Analysis Overview
SHA256
15f24b5aa5013c6881d9c0802a27af972e42de5047472d32d827acbf8f5308e3
Threat Level: Known bad
The file 2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
Cobaltstrike
Xmrig family
UPX dump on OEP (original entry point)
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 08:33
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 08:33
Reported
2024-06-11 08:36
Platform
win7-20240508-en
Max time kernel
134s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ynqQhtp.exe | N/A |
| N/A | N/A | C:\Windows\System\uaxEckK.exe | N/A |
| N/A | N/A | C:\Windows\System\aJKdwxj.exe | N/A |
| N/A | N/A | C:\Windows\System\kzadwvi.exe | N/A |
| N/A | N/A | C:\Windows\System\RisSEHb.exe | N/A |
| N/A | N/A | C:\Windows\System\yrcCBwE.exe | N/A |
| N/A | N/A | C:\Windows\System\aqGiCoS.exe | N/A |
| N/A | N/A | C:\Windows\System\AOQNAzX.exe | N/A |
| N/A | N/A | C:\Windows\System\cwzgjyg.exe | N/A |
| N/A | N/A | C:\Windows\System\ZytHwtD.exe | N/A |
| N/A | N/A | C:\Windows\System\zHFdpgr.exe | N/A |
| N/A | N/A | C:\Windows\System\vuwTlUl.exe | N/A |
| N/A | N/A | C:\Windows\System\loEeGQc.exe | N/A |
| N/A | N/A | C:\Windows\System\NMrMNei.exe | N/A |
| N/A | N/A | C:\Windows\System\kYJhcWk.exe | N/A |
| N/A | N/A | C:\Windows\System\OHsInon.exe | N/A |
| N/A | N/A | C:\Windows\System\MjchaFr.exe | N/A |
| N/A | N/A | C:\Windows\System\kkeNjfz.exe | N/A |
| N/A | N/A | C:\Windows\System\liimblG.exe | N/A |
| N/A | N/A | C:\Windows\System\HIRKxBT.exe | N/A |
| N/A | N/A | C:\Windows\System\eitQrJI.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ynqQhtp.exe
C:\Windows\System\uaxEckK.exe
C:\Windows\System\aJKdwxj.exe
C:\Windows\System\kzadwvi.exe
C:\Windows\System\RisSEHb.exe
C:\Windows\System\cwzgjyg.exe
C:\Windows\System\yrcCBwE.exe
C:\Windows\System\ZytHwtD.exe
C:\Windows\System\aqGiCoS.exe
C:\Windows\System\OHsInon.exe
C:\Windows\System\AOQNAzX.exe
C:\Windows\System\MjchaFr.exe
C:\Windows\System\zHFdpgr.exe
C:\Windows\System\kkeNjfz.exe
C:\Windows\System\vuwTlUl.exe
C:\Windows\System\liimblG.exe
C:\Windows\System\loEeGQc.exe
C:\Windows\System\HIRKxBT.exe
C:\Windows\System\NMrMNei.exe
C:\Windows\System\eitQrJI.exe
C:\Windows\System\kYJhcWk.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\system\ynqQhtp.exe
| MD5 | 068f92b91abbebb716975ea038f7130f |
| SHA1 | c82498ee64216d32b51a3f9c569062f472498924 |
| SHA256 | 58b94b4a847d643ad2c4cb45c42a1bf69036c77cf5a4110d69d07c42685a5f70 |
| SHA512 | 2c83c04598aeb4bf3c1c7d6a5b86470bd47bc5763ed5a628e1d7187381ad1747fba14c231e7a4b47a3a069d3dd16bc9bca185589852c672ec6a895349be573ea |
\Windows\system\uaxEckK.exe
| MD5 | 9ddc8584ccf11c26b84ca82a06e5caa7 |
| SHA1 | 3c177d8e07fa23a2d1f0b0e62b2354e60962e041 |
| SHA256 | f2119edc69c1cd4837d8c801802dc520c9bb07854b70aa223c216dddb1c76175 |
| SHA512 | 51759b5bc1828576f1a57fa15e7648bc316af15497564a5e1ef137a9adfa4b730410dccb9ea697e0e76972052d12593daee5ad3d6c010650e6c9e54851300852 |
C:\Windows\system\kzadwvi.exe
| MD5 | 43d531bc1eb134c5a563995aa393dad2 |
| SHA1 | f22fe25eb23c96b55ad334cf39bd7b90632448cc |
| SHA256 | 84b1e715d67a93c3d3da824df4edf2aabe7a94b9849bd05e0f1ffe75a882ddc2 |
| SHA512 | 8c8b0809485e0526a9c4b974846cf5ca18a524aa66843eaa1a3be90b4bf71bb9d170d2aabdcebfd34b432fa206591e32d9a40e98045c07ac748326c35a0537ec |
\Windows\system\aJKdwxj.exe
| MD5 | 99fd856bedb1e35abe017c3c2903b716 |
| SHA1 | 8a631436d193d61cc6d286a7ecccb995eefdc221 |
| SHA256 | 1a16152df60649727fa4891243d3c45c5120400863552787c52e8cf05baf1020 |
| SHA512 | 2dbacd2f7f2ee39b5c6cccb1f03eecc0729ec7ed0f4c56afbcd17047e59f7a8d197c21a3e6663f06c48e69949e37333b087757a26cc67b795a904031aae23bf0 |
\Windows\system\aqGiCoS.exe
| MD5 | 7625529086167d075d048e95b4dfb84b |
| SHA1 | 7d510f156950a050efb06e591ee26244f2230348 |
| SHA256 | 2683caed1bff6861d13f670fc79e9f21fb8db6ddc134883515dedf5c3dcc560d |
| SHA512 | c9381099ccff988af65e75b74580f519220555d1f705e1c1500176f26145ca96f4be4a0f4d86063f410af2722ee54e0b53446369132474164c3c91759955e525 |
C:\Windows\system\yrcCBwE.exe
| MD5 | 657c53e0916bb1e6f7586d874a39095a |
| SHA1 | f8b9ddff3f4cfe6a8042fda8ba8c3b3b86fcc87b |
| SHA256 | 4db93dec14148d6bd90d035e0bf252b1a1755bb00b5a015beec23143f82bb56c |
| SHA512 | cb84f996db1bec3e850a43551685272c6c07412d2c50c682607450a06957a73bc5b86644b40c5506d8ddd6d7087facc06b777e8c50e4f760dcd1df0875176298 |
C:\Windows\system\RisSEHb.exe
| MD5 | c0f9261ee22d20ce262ea0b7418d4df7 |
| SHA1 | 70ab3d21eecac0693f054c5ef6d4909346ec4749 |
| SHA256 | 949e924f61dbc74334902cd0eece6c28b4516aa6031e4da12d39035bd0195632 |
| SHA512 | 0671ce802f1a8b4418d8497ef267012edef40087e0f57953c40102bc75c6f43450034bcd698b35930b939096eb15b4dd426bd36c72074f17009cc7e3624d1980 |
C:\Windows\system\AOQNAzX.exe
| MD5 | c545177fead0c467771959cf4ab34f3b |
| SHA1 | e3ae35aaaa42ea12c5f0b0552d66bbff9513c557 |
| SHA256 | 4d689beba75bbfdb5f94295edafadc89344febc7295f48f519c761b7f1694c19 |
| SHA512 | 569697b08a97f50cc7ea8d3236f96db8a90aecf831526dae5450adf850acff7c5091bfa0a5ebead709f5404a03594c3cbfb2592b4958ef1888b85235e44360c6 |
\Windows\system\kkeNjfz.exe
| MD5 | 07ed965d6dfd42aeb3ba390540c37a28 |
| SHA1 | 39524935b0d56d594c255a6c3245252ef511399c |
| SHA256 | 9a55bc354dd57ac7d6dc851112ada5a9041db848cdd4420945427697f9f3a814 |
| SHA512 | 4f747b01fd526f097f9d69e2a809a1b52ff68da7dade5531ef8a81d345cc9270c3539a8a1c4469d9e0295be81f85c500a67e26b98dd030a3aae643d27d4e8a46 |
\Windows\system\eitQrJI.exe
| MD5 | 5435b539d64db51d176a744b2a6f8089 |
| SHA1 | ccde6a853c4ee536451bd319653c6f1c3a2ae47c |
| SHA256 | cff0885a1f5c8fbda0671bee9693dea13157301f85a7be1eff1e67b9646dcd52 |
| SHA512 | 82d31ae5a2368cf732d571b65fc6682299db5faf4de89ce77c41ea6d55dd60e736503da7af4ad28f1d031445de33d032178320961bbfc1899cf3eb48277d1045 |
\Windows\system\HIRKxBT.exe
| MD5 | f31feb19b0212b9240b497b351f566bc |
| SHA1 | 526541a25a39a1da863334fb7bc1fb125fea4606 |
| SHA256 | 580af207a8c6528f31b0d660f65692d8d17a543c3c848cbaca4bd4abd74e9ced |
| SHA512 | 65deb9fd4f04a6b2bb8cf2557c93ab4d002122e8077361b629612d287034079f2279f9531dfc0061750b341bff9cd7e767be55861375a9b6f3a6b07c816a7801 |
C:\Windows\system\vuwTlUl.exe
| MD5 | 020bd63b5509b9c6a0a94771c5ca50d9 |
| SHA1 | 0d7478b4c998400596fe031c4cf257a85ecceb57 |
| SHA256 | d5137a8648302139f8f604d1f09d31c9c5540a1faf67b4a840cd0193dcff7618 |
| SHA512 | 893c1ed5f1b72b14619cdfbcbee6d27b303612b89003e40e823ba2349d83e2b04f0cce548483f514d3d18fb7b986da0ac8f3460bcbd4ca50561696f7d4506049 |
C:\Windows\system\zHFdpgr.exe
| MD5 | 5b26442481fb657f0a92cb731d487b85 |
| SHA1 | 5c8020f02a266fc0cbba5325b48135a4c327b215 |
| SHA256 | ddb30cb9601a95526813159654df6bf6ae2135836e7cfc64468898e1b547b038 |
| SHA512 | 8e0830936dd354d99b0c260e9523ed18f65b99910a062daef1dee161c92321c1921da841f557dd007fff828912b5312c51f743b7572dc5e3cedea63c03adcbfc |
C:\Windows\system\ZytHwtD.exe
| MD5 | be9e59253a05810ee64b1c47c04b6a0e |
| SHA1 | 76df9733b57a59a142b13db01857c5b65fefd3f0 |
| SHA256 | 9a8896ba69d422ede3da69def9c0628c83e996ed99ca61a3530ef7abc9e9ee3c |
| SHA512 | 6aa43e39844d09b9c50fadfcd963a9682f348f7c8abe339ddfb2c4d0d6127b2428177d2db36fccc321fce38e96d6fc0b36a97d5ffdbcab44d576e0230526f7cb |
\Windows\system\liimblG.exe
| MD5 | c481ee3f767ef885c181569bd442bf6c |
| SHA1 | dfee8aabb9d343ad41a01335c3ad5e369b6ab28f |
| SHA256 | ce41a1d498783ec10e90ab0e7ab1e70c7955652431543638a3ebdafa9bb1643d |
| SHA512 | d2a692d039cdcc72e719dc30dee2acd990f0ae3d0cf2318dadc207c780dcc2088e775d5578474289acd5860a446577c764d1d5688c238121a0421a1ebb343ac9 |
C:\Windows\system\cwzgjyg.exe
| MD5 | 1e05d19411d42a4854318f142998bcd4 |
| SHA1 | 4c10042510a07417ad3a1c1604a7fc09732fec71 |
| SHA256 | 8302b4e140055e2bf9827af230b707ddda5c2f3533abd0b4c2bfc914dc93a440 |
| SHA512 | 1e934adff38cf89417841fae97491009b5e452f039e27517c97d3fab0a0eb811c168bb7529dea9310a4c19e2831f8bd5e098ef99e9daf34b1eda62033590f666 |
\Windows\system\MjchaFr.exe
| MD5 | df507bce532580e78b0c5f1eb08456aa |
| SHA1 | dcebc7e99f8ed00aea3f3b4558e86d5baf3b5cc7 |
| SHA256 | 6eea5584614ab3042190f61bbf4bc1fcd8dda58f39a59f3b0194c5b4886bd3a6 |
| SHA512 | 108965cc2b7bcef115b2c1e658d5a7ceb9d53cfb1ee2857b468d5bb4602c3502f4759100d587a45214b8d33aa82ba73093b5398bda1627683298fdd14b5493e5 |
\Windows\system\OHsInon.exe
| MD5 | ccd73f8685aa4a93afd031db5b4b41e0 |
| SHA1 | d87492c70bcc393f67f4a723e9065b55310a2e26 |
| SHA256 | 8efa808cee3b993afcfb0f89f5bfc9325814339344681bef0d20cdc24e9b8d63 |
| SHA512 | 7ae016565beaf512b2abe09dc6231ce7e552d066c2e7e27971e3fd86a87535576e596a686fe7105b1e4c86688d7e980ce724876bf3332f6fba6a1560b288b9ea |
C:\Windows\system\kYJhcWk.exe
| MD5 | a941d4f48b00452fb81404be927289dd |
| SHA1 | f183f1d62ee866863da8fff3661dbb216cd09228 |
| SHA256 | 590a2afa816cfe2f4bebae95956fd4ed638370eae25325c3436ac3f420197ddf |
| SHA512 | acda9cf9577c25dfbedbde15210fa54af34522c61564497beeab816d6c6196367a879f24c4ade49bfe290b6eed35f091ab7094c6921443108716fdc94dbfdea8 |
C:\Windows\system\NMrMNei.exe
| MD5 | ded0e90332d07db04b5c706e8b6fbca8 |
| SHA1 | 0df7065ee1896701414191a1d238b0142fa2245a |
| SHA256 | 559712ab8f5f1390ba0735f6208eea0aabb3a52d867b61944c892fbb139c663a |
| SHA512 | 9a7eac0955d0accd9eb5d79a1a390b77124f206572288b80c48e0ac396938905b4426cc9b151b458f8f6e3ca20356ef214d1dc1e292118258fe21f271251a2bd |
C:\Windows\system\loEeGQc.exe
| MD5 | 550fa75b0d2893aed796d5dc30afdae0 |
| SHA1 | 6e503ee017bf6824fc45307bb5900492027b3693 |
| SHA256 | 491252df6c126a008cdc46315f2f5bba474e9f82cf420c2287551714bb9c651b |
| SHA512 | fd11881f540f608540a572418ec637ee480e7421af2bd4c8889953e7aa36e4c522f956c661b3df5dcf61ec043c06acd609ed7077f234599057abf21d78a3f55b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 08:33
Reported
2024-06-11 08:36
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\pqSSlZM.exe | N/A |
| N/A | N/A | C:\Windows\System\sZRwWqr.exe | N/A |
| N/A | N/A | C:\Windows\System\ihYoFKS.exe | N/A |
| N/A | N/A | C:\Windows\System\tsgqlQR.exe | N/A |
| N/A | N/A | C:\Windows\System\VxJhAaj.exe | N/A |
| N/A | N/A | C:\Windows\System\VAlFYil.exe | N/A |
| N/A | N/A | C:\Windows\System\VUlTxej.exe | N/A |
| N/A | N/A | C:\Windows\System\UtXhBeM.exe | N/A |
| N/A | N/A | C:\Windows\System\WXsaUbE.exe | N/A |
| N/A | N/A | C:\Windows\System\NEMRlBo.exe | N/A |
| N/A | N/A | C:\Windows\System\dWYHfem.exe | N/A |
| N/A | N/A | C:\Windows\System\fqJuZQZ.exe | N/A |
| N/A | N/A | C:\Windows\System\NQoSaGj.exe | N/A |
| N/A | N/A | C:\Windows\System\GSpislx.exe | N/A |
| N/A | N/A | C:\Windows\System\DMGZRpA.exe | N/A |
| N/A | N/A | C:\Windows\System\CGZRxrG.exe | N/A |
| N/A | N/A | C:\Windows\System\vdfNkwm.exe | N/A |
| N/A | N/A | C:\Windows\System\HKdLQmt.exe | N/A |
| N/A | N/A | C:\Windows\System\yXyahai.exe | N/A |
| N/A | N/A | C:\Windows\System\lVvfKUB.exe | N/A |
| N/A | N/A | C:\Windows\System\BjlYNxe.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\pqSSlZM.exe
C:\Windows\System\sZRwWqr.exe
C:\Windows\System\ihYoFKS.exe
C:\Windows\System\tsgqlQR.exe
C:\Windows\System\VxJhAaj.exe
C:\Windows\System\NEMRlBo.exe
C:\Windows\System\VAlFYil.exe
C:\Windows\System\VUlTxej.exe
C:\Windows\System\UtXhBeM.exe
C:\Windows\System\WXsaUbE.exe
C:\Windows\System\dWYHfem.exe
C:\Windows\System\NQoSaGj.exe
C:\Windows\System\fqJuZQZ.exe
C:\Windows\System\DMGZRpA.exe
C:\Windows\System\GSpislx.exe
C:\Windows\System\CGZRxrG.exe
C:\Windows\System\vdfNkwm.exe
C:\Windows\System\HKdLQmt.exe
C:\Windows\System\yXyahai.exe
C:\Windows\System\lVvfKUB.exe
C:\Windows\System\BjlYNxe.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\pqSSlZM.exe
| MD5 | 41ca49f1593ef2fa8fd2cb53389fbf00 |
| SHA1 | 3a1c0a4da7d1cd364ebec361910586d8d585f3fc |
| SHA256 | f0da27f8f7be3254a6ce57c2bfea47c851c427a778b946321b6f8a2e244b31ae |
| SHA512 | 87a2383db3df4acb77972d97194d3a690f3c3bfeb851c92dfdef4481bc0499b62fe2a5678f0ec0ed355383efdaa2d7d3b95ada6e95bea973492dd195fefd9b65 |
C:\Windows\System\ihYoFKS.exe
| MD5 | 8dcd74649ddf5d5f4b6beffb17dba502 |
| SHA1 | 444de198a9504829ff84ec092bcd8ed98c0d0e28 |
| SHA256 | ce7cb3b99c68fa10a1e39924c24fa88c4a749a40d9aa046f6129e084dd553d8b |
| SHA512 | 3e3d2b3387bb76e6d7118148dada3428bce4193847257d8bb588b91ee807bd9b08f8adf771a1d2c898b06aff1b8cfae1a2f1132895829762ecd87ecb923b4e6b |
C:\Windows\System\sZRwWqr.exe
| MD5 | f239eb7b1d2138595a0ee9ea88c78ccb |
| SHA1 | 3e5c6fadeaa182c52fa246b6e6d20130be41f3cb |
| SHA256 | eaa218f07558ef946ec065c260884db0209c097bfcb1b8a54b430dc805ea2fef |
| SHA512 | 9278f173ec963a94035c4ecc07ecd8a88b780edf61fe36955f3b4e615cdc18d55632f65436273d786eef2b600736098519b1ce2779044fd420704c69239b9246 |
C:\Windows\System\tsgqlQR.exe
| MD5 | b7dacb49e03177b9c4024896c1cef494 |
| SHA1 | 67c492ea76090d348b10307e0a02110abdbba240 |
| SHA256 | 9f3e18530ed45e359ff16fcaf2a3c200451b19c2eb21140fbf59f0a96641061e |
| SHA512 | 7e841e8fcde7c18d7aa4920449527443044d02fa8b39744532bbd7c9da64f67230babcea16776a2c473ce5eb591f30a29eb71d6e5c0185364e14bed206d89c5a |
C:\Windows\System\WXsaUbE.exe
| MD5 | 89ad9129d88651c3975f8f4fedba857a |
| SHA1 | f4a49efda301ae24f207ec84be79f605690b403c |
| SHA256 | c0108b00d3941cd7de9b6d88441b73a36afcd396e5ec455a440a5c517916447e |
| SHA512 | d609ace7df0c7d70dda7a72bddc075b6eae3ac59d5460f8ce52a7dd965619d3c01f21da6fc0357b6a800e64308711065f96762c7e568bcd19aeca9e4d3517a4b |
C:\Windows\System\NEMRlBo.exe
| MD5 | 03de567986abb9cfd760174e84416438 |
| SHA1 | 6f52d8d7f9bd345c247de4256b3b86e9b6155707 |
| SHA256 | b023b5733bb2445542bd3c35acbc6dc62be973d9b6b0e3692cef28884bdfadff |
| SHA512 | d360d5863f71e0591325c648c32591ec3bb54acb0afa51924dbe4d207839cd38d8402958b49549199bc45313a1818b1bd9b96f8e1dcd2884fce665ca69a10edd |
C:\Windows\System\dWYHfem.exe
| MD5 | ed37b1b41c9755c5bf587398b976c431 |
| SHA1 | 6b97264629cf8c1731a0d35da7ac2fe5363cc17b |
| SHA256 | a51e5b9bb37222b5e47933b5d6695442ebe5ea0d7a5ec1569b13c95f5ea3b96e |
| SHA512 | 7e302fc7e3c228693da27d64be2529984cc1535b1b586d7805afb4052f4c254b46c31624395c492c17c3e1c7441ba68e5cbc65ba4c3b78812cb7b6d989a22a41 |
memory/4376-66-0x00007FF60E480000-0x00007FF60E7D4000-memory.dmp
C:\Windows\System\GSpislx.exe
| MD5 | 60efe542952f4528030d41e44773eecd |
| SHA1 | c38d0673ece0ebc3031efeb4b1fd25bc546230ee |
| SHA256 | aeb6734171d4d8798368ce44f6ab31bf2d5843529726009dca139105aa020343 |
| SHA512 | 118ddb3ff7e576e905d28370afba72ecc8e26e19dfba2d6f2e947fff6d045210ec986b391fee45ced8e8f10f57033c0f358a3f3d29613e71910984b543e2f96f |
C:\Windows\System\CGZRxrG.exe
| MD5 | 368005177623e05e176c8369f17c6dcf |
| SHA1 | 178d9b95334d070afaf9476ec3205e91424244fe |
| SHA256 | 35b6563ccab6fc20bcd355601bcaa730bc8cdcca09338a95db8fbb4a80d6aa6c |
| SHA512 | 77af24e4935c144dc9cee720850dadacdf4e5365cb9190b3582cefc1866038871706c9c104f306c1c125bf413bc9aa941a240d562177218d2288e02015678b47 |
memory/4628-115-0x00007FF7F7270000-0x00007FF7F75C4000-memory.dmp
memory/2240-116-0x00007FF783160000-0x00007FF7834B4000-memory.dmp
C:\Windows\System\BjlYNxe.exe
| MD5 | 68d5426641efb4db1a2954d3ad020195 |
| SHA1 | ee257d30b5fc954a432e573849972f0a8e6e97cb |
| SHA256 | c5572d320f980f855a5a8659328cb2a0efa7811f2e8d9294c07c7b03385e9ebb |
| SHA512 | 8cb3edb5774c82cf3bdeb2576db07515049f2471fd22a673a508f9a70ec829758709096fc5bd36e5d8434aa9b43bbfb46fcab80f5e0fc9bdd8592c7baf974ab8 |
C:\Windows\System\lVvfKUB.exe
| MD5 | a70d0b205ca3b77500c70f09714311cb |
| SHA1 | 664ba0649ba9831d8fbe7cd23ac34d9eb81b5ca1 |
| SHA256 | d5f39677eb02dfab9d1825f3a8174ce701d05eb64582075e305dbaea8dc8bcf6 |
| SHA512 | 41d706af05e48c0ca51b2fc9245e3bb0ecef29d127e330122675c6a00710e63dbe788bf239c07a980ee0dc784f79b6f742f25629fe910ce2462bc7dc545c5704 |
memory/3972-114-0x00007FF6F1D60000-0x00007FF6F20B4000-memory.dmp
C:\Windows\System\yXyahai.exe
| MD5 | 70ac081b22faf0113950ca67a18c0520 |
| SHA1 | 85796cef387f6c8eab80a03bdab63483251be50d |
| SHA256 | e4373463ab8357bd0e05f9b2403ad13933ccf5fdd522433bb6656e018a84cf05 |
| SHA512 | 5545aafcca00a3d213e90df12b8c1ae76ea77449907bc92eb8ac54b0d4b0168a72bf24a0d90ed2e2c81cb5c77df0cd9ea93c9c90defac690eea8a31c06ef454a |
C:\Windows\System\HKdLQmt.exe
| MD5 | d22b6e3c78a43db26ec54aedd87cca32 |
| SHA1 | e8b586b82c855ae91279864d09aaba485ec93dee |
| SHA256 | 8bd58ad90d010777975dcdf3cd0e2ae719d115b7f5e8ca4ca748b677cfe3ef96 |
| SHA512 | 55e0aa3d6759fb0e98bc281076df88a38bbea68e425b36cbe4909cf395b3a77bbd5d32fb45ada3961d7e34fa36335d763d9d5b9341ff9a37b53f5a8963b389ce |
C:\Windows\System\vdfNkwm.exe
| MD5 | 60562d07889b59d0f494bd896f8f9174 |
| SHA1 | 8d17cde7b29b7105f44b8ffd9f8c14acd8a40919 |
| SHA256 | 9f982195ce41b30f9bc3156c9796385442f972b08f3b797c08c65bd6ba4d1f4c |
| SHA512 | d3522c3f0ebeed821b2cf200f809503830b1d2fe7f9fcad59350fc16f121ecf3bff86f47cfe91fb29cd39fff48af4a59a41e88b4ca188ffc6a6281186ce92a00 |
memory/2176-107-0x00007FF67B790000-0x00007FF67BAE4000-memory.dmp
memory/2804-104-0x00007FF6DB5A0000-0x00007FF6DB8F4000-memory.dmp
C:\Windows\System\DMGZRpA.exe
| MD5 | bade5d650b1fcfaf3372afdeda423ed8 |
| SHA1 | 56c068e8a6a4cb05eeab873e084fe8c957200754 |
| SHA256 | 701752b22a675f6fa92f38702a3fe35a75335ecf459d85e61f40e14d41968d96 |
| SHA512 | f8a2982cd27b094fed5492de3761cf8449ea924f3fc90a9e48ae5e304c9d5559b6e02c82dc7dce94212e9798b5c84abe5ceb5535ec2eef0f0ccaa3dcf6280520 |
memory/5032-96-0x00007FF7B43D0000-0x00007FF7B4724000-memory.dmp
memory/1344-85-0x00007FF6227F0000-0x00007FF622B44000-memory.dmp
memory/4172-83-0x00007FF6A12D0000-0x00007FF6A1624000-memory.dmp
C:\Windows\System\NQoSaGj.exe
| MD5 | c7151f24d3141df3b1d91a3ef6a9be53 |
| SHA1 | 568942750d9547644b83252a8ac4295ca9c1d73c |
| SHA256 | 0e8788233594b00b233158aa997b44bd86143c5318c6b4bc4ca603bf8ec73bce |
| SHA512 | bbe6ce1540fc1b139229a32781a05d6efadbc7d8ee55f6d84ef897a6704f8b9db9b55147fd9f99ddbddbe96c215dd809ede6cdee3c86ec0d9e172420a397ec05 |
C:\Windows\System\fqJuZQZ.exe
| MD5 | 178875a883d1d0ccfcc5dd61dd2712c2 |
| SHA1 | 0da9f0d17a6718a249109ff2b727ac1f03ebfe8d |
| SHA256 | ce9f46a0f25612f36c556e2c1d6c32816fb1611a333ca52334f38ffc4b982ce7 |
| SHA512 | 77ac9c256dafeff7d97c0381db2af3adb4455de90505e400d3bcf66f85d8ade2dbb6aa358e5e543eed2abc219e479b07e277e4918bed99944c37a2ecebfd8a1a |
memory/3056-74-0x00007FF651B80000-0x00007FF651ED4000-memory.dmp
memory/1672-71-0x00007FF6B69B0000-0x00007FF6B6D04000-memory.dmp
memory/4484-67-0x00007FF766440000-0x00007FF766794000-memory.dmp
memory/4816-62-0x00007FF77BB10000-0x00007FF77BE64000-memory.dmp
C:\Windows\System\UtXhBeM.exe
| MD5 | 9dad78d67b7f1525418f4218e9fcc9a8 |
| SHA1 | f08a86dc638d24bd17f2ba30ad94432a8654f353 |
| SHA256 | b98dfacbaa7beab56f6ae408e7e17bde05f74d0afcfe1456fd0f79453f09c43d |
| SHA512 | 628951d92523750f64511c28916e938a9fa3abf75e81633c90a8bd05b0932cf4eeb7f45c83102fc9c3eb148fbc83ac355c192bdbad1622f3a14e74cb3bde88aa |
C:\Windows\System\VUlTxej.exe
| MD5 | 2617356bd7219e078525bb6a6e25a089 |
| SHA1 | 1fc3bb5b2448ffcce37b0c256acc58ef81965bdc |
| SHA256 | f4208076a4325f5dd09af2badc69e9944d30597b787d5cb8d70fd2e5b1a1b350 |
| SHA512 | 588c9e60d541464dc3c079ff7cc48f9fbc8e2c357eb51eba65c418265bb9ba8f2d282ff0f739f794af1286ba23ac16c401335be043319eaaf5c258568257d961 |
C:\Windows\System\VAlFYil.exe
| MD5 | 91c1660850d18270d3d31bbf5ce97545 |
| SHA1 | 77ce7a21b3b62b9afe2b0286b1701e4d03034cc9 |
| SHA256 | e26de3e5da8de43715f10b8111c1d2ff5363a6de0e449c2c4533481d31a7d9a7 |
| SHA512 | 57517abb422b316963dfdf7e6cb5c60057a6e90a7c22708bccab7982031d54523d80868fdc1d89fc2cff3ccf4d2c83ade42da9c8d2028290e82505f3d6425bfb |
memory/4516-49-0x00007FF770530000-0x00007FF770884000-memory.dmp
memory/4752-46-0x00007FF6EA2D0000-0x00007FF6EA624000-memory.dmp
memory/1080-45-0x00007FF70F3E0000-0x00007FF70F734000-memory.dmp
memory/220-36-0x00007FF679400000-0x00007FF679754000-memory.dmp
C:\Windows\System\VxJhAaj.exe
| MD5 | b8279073387f53dfc484bc309e347eb6 |
| SHA1 | 3dd9053b32c16a664120000d28c78bb974ee5765 |
| SHA256 | 90594333bb10d735e7445e9f7cf3f434f604a6ad59ff144adf4b5075cd130ba3 |
| SHA512 | 8035ce99bcafe5081d08fb8867340c5223dbc0f8bfbb38a30d1245d603915c6cc87371c0b2dac8880bedc1da9538187a5051b60d6551146d4a0dab661fbd7c7e |
memory/4956-18-0x00007FF7A5230000-0x00007FF7A5584000-memory.dmp
memory/3040-9-0x00007FF7F6400000-0x00007FF7F6754000-memory.dmp
memory/4432-127-0x00007FF606920000-0x00007FF606C74000-memory.dmp
memory/1260-126-0x00007FF6889C0000-0x00007FF688D14000-memory.dmp
memory/116-128-0x00007FF6C1EF0000-0x00007FF6C2244000-memory.dmp
memory/4956-129-0x00007FF7A5230000-0x00007FF7A5584000-memory.dmp
memory/4752-130-0x00007FF6EA2D0000-0x00007FF6EA624000-memory.dmp
memory/220-131-0x00007FF679400000-0x00007FF679754000-memory.dmp
memory/4816-132-0x00007FF77BB10000-0x00007FF77BE64000-memory.dmp
memory/4516-133-0x00007FF770530000-0x00007FF770884000-memory.dmp
memory/1672-134-0x00007FF6B69B0000-0x00007FF6B6D04000-memory.dmp
memory/5032-135-0x00007FF7B43D0000-0x00007FF7B4724000-memory.dmp
memory/2804-136-0x00007FF6DB5A0000-0x00007FF6DB8F4000-memory.dmp
memory/3972-138-0x00007FF6F1D60000-0x00007FF6F20B4000-memory.dmp
memory/2176-137-0x00007FF67B790000-0x00007FF67BAE4000-memory.dmp
memory/3040-139-0x00007FF7F6400000-0x00007FF7F6754000-memory.dmp
memory/4956-140-0x00007FF7A5230000-0x00007FF7A5584000-memory.dmp
memory/220-141-0x00007FF679400000-0x00007FF679754000-memory.dmp
memory/1080-143-0x00007FF70F3E0000-0x00007FF70F734000-memory.dmp
memory/4376-142-0x00007FF60E480000-0x00007FF60E7D4000-memory.dmp
memory/4752-145-0x00007FF6EA2D0000-0x00007FF6EA624000-memory.dmp
memory/4516-146-0x00007FF770530000-0x00007FF770884000-memory.dmp
memory/4484-144-0x00007FF766440000-0x00007FF766794000-memory.dmp
memory/4816-147-0x00007FF77BB10000-0x00007FF77BE64000-memory.dmp
memory/3056-148-0x00007FF651B80000-0x00007FF651ED4000-memory.dmp
memory/1672-149-0x00007FF6B69B0000-0x00007FF6B6D04000-memory.dmp
memory/4172-150-0x00007FF6A12D0000-0x00007FF6A1624000-memory.dmp
memory/1344-151-0x00007FF6227F0000-0x00007FF622B44000-memory.dmp
memory/5032-152-0x00007FF7B43D0000-0x00007FF7B4724000-memory.dmp
memory/4628-153-0x00007FF7F7270000-0x00007FF7F75C4000-memory.dmp
memory/2240-154-0x00007FF783160000-0x00007FF7834B4000-memory.dmp
memory/2804-155-0x00007FF6DB5A0000-0x00007FF6DB8F4000-memory.dmp
memory/2176-157-0x00007FF67B790000-0x00007FF67BAE4000-memory.dmp
memory/3972-156-0x00007FF6F1D60000-0x00007FF6F20B4000-memory.dmp
memory/4432-158-0x00007FF606920000-0x00007FF606C74000-memory.dmp
memory/1260-159-0x00007FF6889C0000-0x00007FF688D14000-memory.dmp