Analysis Overview
SHA256
08ba7247d4902ce16b25fbcb774b566ae7af2bfce7129efa4a3a57a460430fc0
Threat Level: Known bad
The file 2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike was classified as Known bad. Both detonations (Windows 7 and Windows 10) show the same chain: the UPX-packed, unsigned sample adjusts its own token to enable SeLockMemoryPrivilege (the privilege XMRig requests so it can back RandomX with large pages), drops 21 executables with random-looking seven-letter names into C:\Windows\System, executes each of them, and makes repeated TCP connections to 3.120.209.58:8080 (DE). The Cobalt Strike, XMRig and reflective-DLL signatures below are pattern matches whose indicator details were not exported on this page; the behaviour that is directly observable here is the dropper chain, the privilege change and that one network destination.
Malicious Activity Summary
Families: Cobaltstrike, Xmrig
Cobalt Strike reflective loader
XMRig Miner payload
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
UPX packed file
Unsigned PE
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-11 08:05
Signatures
Cobalt Strike reflective loader: matched, no indicator details exported
Cobaltstrike family
Detects Reflective DLL injection artifacts: matched, no indicator details exported
UPX dump on OEP (original entry point): matched, no indicator details exported
XMRig Miner payload: matched, no indicator details exported
Xmrig family
UPX packed file: matched, no indicator details exported
Unsigned PE: matched, no indicator details exported
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 08:05
Reported
2024-06-11 08:07
Platform
win7-20240221-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader: 21 hits, no indicator details exported
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts: 21 hits, no indicator details exported
UPX dump on OEP (original entry point): 55 hits, no indicator details exported
XMRig Miner payload: 57 hits, no indicator details exported
Executes dropped EXE
C:\Windows\System\cvRnjAV.exe
C:\Windows\System\kLMNJqX.exe
C:\Windows\System\XvoKymr.exe
C:\Windows\System\CNWzrob.exe
C:\Windows\System\jvyitwm.exe
C:\Windows\System\wHPATcA.exe
C:\Windows\System\VWYMcdX.exe
C:\Windows\System\XBlnUHy.exe
C:\Windows\System\JfwNyJM.exe
C:\Windows\System\ifgbWcd.exe
C:\Windows\System\RtqHxll.exe
C:\Windows\System\sKyfPSp.exe
C:\Windows\System\RIOFTqv.exe
C:\Windows\System\ODDwZpb.exe
C:\Windows\System\JaFTsvt.exe
C:\Windows\System\qMemRFO.exe
C:\Windows\System\SKTtlAV.exe
C:\Windows\System\LzWpdIv.exe
C:\Windows\System\ucOhBqU.exe
C:\Windows\System\XVwFTwF.exe
C:\Windows\System\PxupwtV.exe
Loads dropped DLL
UPX packed file: 55 hits, no indicator details exported
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\cvRnjAV.exe
C:\Windows\System\cvRnjAV.exe
C:\Windows\System\kLMNJqX.exe
C:\Windows\System\kLMNJqX.exe
C:\Windows\System\XvoKymr.exe
C:\Windows\System\XvoKymr.exe
C:\Windows\System\CNWzrob.exe
C:\Windows\System\CNWzrob.exe
C:\Windows\System\jvyitwm.exe
C:\Windows\System\jvyitwm.exe
C:\Windows\System\wHPATcA.exe
C:\Windows\System\wHPATcA.exe
C:\Windows\System\VWYMcdX.exe
C:\Windows\System\VWYMcdX.exe
C:\Windows\System\XBlnUHy.exe
C:\Windows\System\XBlnUHy.exe
C:\Windows\System\JfwNyJM.exe
C:\Windows\System\JfwNyJM.exe
C:\Windows\System\ifgbWcd.exe
C:\Windows\System\ifgbWcd.exe
C:\Windows\System\RtqHxll.exe
C:\Windows\System\RtqHxll.exe
C:\Windows\System\sKyfPSp.exe
C:\Windows\System\sKyfPSp.exe
C:\Windows\System\RIOFTqv.exe
C:\Windows\System\RIOFTqv.exe
C:\Windows\System\ODDwZpb.exe
C:\Windows\System\ODDwZpb.exe
C:\Windows\System\JaFTsvt.exe
C:\Windows\System\JaFTsvt.exe
C:\Windows\System\SKTtlAV.exe
C:\Windows\System\SKTtlAV.exe
C:\Windows\System\qMemRFO.exe
C:\Windows\System\qMemRFO.exe
C:\Windows\System\ucOhBqU.exe
C:\Windows\System\ucOhBqU.exe
C:\Windows\System\LzWpdIv.exe
C:\Windows\System\LzWpdIv.exe
C:\Windows\System\XVwFTwF.exe
C:\Windows\System\XVwFTwF.exe
C:\Windows\System\PxupwtV.exe
C:\Windows\System\PxupwtV.exe
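Detection logic for the chain shown in the process tree above, as an added example that is not sandbox output and not the sample's code. The events are constructed to mirror the behavioral1 tree; the field names (Image, ParentImage, Process, Privilege), the seven-letter name pattern and the threshold of three children are assumptions modelled on Sysmon event 1 and Windows Security event 4703, so map them to your own telemetry schema before use.

```python
"""Flag a Temp-resident parent that launches a burst of random-named PEs from
C:\\Windows\\System and enables the privilege XMRig asks for.

Added example; event shapes are assumptions, not the sandbox's format.
"""
import re
from collections import defaultdict

# Windows keeps its own executables in System32 / SysWOW64; C:\Windows\System
# is a legacy directory, so a burst of new PEs there with random 7-letter
# names (cvRnjAV.exe, kLMNJqX.exe, ...) is the pattern to key on.
SUSPECT_IMAGE = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
TEMP_PARENT = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# XMRig enables SeLockMemoryPrivilege to allocate large pages for RandomX.
MINER_PRIVILEGES = {"SeLockMemoryPrivilege"}
MIN_CHILDREN = 3  # assumed threshold: one odd child is weak evidence, a burst is not


def find_dropper_chains(proc_events, min_children=MIN_CHILDREN):
    """Map each Temp-resident parent to the random-named C:\\Windows\\System
    executables it launched, keeping only parents at or above the threshold."""
    children = defaultdict(list)
    for ev in proc_events:
        if SUSPECT_IMAGE.match(ev["Image"]) and TEMP_PARENT.match(ev["ParentImage"]):
            children[ev["ParentImage"]].append(ev["Image"])
    return {p: c for p, c in children.items() if len(set(c)) >= min_children}


def find_miner_privilege_use(priv_events):
    """Processes that enabled a privilege the miner is known to request."""
    return sorted({ev["Process"] for ev in priv_events if ev["Privilege"] in MINER_PRIVILEGES})


def triage(proc_events, priv_events):
    """Combine both signals; a process showing both is the strongest hit."""
    chains = find_dropper_chains(proc_events)
    privs = set(find_miner_privilege_use(priv_events))
    return {
        "dropper_parents": sorted(chains),
        "privilege_users": sorted(privs),
        "high_confidence": sorted(set(chains) & privs),
    }


# Constructed telemetry mirroring the behavioral1 process tree, plus benign noise.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe"
PROC_EVENTS = [
    {"Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System\cvRnjAV.exe", "ParentImage": SAMPLE},
    {"Image": r"C:\Windows\System\kLMNJqX.exe", "ParentImage": SAMPLE},
    {"Image": r"C:\Windows\System\XvoKymr.exe", "ParentImage": SAMPLE},
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\System\setup.exe", "ParentImage": SAMPLE},  # wrong name shape, ignored
]
PRIV_EVENTS = [
    {"Process": SAMPLE, "Privilege": "SeLockMemoryPrivilege"},
    {"Process": r"C:\Windows\System32\lsass.exe", "Privilege": "SeDebugPrivilege"},
]

if __name__ == "__main__":
    print(triage(PROC_EVENTS, PRIV_EVENTS))
```

The two signals are kept separate on purpose: the privilege check alone also fires on legitimate software that uses large pages (database engines, for instance), and the path check alone fires on any installer that writes a few files; a parent that trips both is what this report shows.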
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1096-0-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/1096-1-0x0000000000080000-0x0000000000090000-memory.dmp
C:\Windows\system\cvRnjAV.exe
| MD5 | 83232cccf15d5124d6a48ee250fad2bf |
| SHA1 | 02630e47fbd75573b3fc9acd99106b187821b054 |
| SHA256 | f953287ce09fa90eb065313c708b9fa24587bafa67819cc7fdb5d5f5f9931dd5 |
| SHA512 | 2828bd24298a3f70854a4f4b1be6793b2b7250f95726e4e32d979f2b60b80bf9e079813c86a576c2664bf1dcc29c2240701b68091d0a14b97e466799314d8749 |
memory/1068-9-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/1096-8-0x00000000023A0000-0x00000000026F4000-memory.dmp
\Windows\system\kLMNJqX.exe
| MD5 | 686f673fb71b5bc07bdd185ca85966cc |
| SHA1 | f26d7f026d4840eab25435809cbbee2c8d9b89f5 |
| SHA256 | fb2095865f210a721e8baf4cc4027478042281cfbe8e1bc16912c330bb1a5980 |
| SHA512 | 2ea2af6989a131ba1e412bbd673364538c2728a907819894c25977c42c7b283bf84d35d5a6ef5460968deabd184ef6efe73ed6ede6cd467e05bb32dc0fa5a23d |
memory/3048-23-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/1096-28-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/2836-36-0x000000013FF90000-0x00000001402E4000-memory.dmp
C:\Windows\system\wHPATcA.exe
| MD5 | 7e082520a846f9b807a62b68bd7cec6d |
| SHA1 | 0242669ce7cceea59ce1e5c554e761d06b214c95 |
| SHA256 | 18fca08770d4febbe563a8abd2f4660210b0ad90c38a0af833679e97caf14263 |
| SHA512 | 2bc06555c2729ee80a8e91bdd94423880f448054c21a01946aabffde791da5efa1297cf50f19fd81065bc22ca3673dd121a3e5bebdc252889abd6781f1b33e78 |
memory/1096-40-0x000000013F260000-0x000000013F5B4000-memory.dmp
C:\Windows\system\VWYMcdX.exe
| MD5 | 42c0886b147454d537fd5970397d403b |
| SHA1 | 100fb1010bcc0f615e12cbd128f4d1ca9994d655 |
| SHA256 | 135642eaaad3842259a15ce959db3665578203b60d8395bacaebb3d6d29527d8 |
| SHA512 | 6e94faf7def12ef6dea54fc7b3f701d52ec909a7f6d69614eb892bb57161b98008bbef66789085b37ef0cada4bdbf4c4e5e161e6d964662cf2f1cebdf7dc0c88 |
memory/2488-65-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2920-79-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/2708-94-0x000000013F850000-0x000000013FBA4000-memory.dmp
C:\Windows\system\LzWpdIv.exe
| MD5 | 5acae8af6a3452edb94065b8ac11e3e0 |
| SHA1 | f8c54344ea76ab21a4f7842cbb34b2eba45ea5c4 |
| SHA256 | 35930e1be6d4f84818d9471e0d23c5f3f918a272de2807544c0a256b9fb1ae57 |
| SHA512 | 6cfec00b0fdc332868414eb0b0e4efb94606426dd83b70d8a05f47914c366f4897d6f078835710ab1212f7a135cfbca3c01bf9acfe4426882e31bb03f6baaa5d |
C:\Windows\system\XVwFTwF.exe
| MD5 | 028ee117a567cb051e3c7b790f68db13 |
| SHA1 | f35fbbfcf8a78c28d150af237be371a45b8fd3e7 |
| SHA256 | ce4079e62fa572f8e5902511722da8d14348996dd766955064f4d3228e9ae647 |
| SHA512 | bfa36d8b0b1495fd88e87a2e1dfb74d6efd6a9f1ed97d1c0b9ef58b477b2b72960d36eb47edf2c2c6779d2837fb9c3dac25ea19d8ef8da59d4d11fcef54056b9 |
C:\Windows\system\ucOhBqU.exe
| MD5 | 77e343eab688e0104b5bc974c7c6fdf3 |
| SHA1 | b33f2e38c6a9bfcd7c8ee0c1d89a68385368c57b |
| SHA256 | 758b8a703004d84ec1be044344a555961e5d40f84cb51d58d97fd8d4f1aaef0d |
| SHA512 | cabcca5f38056552b3219854c4c0e66c65fdcc8de3a2a5ce093f578847a228f91eff5f72ee6c6e31890689df9defa4ee1738a1e822052a1d2545d35587ecb298 |
C:\Windows\system\PxupwtV.exe
| MD5 | 68f1ecf87f69d359f653155bd7bab7e9 |
| SHA1 | c231805153da8172310d816e6acef81845c25cc6 |
| SHA256 | 40445a3c725189adb2196f4927aa157fb92828110923f4e24533c6596c437893 |
| SHA512 | 12c9ecc3b2b162bca515ddb3acdbc521cad7b8ba5e853dbcdc491007aed5d4418d35e5be0d3fbf2bd472564a4538c2c8df87ced0426270931a3a1b82961959aa |
C:\Windows\system\SKTtlAV.exe
| MD5 | dea0e01b021b5667b6549bec32bd2cb8 |
| SHA1 | 9d4c3e1b50abbaf9e5aeaa80a92630db2c6d8c2f |
| SHA256 | 004d5bb145be0d1dd90f38413e4ffc22cb6678248087204c79432e386207a9cc |
| SHA512 | 6583b68193cb0193081ddd886834835d8bed160e86584a5891af12d6dc088f9aa0a9260b21af60a331924509e69237766b5979541ac899773f5af54f06fde325 |
memory/1988-102-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2836-101-0x000000013FF90000-0x00000001402E4000-memory.dmp
C:\Windows\system\ODDwZpb.exe
| MD5 | 1f1f86c6c6fda4811e4794c4b65ae966 |
| SHA1 | 718e5b05b32bf51f4403c60ba68b793e83242f05 |
| SHA256 | 9b982c3ce6111b189fd53b9a74739d582c7f35747a7bed1221f53cb228e964d3 |
| SHA512 | 6eb5654537049288e6c7e11212ec1d0a96ee91d509fc4a599e22fbc4b6b52cd22f26d243716203b9ae8dd0b653a853c444287bf227cc279492500468c64a8348 |
memory/1096-98-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/1096-116-0x000000013FAF0000-0x000000013FE44000-memory.dmp
C:\Windows\system\qMemRFO.exe
| MD5 | 28b27082e9f8458715d8ab6291627c60 |
| SHA1 | c30c7a348208ffa4d3b2c87c9f228eeece2007f8 |
| SHA256 | 584c3c43350c6163d6a6e4659c79301119eb38a1924ac266e646aa38a35d001c |
| SHA512 | 26e1403979f52de14670687a8668c1eae74ccba606ec378dc02845f3f344be850efc8305a4dff7e25d6a7f9eeaa0cb9126a0936ea3f0c4d9c6c394841bfba705 |
memory/2660-114-0x000000013F260000-0x000000013F5B4000-memory.dmp
C:\Windows\system\JaFTsvt.exe
| MD5 | 3c4ab555ef6df3cea6a11abd813684ef |
| SHA1 | 882093919bfaacbce60a90d7dc2a61c869c356be |
| SHA256 | d3ff2dfa2219dd0dd01d7ff0e90613ad0faf359d5c5e4e08610da346582231eb |
| SHA512 | 18bad97580cbef990045ca0c45f5e83c78ce9dac5c24335147801552cb6a2810872cd9a1539b3e44be0412352a5d229747b4a6f3d6a87f9fc539f0e378fef045 |
memory/1096-93-0x00000000023A0000-0x00000000026F4000-memory.dmp
C:\Windows\system\RIOFTqv.exe
| MD5 | d577a8f98e545918e5bf490516c38571 |
| SHA1 | 2a5b35e389785cb60f5c472ee5863da0ab53b77c |
| SHA256 | eabb99e7ca52599910a1a256acd8018956cff6c1dfe99a0b31b66f56dba6d18e |
| SHA512 | 7ac385806c25a0af04315c2f5a9a0c2c0811b58422a46237a6d90daffd0ca1ad75b5746ef256a9f9b10b01e1ac4b98d8d6ffa9e2fe12a85ce09a7033339c5378 |
memory/500-87-0x000000013F640000-0x000000013F994000-memory.dmp
memory/1096-86-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2632-85-0x000000013FB90000-0x000000013FEE4000-memory.dmp
C:\Windows\system\sKyfPSp.exe
| MD5 | 17f40aec255fad2a1b22a2827d86538a |
| SHA1 | a30d30aa9e3b26093585ad55b5a3e7ad7773c25c |
| SHA256 | 9c79eae1fb5384dae0afa9b94e688192559d4e55be6d2c25801acc671f2d58b5 |
| SHA512 | e46467a4cd5fb92a153e32186a01d7e73cc14be5404f0a260c8936eaa845991d74e909b1a6187b85cfd400dea3c25e7adc9b4b6e9cfa326b5579a6bb2921950c |
memory/1096-78-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/2816-77-0x000000013F1B0000-0x000000013F504000-memory.dmp
C:\Windows\system\RtqHxll.exe
| MD5 | bac106e44630a8ae0cb89a928d62399e |
| SHA1 | c146dfec45d4f4220713ce3ac515a8330943d5a8 |
| SHA256 | a01ebcbd66d844a2dd3d01802595c15880b894ecd26a172148cadcf23e72f501 |
| SHA512 | f4b70b55fd6edd862be4cd2e6a5d8cde86643f4fa03f52605aec07b3cff47c0848b49297e60d4bdb4672b75731073e40f7e6e302a1e1aba871c45d82337c58a7 |
memory/2464-71-0x000000013FFE0000-0x0000000140334000-memory.dmp
C:\Windows\system\ifgbWcd.exe
| MD5 | 7b3742cca3522b73735a0b0bad3f61b7 |
| SHA1 | 0315fd554a30e3338a60125d44dbbbb5adfa17c4 |
| SHA256 | 48a70a9870fab4add583c600ebcd5da913a76e94299465a716222ee4d5a9f856 |
| SHA512 | a56dbef520686596b1894688f1bd2d4019d84e07c5e6cca4aa3e99c3be18d590419e2b0c3c981dbcd0f5314eab6abd44a4bbfa7108399cd38cce9ad48c7144e0 |
memory/1096-64-0x000000013F770000-0x000000013FAC4000-memory.dmp
C:\Windows\system\JfwNyJM.exe
| MD5 | c4fe9f52a687102476b2a963fd192025 |
| SHA1 | 06b0a1e2cbc9160d2a1aa27d204fe938242312b0 |
| SHA256 | f72ad486a7df474751ee2aa00abd2de826829e11437daff0f4aeff7334cb3c20 |
| SHA512 | ea493b370c923b46fcf6b65394cab329008786775e559c3e1846b961d495694a5e7984fc4b226d5b16ea6f8aca0a82a42e2974583f67f3caa1db9ad51064257a |
memory/2960-58-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/1096-57-0x000000013FFA0000-0x00000001402F4000-memory.dmp
C:\Windows\system\XBlnUHy.exe
| MD5 | b75fb5f828c9531fe007510e748b7742 |
| SHA1 | 18dbe18adbfd55afb49a7b5eef906d19789b6a57 |
| SHA256 | d2278c20259d5676fc858dbf55666051ede2f624e2fd4cf100ca64619459ff92 |
| SHA512 | a1a9de78058669d8014017bc874f2802568eaa474b7b9041d31fca15acb24ae47e55805f0b909b20294e4e805865b93d952787b2338fb5cec1a952f30cb73be5 |
memory/2748-51-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/1096-50-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2660-41-0x000000013F260000-0x000000013F5B4000-memory.dmp
C:\Windows\system\CNWzrob.exe
| MD5 | 03d6cb8ea680fc8786f3fdc3b56c67b5 |
| SHA1 | 4f9ff30fc3c9b928caafbfce07fb608f0e90466e |
| SHA256 | 9028cdad6a9e120064a720cb324d72767e820907d13b8f9bc9fff6198433a82a |
| SHA512 | dd056d544c4910aa82570c75b51582c36919541d24ebfe3c31b0421fd0d626164431026d34b2584c2aeaf873df030f30ba720904ebdddee3124deb64d7fbcace |
C:\Windows\system\jvyitwm.exe
| MD5 | 7c4acb9ddeb2996fc44472249f09393c |
| SHA1 | 78f9d5c3e152a196352913df283797ab615237be |
| SHA256 | 0c590af1a68089114e438b6623c7e2a1487a05c7103bd167ebb6b713db2f5856 |
| SHA512 | 632844f3030a14a6fdb1c8deee2e9dddce4311465a8ed843a46ce8d71614ea3e2bffc62972db5d769730177bb39bc33b697ed5f42bebc622a6549850dccf506b |
memory/1096-33-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2632-30-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/1096-22-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2816-15-0x000000013F1B0000-0x000000013F504000-memory.dmp
C:\Windows\system\XvoKymr.exe
| MD5 | 602feb8164872fda747c33d430c23f13 |
| SHA1 | 1ff73af6672fb869f58983667acf280e5c01643c |
| SHA256 | 8f997654b1a6ca8810c2b80d0dd5b5877919bcda98a78595e4a14d6a6980c66e |
| SHA512 | b134f4c2962433028558d12426cfe6539f56bfc1d6ee913cab48ec6d98a45443338b62beceff367a7e1fb76ff1103056f5ac4afcdb0e90524382540be214a4de |
memory/1096-14-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/1096-139-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/1096-140-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/1096-141-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/1096-142-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/1068-143-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2816-144-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/3048-145-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2632-146-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/2660-147-0x000000013F260000-0x000000013F5B4000-memory.dmp
memory/2836-148-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2748-149-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2960-150-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2488-151-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2464-152-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/2920-153-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/500-154-0x000000013F640000-0x000000013F994000-memory.dmp
memory/2708-155-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/1988-156-0x000000013F0E0000-0x000000013F434000-memory.dmp
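A small parser for the Files section layout used above (a path line followed by `| MD5 | ... |` rows, interleaved with `memory/<pid>-<n>-<start>-<end>-memory.dmp` lines), added here as an example; it is not the sandbox's own export tooling. The constructed input is an abridged copy of the first few entries of the behavioral1 Files section. Besides producing a SHA-256 list for blocking or hunting, the size histogram makes visible that every image-range dump on this page spans 0x354000 bytes, which is the reason not to rely on hashes alone: the 21 dropped files hash differently but map to identically sized images.

```python
"""Extract file hashes and memory-dump ranges from the report's Files section.

Added example; the input format is this page's layout, the sample text below
is a constructed, abridged copy of the behavioral1 entries.
"""
import re
from collections import Counter

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return (files, dumps). Each file is {"path", "md5", "sha1", ...};
    each dump is {"pid", "index", "start", "size"}. A hash row is attached to
    the most recent path line; a dump line ends the current file record."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_LINE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": int(m[1]), "index": int(m[2]), "start": start, "size": end - start})
            current = None
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            algo, digest = m[1], m[2].lower()
            if len(digest) != HEX_LEN[algo]:  # catch truncated copy/paste
                raise ValueError(f"{current['path']}: {algo} digest has wrong length")
            current[algo.lower()] = digest
            continue
        if "\\" in line or "/" in line:  # a path starts a new file record
            current = {"path": line}
            files.append(current)
    return files, dumps


def sha256_blocklist(files):
    """Unique SHA-256 values, the form most EDR block/hunt lists accept."""
    return sorted({f["sha256"] for f in files if "sha256" in f})


def image_sizes(dumps):
    """Histogram of dumped region sizes; the same size across many PIDs
    means the dropped files are same-sized copies of one image."""
    return Counter(d["size"] for d in dumps)


# Constructed sample: an abridged copy of the first behavioral1 Files entries.
SAMPLE_TEXT = r"""
memory/1096-0-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/1096-1-0x0000000000080000-0x0000000000090000-memory.dmp
C:\Windows\system\cvRnjAV.exe
| MD5 | 83232cccf15d5124d6a48ee250fad2bf |
| SHA256 | f953287ce09fa90eb065313c708b9fa24587bafa67819cc7fdb5d5f5f9931dd5 |
memory/1068-9-0x000000013F690000-0x000000013F9E4000-memory.dmp
\Windows\system\kLMNJqX.exe
| SHA256 | fb2095865f210a721e8baf4cc4027478042281cfbe8e1bc16912c330bb1a5980 |
memory/3048-23-0x000000013F7D0000-0x000000013FB24000-memory.dmp
"""

if __name__ == "__main__":
    files, dumps = parse_files_section(SAMPLE_TEXT)
    print(sha256_blocklist(files))
    print({hex(size): n for size, n in image_sizes(dumps).items()})
```

Feed it the whole Files section of a report to get a complete hash list; the length check exists because a digest that lost characters in copy/paste silently becomes a useless indicator.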
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 08:05
Reported
2024-06-11 08:07
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader: 21 hits, no indicator details exported
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts: 21 hits, no indicator details exported
UPX dump on OEP (original entry point): 64 hits, no indicator details exported
XMRig Miner payload: 64 hits, no indicator details exported
Executes dropped EXE
C:\Windows\System\ggtSCTN.exe
C:\Windows\System\FCGVLZM.exe
C:\Windows\System\ynPpQwu.exe
C:\Windows\System\cVISEXN.exe
C:\Windows\System\zevdOdh.exe
C:\Windows\System\HYtopJN.exe
C:\Windows\System\XzNpNTg.exe
C:\Windows\System\pQejRJb.exe
C:\Windows\System\LPvkebO.exe
C:\Windows\System\uNpjggG.exe
C:\Windows\System\nNWfsgf.exe
C:\Windows\System\sltNDBX.exe
C:\Windows\System\XQeZnwh.exe
C:\Windows\System\qIJbfUx.exe
C:\Windows\System\IGqRvJd.exe
C:\Windows\System\jhIxsjY.exe
C:\Windows\System\zVkdmau.exe
C:\Windows\System\rYsoJOi.exe
C:\Windows\System\EhWBTjM.exe
C:\Windows\System\mFejIsC.exe
C:\Windows\System\arBEvEu.exe
UPX packed file: 64 hits, no indicator details exported
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ggtSCTN.exe
C:\Windows\System\ggtSCTN.exe
C:\Windows\System\FCGVLZM.exe
C:\Windows\System\FCGVLZM.exe
C:\Windows\System\ynPpQwu.exe
C:\Windows\System\ynPpQwu.exe
C:\Windows\System\cVISEXN.exe
C:\Windows\System\cVISEXN.exe
C:\Windows\System\zevdOdh.exe
C:\Windows\System\zevdOdh.exe
C:\Windows\System\HYtopJN.exe
C:\Windows\System\HYtopJN.exe
C:\Windows\System\XzNpNTg.exe
C:\Windows\System\XzNpNTg.exe
C:\Windows\System\pQejRJb.exe
C:\Windows\System\pQejRJb.exe
C:\Windows\System\LPvkebO.exe
C:\Windows\System\LPvkebO.exe
C:\Windows\System\uNpjggG.exe
C:\Windows\System\uNpjggG.exe
C:\Windows\System\nNWfsgf.exe
C:\Windows\System\nNWfsgf.exe
C:\Windows\System\sltNDBX.exe
C:\Windows\System\sltNDBX.exe
C:\Windows\System\XQeZnwh.exe
C:\Windows\System\XQeZnwh.exe
C:\Windows\System\qIJbfUx.exe
C:\Windows\System\qIJbfUx.exe
C:\Windows\System\IGqRvJd.exe
C:\Windows\System\IGqRvJd.exe
C:\Windows\System\jhIxsjY.exe
C:\Windows\System\jhIxsjY.exe
C:\Windows\System\zVkdmau.exe
C:\Windows\System\zVkdmau.exe
C:\Windows\System\rYsoJOi.exe
C:\Windows\System\rYsoJOi.exe
C:\Windows\System\EhWBTjM.exe
C:\Windows\System\EhWBTjM.exe
C:\Windows\System\mFejIsC.exe
C:\Windows\System\mFejIsC.exe
C:\Windows\System\arBEvEu.exe
C:\Windows\System\arBEvEu.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 198.121.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
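The Network tables of both detonations mix two different things: direct connections made from the VM (the repeated TCP sessions to 3.120.209.58:8080, present in the Windows 7 and the Windows 10 run alike) and `*.in-addr.arpa` queries to 8.8.8.8, which are reverse-DNS (PTR) lookups the resolver issues for whatever address the OS wanted a name for. A PTR row means "the VM asked who 13.71.55.58 is", not that the sample connected to 13.71.55.58, and these rows appear only in the Windows 10 run. The helper below, an added example rather than anything from the report, parses rows in the page's own table layout (including the shifted columns where the protocol landed in the Domain cell), decodes the reversed octets of each PTR name, and separates the two categories so the direct destination can be acted on. The sample table is constructed from rows on this page.

```python
"""Split a sandbox Network table into direct connections and PTR lookups.

Added example. The rows below are constructed from this page's tables; the
column-shift handling matches the export format seen here.
"""
import ipaddress
import re
from collections import Counter

ROW = re.compile(
    r"^\|\s*(?P<cc>[A-Z]{2})\s*\|\s*(?P<dst>[^|]+?)\s*\|\s*(?P<dom>[^|]*?)\s*\|\s*(?P<proto>[^|]*?)\s*\|?\s*$"
)
PTR = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def parse_rows(text):
    """Yield one dict per data row (cc, dst, dom, proto). The header does not
    match because 'Country' is longer than a two-letter code. If the Domain
    cell holds 'tcp'/'udp' and Proto is empty, the columns were shifted."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        if row["dom"] in ("tcp", "udp") and not row["proto"]:
            row["proto"], row["dom"] = row["dom"], ""
        yield row


def ptr_to_ip(name):
    """Decode 58.55.71.13.in-addr.arpa -> 13.71.55.58 (octets are reversed);
    None for anything that is not a PTR name. Invalid octets raise."""
    m = PTR.match(name)
    if not m:
        return None
    return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))


def summarize(text):
    """Count direct (destination, proto) pairs and list the addresses that
    were only the subject of reverse lookups."""
    direct, looked_up = Counter(), set()
    for row in parse_rows(text):
        ip = ptr_to_ip(row["dom"])
        if ip is not None:
            looked_up.add(ip)
        else:
            direct[(row["dst"], row["proto"])] += 1
    return {
        "direct": dict(direct),
        "ptr_lookups": sorted(looked_up, key=ipaddress.IPv4Address),
    }


# Constructed from rows on this page, including both column-shift variants.
TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 198.121.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp |
| DE | 3.120.209.58:8080 | | tcp |
"""

if __name__ == "__main__":
    print(summarize(TABLE))
```

Only the `direct` entries belong on a block list; the decoded PTR targets are worth a glance to confirm they are the usual OS background traffic, but blocking them would just blind the host's own reverse lookups.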
Files
memory/1256-0-0x00007FF7B9140000-0x00007FF7B9494000-memory.dmp
memory/1256-1-0x000001E5F1540000-0x000001E5F1550000-memory.dmp
C:\Windows\System\ggtSCTN.exe
| MD5 | 9ca442d0d7929257e171c2a9c19ff610 |
| SHA1 | 32b0a7c38ec04d2968b03307a3f0e1179055bb67 |
| SHA256 | 0813ba54a7fff818893464b4f3e901403392e5c3c52891082010d13bf547080d |
| SHA512 | 30039a0be7ddc98d70cb29a52ca7b2333b79952efc172d5fbebad7ce1f86388a3c06b772eab33e5c3b5957bb5263dc00e2455bbd69ead0d1f0f850c3f3a41fad |
memory/2452-8-0x00007FF6B3BE0000-0x00007FF6B3F34000-memory.dmp
C:\Windows\System\ynPpQwu.exe
| MD5 | 11c62d0841dd85e69e560f52dcdd9eaf |
| SHA1 | 33519b58197d307b4de22517d960d8fc4deabf5a |
| SHA256 | 64efb63774f69a421465fc52ea49b15043dd9e09544a35cc808bd0374917d47a |
| SHA512 | de17dc9d9d3a45efb2fe6c517857969772bf2fe2d4129ebc78566a6b5e474b34bfcd2a4ab2fbf5c3d03f5911e1a925c2960736356bdafb41ac86256ab6b340ef |
C:\Windows\System\FCGVLZM.exe
| MD5 | 7e20ed8bbebde295b31746f4e4ad6280 |
| SHA1 | ab52a986d5ba13f690ba7c000a5f3abbc6a06a26 |
| SHA256 | 0c75297d70735222964134fda850575e9d36854ec3b0694b82d439ef7f32ce3c |
| SHA512 | 64b2d6a5d59232a5362a7b2604b0bc9cd4915b123e9e475fd8b87cd14526440b20e5e01e85613195bfeef7e71b408ada09e1aa467e87189ad5f68025ef00485d |
memory/3156-14-0x00007FF7B0E70000-0x00007FF7B11C4000-memory.dmp
memory/1044-20-0x00007FF699280000-0x00007FF6995D4000-memory.dmp
C:\Windows\System\cVISEXN.exe
| MD5 | 97a036a571071399ebbd5a223b0c096e |
| SHA1 | 10413d56331407101fa8b9c4403387af322a25d9 |
| SHA256 | 82a6354e466e7dac776efab5134354118b13c098f254d067652408a233104bb8 |
| SHA512 | 47a2d5d4d4d84efb124c92a8994d3824a8139247e6a47fe64eb603091cd698aac5eff5d1f0f71402a3ae00f29b5684fe062d5947bc5fae008e01f46879cc7ad6 |
C:\Windows\System\zevdOdh.exe
| MD5 | 63e922a373883a16848cc8dcc0a9f216 |
| SHA1 | 1c7c4690269e887a65c4d65293e98502b1b5b1c5 |
| SHA256 | bdfd365ad88eca958d50d265914556ac402164a7cfc8ccd66d7142e7f1b76c7f |
| SHA512 | 2e8029a16907053f0a4b472162051524c5f5353408233e8dcb1b2519a5eebe99a1b8df703260419fbed1abf9eb848484059f5fdc701cc035250c2338f69c2878 |
C:\Windows\System\HYtopJN.exe
| MD5 | 926e84fa2c0094041b229843dd27baa4 |
| SHA1 | 05d00700457d4f654fe1118b9b114c0e04ef2a98 |
| SHA256 | f6ed9a7b647d43886b9025a16cbb3d5a7de29a3db27f7bfbff825a7289e253f5 |
| SHA512 | d67d8dd0028b25318f9697ce35357c614776606937277be0714bb9c18cda9566709339fff577c907db74a5aae04194640cbeeded81561c675ce0102d787b0237 |
memory/3092-36-0x00007FF7F5EF0000-0x00007FF7F6244000-memory.dmp
memory/408-35-0x00007FF65A180000-0x00007FF65A4D4000-memory.dmp
memory/1584-24-0x00007FF716590000-0x00007FF7168E4000-memory.dmp
C:\Windows\System\XzNpNTg.exe
| MD5 | 6a85d286d84dab4d193c59211b0d12a4 |
| SHA1 | 58ece7c45fb8e087e7f9eef3d5c841b72ea481ab |
| SHA256 | 532338adbb8be9a4999334da29651da8a2d6ade8e93e86145c3753644418a64c |
| SHA512 | 38f8c0146ee08c6b04d36e31e1fb80d2f6410f4e2ef989efb4e5e1a5ff1e4fbde3eb6bd15ee0b1e353186518d10cd6b3fd38029ac63240a8e4a34f36d3d54f65 |
C:\Windows\System\pQejRJb.exe
| MD5 | faf9e34e8ba9d5df656f893fe8636a67 |
| SHA1 | ac6237094f49c821e07eca98e0ff1eda9e611d79 |
| SHA256 | f3740764c6c0063fa7544d3648c0cfb8b3ed31bd483eccef8f48da333cfb9238 |
| SHA512 | 0d3e3b04bc72daa69ebc974656c306c02966230925820a60f2f939609820ff00eace217b712cfb89830530ca1dbc93887966a101fc43c03dbead5245663c4660 |
memory/3656-49-0x00007FF65B030000-0x00007FF65B384000-memory.dmp
memory/4500-43-0x00007FF6B6BD0000-0x00007FF6B6F24000-memory.dmp
C:\Windows\System\LPvkebO.exe
| MD5 | 9d217d8390a09d0f33f0478f132ffc3c |
| SHA1 | 5faf81b697f4530fd407002a88fec541bf18c24e |
| SHA256 | 7c1ec8097c200f5ffe5872400f036a07d705c70dd9d4b78ae7d4034987e8252a |
| SHA512 | 0dd2bde6c651ce462979a8111bb78fc2b80b62de0c621e6f2ddbdcef7b0bf7a79a1dd684f9cfc31859d19548a5cad8b7669404981813905fd8c54b289963e940 |
memory/1872-55-0x00007FF61A700000-0x00007FF61AA54000-memory.dmp
C:\Windows\System\uNpjggG.exe
| MD5 | cd3d6014ff14f2fea9e4483d92a0c4b2 |
| SHA1 | c8e6b5c380be3e61136f9effe7e33e4a23b388f4 |
| SHA256 | ddba55265d1bab1a6d7acb0c49ca455c263472b8453dbbde455eb024d158e4dd |
| SHA512 | 8eee32ada9ddacd6a7ed637275d0aefa2560ecfaadec2b2e94de39557fdd715e3c36553e9cc5211588aa20cea46c866b1f1f0341ec9c343f4b66c4b681c08a64 |
memory/1256-66-0x00007FF7B9140000-0x00007FF7B9494000-memory.dmp
C:\Windows\System\nNWfsgf.exe
| MD5 | e15d304daddf0e6123538b7ad653c2c5 |
| SHA1 | 7a26d092d80e9c3fd320873c9468b076a5bc80dc |
| SHA256 | f0760aa3b8881cb537ab892b5149ee21473b0c3e16516e1a3f75a2a1627d46b5 |
| SHA512 | 5ac063c10da806b204d08bf46306e36f6f6d42ec8f1dca1aef115a66b102837be1f5bc50a42a83b452ea29a7637f7eb71ae47eb2fc7c57e668ec89d871aee463 |
memory/1356-67-0x00007FF682F00000-0x00007FF683254000-memory.dmp
C:\Windows\System\sltNDBX.exe
| MD5 | cb9d04e10ab487ff3b6d6080957708aa |
| SHA1 | b35d70d5ba357a25ac5578817000ff6e7dbbbdb2 |
| SHA256 | b1833669d8f7789a6491063b702709438338cf26f99344eb4ef9ab0505e93a03 |
| SHA512 | bb46ec3290b0d4ea7e07f72cabf69004853e0cb0cb45c2763e717761ad6b615bcb84f7d1c638a6aa8395959e9a4999fb86146b7260601509677c6502b86da300 |
C:\Windows\System\XQeZnwh.exe
| MD5 | 77b6bf3d4a4f8a4042da7cffe15f1e94 |
| SHA1 | 071c8630ebca7c8f34669d4afbb6e73d709346ab |
| SHA256 | 7a9df16b3541cbd2d9d8504f49dd4372bc9867e5fa16745766ed388ee7adc6c0 |
| SHA512 | 1925fd8cfd49b25b8959c43bb7869cfc2d0bc74bc4a3bb033ebcbf14c179a108947313d0d0bd484d7e110a63d1343ae9cb00f9f77524eb28591b6c44f3bbdaf5 |
C:\Windows\System\qIJbfUx.exe
| MD5 | b9846647f754474587c9e9a426dc3fb7 |
| SHA1 | 238635fe5b917affd397c004e4890b3118f4c5af |
| SHA256 | ad4561d43ac983818097592f763b5d923ebcf21766a19259521bdd442c298041 |
| SHA512 | 7544791c2d5fcdac5903fc420dfc4aefd920611c919f35a1e74a210f00f2bceee3780485a5827f68e24506c5c9245706880d8045eb7c13421af40a6055108a9b |
C:\Windows\System\jhIxsjY.exe
| MD5 | 167d9108b158b734b22357e6bb4b1d3d |
| SHA1 | 9f9ff11a51d99ba7e151b765a36b5f743968a5b0 |
| SHA256 | a9e751c707922c67f3f9dfb12c3cf388e5a713c95d849ef634df18a247684fdd |
| SHA512 | 7a555bd53ad641f9d261b9ad177ad5e916a5ff04fdc6e2348b384152cd2b26a48eb2baf8a28ed8d3aa5bd03724772f4c1bf335ae5e090475b4db18b4380ea596 |
C:\Windows\System\EhWBTjM.exe
| MD5 | f6353a888b7be0ec8741be485a011a04 |
| SHA1 | 8430e4da749d03839bd922d2bae8373ba8c5b705 |
| SHA256 | fbc94c1bfeb9e90a4006e0fe4135437bab02c55a78519cfb27139b596c85fd66 |
| SHA512 | cc90f8aa4c971b5328090e4931ab1425d79389114c1d5327ecddfb4d8e0190e71b7522a4fe9ba621878df92d0dbc29601dc79f134871c04c0f22d38bc1da46c8 |
C:\Windows\System\arBEvEu.exe
| MD5 | 362ccf606940cac5b496286e968ad0bd |
| SHA1 | be905a7d648c1ba9e4dda8321a46ea4abc371ed1 |
| SHA256 | 8712a3eb4b2a791706767dd24ad2e09f8f4be04122fa4135e04884bcffea77fa |
| SHA512 | 6adb17cb0d3d1d453b582320c88ca83056d383832aa528f4155988529060b865bbffd17d9778241b344a1b0c1fddea4ddd45f896996c2d5e5233f004b9b9c65d |
C:\Windows\System\mFejIsC.exe
| MD5 | 0b9b0e6776c5dcbbdc1b4e83583bbb55 |
| SHA1 | 0746fe836d51e3157dd5714fbb8ee6b0eb53443a |
| SHA256 | 9fb157143c77ad31c0ac6f43778bd4e945402674f5d06fe91e1827e642fa3bc8 |
| SHA512 | 04d0ddfe6843ec3294e244ad9bea1cfe7d24eed78d1623c9b2d26f9475d327ddd92e23c841c5aaad2c124539a56eb98e8fc96bb4e9d969dbab90e2ef3ded1396 |
C:\Windows\System\rYsoJOi.exe
| MD5 | 82161797b1efff9f36f6b789b4a52f04 |
| SHA1 | 6593e9c715d02ecd095f345b793789db6f81e4be |
| SHA256 | 30b77c295ef143a9e8ec4c526c879c3aca5a78ab5d4eb0db21055f709c82fe1a |
| SHA512 | 6a24f8dbd65b6183c4c0513297cce74635ba779d38c96fcb04ac5baaa0eafbf1eb66941c6b8ecf522a6fddef400f4b5e12081d1f6cd5e45d7d263465426d6321 |
C:\Windows\System\zVkdmau.exe
| MD5 | 4c4bd70dbdd907f31fe3fd2f8aa82d45 |
| SHA1 | 6a9b97bfe17ab0ab660451cec12bd68453208da9 |
| SHA256 | cb232e47b05636fc3ac33f90a24e3e120f3d826d5c0f1612296406df4c43a21f |
| SHA512 | fddb3befbf32ec94f7723347408142017444e127ad825f17fae673e00b68e346d985a350f63c646dae2c803ffe6e93df7708c4785757d0c5ed14a6afad22f253 |
C:\Windows\System\IGqRvJd.exe
| MD5 | 4448a99985cbd19b6f260ff0b624ef43 |
| SHA1 | bc27809460754786e21dcc5b9aabbc9d7b027e9f |
| SHA256 | 73d21f07548cfe6d91be177739489389681850e38cad6a03f2de5a8414ec8171 |
| SHA512 | c09f4b3c9eca6190a8b32ee03e9e28609e86d6208efe356bbde16300195012ac793881d9b40a17fd2bf7cd026769a168519c26f827f18fa900e3027a1d846ceb |
memory/2896-61-0x00007FF6AC4F0000-0x00007FF6AC844000-memory.dmp
memory/2224-119-0x00007FF65FD70000-0x00007FF6600C4000-memory.dmp
memory/1936-121-0x00007FF69F300000-0x00007FF69F654000-memory.dmp
memory/376-122-0x00007FF76D120000-0x00007FF76D474000-memory.dmp
memory/2692-124-0x00007FF781EA0000-0x00007FF7821F4000-memory.dmp
memory/2148-123-0x00007FF728A30000-0x00007FF728D84000-memory.dmp
memory/4172-120-0x00007FF6AC120000-0x00007FF6AC474000-memory.dmp
memory/1880-125-0x00007FF74F190000-0x00007FF74F4E4000-memory.dmp
memory/3992-126-0x00007FF62A8E0000-0x00007FF62AC34000-memory.dmp
memory/448-127-0x00007FF74A980000-0x00007FF74ACD4000-memory.dmp
memory/2116-128-0x00007FF6D7ED0000-0x00007FF6D8224000-memory.dmp
memory/1584-129-0x00007FF716590000-0x00007FF7168E4000-memory.dmp
memory/3092-130-0x00007FF7F5EF0000-0x00007FF7F6244000-memory.dmp
memory/4500-131-0x00007FF6B6BD0000-0x00007FF6B6F24000-memory.dmp
memory/3656-132-0x00007FF65B030000-0x00007FF65B384000-memory.dmp
memory/1872-133-0x00007FF61A700000-0x00007FF61AA54000-memory.dmp
memory/2896-134-0x00007FF6AC4F0000-0x00007FF6AC844000-memory.dmp
memory/1356-135-0x00007FF682F00000-0x00007FF683254000-memory.dmp
memory/2452-136-0x00007FF6B3BE0000-0x00007FF6B3F34000-memory.dmp
memory/3156-137-0x00007FF7B0E70000-0x00007FF7B11C4000-memory.dmp
memory/1044-138-0x00007FF699280000-0x00007FF6995D4000-memory.dmp
memory/1584-139-0x00007FF716590000-0x00007FF7168E4000-memory.dmp
memory/408-140-0x00007FF65A180000-0x00007FF65A4D4000-memory.dmp
memory/3092-141-0x00007FF7F5EF0000-0x00007FF7F6244000-memory.dmp
memory/4500-142-0x00007FF6B6BD0000-0x00007FF6B6F24000-memory.dmp
memory/3656-143-0x00007FF65B030000-0x00007FF65B384000-memory.dmp
memory/1872-144-0x00007FF61A700000-0x00007FF61AA54000-memory.dmp
memory/2896-145-0x00007FF6AC4F0000-0x00007FF6AC844000-memory.dmp
memory/1356-146-0x00007FF682F00000-0x00007FF683254000-memory.dmp
memory/2116-147-0x00007FF6D7ED0000-0x00007FF6D8224000-memory.dmp
memory/2224-148-0x00007FF65FD70000-0x00007FF6600C4000-memory.dmp
memory/4172-149-0x00007FF6AC120000-0x00007FF6AC474000-memory.dmp
memory/1936-150-0x00007FF69F300000-0x00007FF69F654000-memory.dmp
memory/2148-152-0x00007FF728A30000-0x00007FF728D84000-memory.dmp
memory/376-151-0x00007FF76D120000-0x00007FF76D474000-memory.dmp
memory/448-153-0x00007FF74A980000-0x00007FF74ACD4000-memory.dmp
memory/2692-156-0x00007FF781EA0000-0x00007FF7821F4000-memory.dmp
memory/1880-155-0x00007FF74F190000-0x00007FF74F4E4000-memory.dmp
memory/3992-154-0x00007FF62A8E0000-0x00007FF62AC34000-memory.dmp
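Two checks worth making on the Files listing above, as an added example that is not part of the report or of any sandbox vendor's tooling: the hash rows are parsed and validated (a hexdigest of the wrong length is a copy error, not an indicator, and should fail loudly rather than silently never match), and the memory dump names are decoded into PID and address range. Every `memory/<pid>-...` region listed above except memory/1256-1 spans 0x354000 bytes, across all of the dropped processes, which suggests each dropped executable maps an image of the same size; the size histogram makes that visible. The seven-letter `C:\Windows\System\*.exe` name check is a hunting heuristic assumed from the listing, not something the report asserts. The excerpt embedded in the block is constructed from two of the file entries and four of the dump lines above.

```python
import hashlib
import re
from collections import Counter

# Constructed excerpt: a few entries copied from the report's Files section
# (two of the 21 dropped executables and four of the memory dumps).
FILES_SECTION = r"""
memory/1256-0-0x00007FF7B9140000-0x00007FF7B9494000-memory.dmp
memory/1256-1-0x000001E5F1540000-0x000001E5F1550000-memory.dmp
C:\Windows\System\ggtSCTN.exe
| MD5 | 9ca442d0d7929257e171c2a9c19ff610 |
| SHA1 | 32b0a7c38ec04d2968b03307a3f0e1179055bb67 |
| SHA256 | 0813ba54a7fff818893464b4f3e901403392e5c3c52891082010d13bf547080d |
| SHA512 | 30039a0be7ddc98d70cb29a52ca7b2333b79952efc172d5fbebad7ce1f86388a3c06b772eab33e5c3b5957bb5263dc00e2455bbd69ead0d1f0f850c3f3a41fad |
memory/2452-8-0x00007FF6B3BE0000-0x00007FF6B3F34000-memory.dmp
C:\Windows\System\ynPpQwu.exe
| MD5 | 11c62d0841dd85e69e560f52dcdd9eaf |
| SHA1 | 33519b58197d307b4de22517d960d8fc4deabf5a |
| SHA256 | 64efb63774f69a421465fc52ea49b15043dd9e09544a35cc808bd0374917d47a |
| SHA512 | de17dc9d9d3a45efb2fe6c517857969772bf2fe2d4129ebc78566a6b5e474b34bfcd2a4ab2fbf5c3d03f5911e1a925c2960736356bdafb41ac86256ab6b340ef |
memory/3156-14-0x00007FF7B0E70000-0x00007FF7B11C4000-memory.dmp
"""

MEMORY_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
WINDOWS_PATH = re.compile(r"^[A-Za-z]:\\")
# Hunting heuristic (an assumption drawn from the listing, not a report claim):
# every dropped file here is C:\Windows\System\ plus seven letters plus .exe.
DROPPED_NAME = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")
DIGEST_LENGTH = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files(text):
    """Return ({path: {algo: hexdigest}}, [(pid, index, start, end)]).

    Digests are checked for length and charset so a hash truncated while
    copying the report raises here instead of quietly never matching.
    """
    files, regions, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = MEMORY_DUMP.match(line)
        if m:
            pid, idx, start, end = m.groups()
            regions.append((int(pid), int(idx), int(start, 16), int(end, 16)))
            current = None
        elif WINDOWS_PATH.match(line):
            current = line
            files.setdefault(current, {})
        elif line.startswith("|") and current is not None:
            cells = [c.strip() for c in line.strip("|").split("|")]
            if len(cells) >= 2 and cells[0] in DIGEST_LENGTH:
                algo, digest = cells[0], cells[1].lower()
                if len(digest) != DIGEST_LENGTH[algo] or not re.fullmatch(r"[0-9a-f]+", digest):
                    raise ValueError(f"{current}: malformed {algo} digest {digest!r}")
                files[current][algo] = digest
    return files, regions


def region_sizes(regions):
    """Histogram of dumped region sizes; one dominant size shared by many PIDs
    means every dropped process mapped an image of the same size."""
    return Counter(end - start for _, _, start, end in regions)


def pids_with_region(regions, size):
    return sorted({pid for pid, _, start, end in regions if end - start == size})


def looks_like_dropped_name(path):
    return bool(DROPPED_NAME.match(path))


def digests(data):
    return {algo: getattr(hashlib, algo.lower())(data).hexdigest() for algo in DIGEST_LENGTH}


def matches(record, data):
    """True when every digest recorded for a file matches the given bytes."""
    computed = digests(data)
    return bool(record) and all(computed[algo] == h for algo, h in record.items())


if __name__ == "__main__":
    files, regions = parse_files(FILES_SECTION)
    for path, hashes in files.items():
        print(path, "SHA256", hashes.get("SHA256"),
              "dropped-style name:", looks_like_dropped_name(path))
    print("region sizes:", {hex(k): v for k, v in region_sizes(regions).items()})
```

`matches` requires every recorded digest to agree, so a record that lists all four algorithms cannot be satisfied by a collision against MD5 or SHA1 alone; when hunting on endpoints, match on SHA256 at minimum and treat an MD5-only hit as a lead, not a confirmation.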