHA256 | 2ed3809df597194aaa6cc4ef55be067de7e2e1cc08245ae7e535ee4d5c455152 |
| SHA512 | a995edbbfef33ef2855186fa411d7e0684a6653b412e8de6a8eb6912d70569065c570b47b4f28767e4b081759376d90c8c673659cf89ae5588bb77b69b498416 |
C:\Windows\System\pofaLWM.exe
| MD5 | 9b4a503bc917a503275a92c32c03a818 |
| SHA1 | 4af7934573141b9cb76ecf82cc85e47306f6ee3a |
| SHA256 | 693c414988aaff0848f49f4428fb94f751dd3feb216d19862ec9f661ba5dc1a2 |
| SHA512 | 48eba7bb7367db2aa59e5952c019c23571b23d94cc285f03d6d7c2ec9cae834459a7e02413c9be661b0cc27f32a1640a9926d91267426a4cb63529fb1df5d6b9 |
memory/1356-115-0x00007FF6340A0000-0x00007FF6343F4000-memory.dmp
memory/728-119-0x00007FF71D320000-0x00007FF71D674000-memory.dmp
C:\Windows\System\ILNmOnz.exe
| MD5 | 357d88108f534be523e2fafa70783c86 |
| SHA1 | 22b4815f0d6c99fc263d1548e7ba8e841513f5b8 |
| SHA256 | fe065b0671b9a8182cb6243a88d810efd4d5b935704dff6bb8597c59d23aab9c |
| SHA512 | 4d0d73208fa8f7e8649dc4f34f204cc966c19ebd20e0590c8937b4e84945e304caf76ed19996ba78774d33699ff5212c074f012bce48e4accacda0d62ef1c634 |
memory/4600-121-0x00007FF63B1B0000-0x00007FF63B504000-memory.dmp
memory/3508-120-0x00007FF7A27D0000-0x00007FF7A2B24000-memory.dmp
memory/4540-118-0x00007FF68E950000-0x00007FF68ECA4000-memory.dmp
memory/1808-116-0x00007FF7C4490000-0x00007FF7C47E4000-memory.dmp
memory/1044-113-0x00007FF666520000-0x00007FF666874000-memory.dmp
memory/4320-112-0x00007FF7F7190000-0x00007FF7F74E4000-memory.dmp
C:\Windows\System\vDhCyen.exe
| MD5 | 107b7f7aa21a30ce694c0d52f677b5db |
| SHA1 | 4715f023208bc118af6d939b5dae259cf343f58f |
| SHA256 | c7116273bb7a3a8d4e6fe881cc2090386916e913f2fee0b62c25bf39a75bf57d |
| SHA512 | 27279ccce679170e0439a97742e8fb317180e3187d06d5fc466f3ac84120df9f6ff2a527c3a43a7847e8dae7789e33a14afb3300dfc9ddd420746e8d0b34979e |
C:\Windows\System\lvlGgfD.exe
| MD5 | 12aca48fdfd24937073597e1c4c00c2b |
| SHA1 | 05f41584ad63ea919a4f96da6ccd1184345b1922 |
| SHA256 | c84f04347145e27d10b4303a98d9e66116978f01884487c00a6bdc372b809e3d |
| SHA512 | faf31e9d4763164f86a77e7db0a99efbfd03780a54342e7ddd05f055ee93961763a7a79b44ab67b6f8510bad281c1189bf70baf898c983fba4d0cfbce270dc89 |
memory/920-107-0x00007FF735340000-0x00007FF735694000-memory.dmp
memory/3044-106-0x00007FF6BEE00000-0x00007FF6BF154000-memory.dmp
memory/4912-100-0x00007FF723B50000-0x00007FF723EA4000-memory.dmp
C:\Windows\System\JDlajLA.exe
| MD5 | 6a5587ab91d3d6534ed57b1f0de3003f |
| SHA1 | 7134c1d5725a67646fdb50aa9f1ac9b9c277b4cd |
| SHA256 | 68c7800619a60d4e951daed21d83f43870f60b81398c2f2ced8a2acc33961c70 |
| SHA512 | e1a13305165b702378eb0d601594182046ff9a90a7fe3509c32c660ebdd6111c1354f805e52972a8df5b135c20a8b2de493fdecfdee1973071b1fffb35deac8a |
memory/3096-88-0x00007FF6C32F0000-0x00007FF6C3644000-memory.dmp
memory/976-56-0x00007FF79A340000-0x00007FF79A694000-memory.dmp
memory/3628-130-0x00007FF7F5B00000-0x00007FF7F5E54000-memory.dmp
memory/4536-131-0x00007FF769C00000-0x00007FF769F54000-memory.dmp
memory/976-132-0x00007FF79A340000-0x00007FF79A694000-memory.dmp
memory/4552-133-0x00007FF6D0C10000-0x00007FF6D0F64000-memory.dmp
memory/1204-134-0x00007FF6E4260000-0x00007FF6E45B4000-memory.dmp
memory/3096-135-0x00007FF6C32F0000-0x00007FF6C3644000-memory.dmp
memory/920-136-0x00007FF735340000-0x00007FF735694000-memory.dmp
memory/1808-137-0x00007FF7C4490000-0x00007FF7C47E4000-memory.dmp
memory/4540-138-0x00007FF68E950000-0x00007FF68ECA4000-memory.dmp
memory/728-139-0x00007FF71D320000-0x00007FF71D674000-memory.dmp
memory/4600-140-0x00007FF63B1B0000-0x00007FF63B504000-memory.dmp
memory/3508-141-0x00007FF7A27D0000-0x00007FF7A2B24000-memory.dmp
memory/3088-142-0x00007FF7BD910000-0x00007FF7BDC64000-memory.dmp
memory/4288-143-0x00007FF6EDCA0000-0x00007FF6EDFF4000-memory.dmp
memory/1056-144-0x00007FF60BBB0000-0x00007FF60BF04000-memory.dmp
memory/4668-145-0x00007FF74C780000-0x00007FF74CAD4000-memory.dmp
memory/1240-146-0x00007FF7FD150000-0x00007FF7FD4A4000-memory.dmp
memory/3628-147-0x00007FF7F5B00000-0x00007FF7F5E54000-memory.dmp
memory/4536-148-0x00007FF769C00000-0x00007FF769F54000-memory.dmp
memory/976-149-0x00007FF79A340000-0x00007FF79A694000-memory.dmp
memory/1204-151-0x00007FF6E4260000-0x00007FF6E45B4000-memory.dmp
memory/3096-150-0x00007FF6C32F0000-0x00007FF6C3644000-memory.dmp
memory/1044-153-0x00007FF666520000-0x00007FF666874000-memory.dmp
memory/4552-152-0x00007FF6D0C10000-0x00007FF6D0F64000-memory.dmp
memory/4912-154-0x00007FF723B50000-0x00007FF723EA4000-memory.dmp
memory/3044-155-0x00007FF6BEE00000-0x00007FF6BF154000-memory.dmp
memory/1356-156-0x00007FF6340A0000-0x00007FF6343F4000-memory.dmp
memory/4600-157-0x00007FF63B1B0000-0x00007FF63B504000-memory.dmp
memory/1808-160-0x00007FF7C4490000-0x00007FF7C47E4000-memory.dmp
memory/920-159-0x00007FF735340000-0x00007FF735694000-memory.dmp
memory/4540-158-0x00007FF68E950000-0x00007FF68ECA4000-memory.dmp
memory/728-161-0x00007FF71D320000-0x00007FF71D674000-memory.dmp