Analysis Overview
SHA256
643c97d607099d62fd026d9f94549dc6297bd2bb200f850cd0a408c69ef40d03
Threat Level: Known bad
The file 2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
xmrig
Cobaltstrike family
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
Cobaltstrike
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 08:45
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 08:45
Reported
2024-06-11 08:47
Platform
win7-20240508-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\JFHAFrP.exe | N/A |
| N/A | N/A | C:\Windows\System\yKKhqvV.exe | N/A |
| N/A | N/A | C:\Windows\System\YidIICM.exe | N/A |
| N/A | N/A | C:\Windows\System\hQsULnN.exe | N/A |
| N/A | N/A | C:\Windows\System\pgdFZxk.exe | N/A |
| N/A | N/A | C:\Windows\System\wAeGgMS.exe | N/A |
| N/A | N/A | C:\Windows\System\qWGUNda.exe | N/A |
| N/A | N/A | C:\Windows\System\dWerXbU.exe | N/A |
| N/A | N/A | C:\Windows\System\xCJFBzG.exe | N/A |
| N/A | N/A | C:\Windows\System\NIgvoDX.exe | N/A |
| N/A | N/A | C:\Windows\System\iTXGfQm.exe | N/A |
| N/A | N/A | C:\Windows\System\gSErCeE.exe | N/A |
| N/A | N/A | C:\Windows\System\RSsTTqJ.exe | N/A |
| N/A | N/A | C:\Windows\System\QIYndEi.exe | N/A |
| N/A | N/A | C:\Windows\System\NMFdfpo.exe | N/A |
| N/A | N/A | C:\Windows\System\xEoyJuc.exe | N/A |
| N/A | N/A | C:\Windows\System\gXZkyRh.exe | N/A |
| N/A | N/A | C:\Windows\System\xAkiZXA.exe | N/A |
| N/A | N/A | C:\Windows\System\oaakXom.exe | N/A |
| N/A | N/A | C:\Windows\System\bfGSnRv.exe | N/A |
| N/A | N/A | C:\Windows\System\YlZbtsE.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\JFHAFrP.exe
C:\Windows\System\JFHAFrP.exe
C:\Windows\System\yKKhqvV.exe
C:\Windows\System\yKKhqvV.exe
C:\Windows\System\YidIICM.exe
C:\Windows\System\YidIICM.exe
C:\Windows\System\hQsULnN.exe
C:\Windows\System\hQsULnN.exe
C:\Windows\System\pgdFZxk.exe
C:\Windows\System\pgdFZxk.exe
C:\Windows\System\wAeGgMS.exe
C:\Windows\System\wAeGgMS.exe
C:\Windows\System\qWGUNda.exe
C:\Windows\System\qWGUNda.exe
C:\Windows\System\dWerXbU.exe
C:\Windows\System\dWerXbU.exe
C:\Windows\System\xCJFBzG.exe
C:\Windows\System\xCJFBzG.exe
C:\Windows\System\NIgvoDX.exe
C:\Windows\System\NIgvoDX.exe
C:\Windows\System\iTXGfQm.exe
C:\Windows\System\iTXGfQm.exe
C:\Windows\System\gSErCeE.exe
C:\Windows\System\gSErCeE.exe
C:\Windows\System\RSsTTqJ.exe
C:\Windows\System\RSsTTqJ.exe
C:\Windows\System\QIYndEi.exe
C:\Windows\System\QIYndEi.exe
C:\Windows\System\NMFdfpo.exe
C:\Windows\System\NMFdfpo.exe
C:\Windows\System\xEoyJuc.exe
C:\Windows\System\xEoyJuc.exe
C:\Windows\System\gXZkyRh.exe
C:\Windows\System\gXZkyRh.exe
C:\Windows\System\xAkiZXA.exe
C:\Windows\System\xAkiZXA.exe
C:\Windows\System\bfGSnRv.exe
C:\Windows\System\bfGSnRv.exe
C:\Windows\System\oaakXom.exe
C:\Windows\System\oaakXom.exe
C:\Windows\System\YlZbtsE.exe
C:\Windows\System\YlZbtsE.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1640-0-0x000000013F100000-0x000000013F454000-memory.dmp
memory/1640-1-0x00000000003F0000-0x0000000000400000-memory.dmp
\Windows\system\JFHAFrP.exe
| MD5 | 5dc45f1983a40145c31b4ffccc437c3c |
| SHA1 | f5acbb6f26466342baa8626bc9b5f525a5ead664 |
| SHA256 | 625a348cc547a385b853be1f4fb854a6f7b10f81b72dcbce9844d08dfbaea00e |
| SHA512 | 9d95c02c3f84f1a54a8f76c0eb7136d54428caeccbae45a52411a34212d74784f3890c2eb6a4d4e5201d0779c251b754ec1eff39bfe28ecaed2b7ca7f1316a0f |
\Windows\system\yKKhqvV.exe
| MD5 | aa1756b717328a0ecd4f3e5aa54b7de5 |
| SHA1 | b10e6ad127d16ac298908e79c160ed04fb993e43 |
| SHA256 | d6e7f77d0154fa673a563e8007dfa463c202a53a883b6009f8a430bee0e05964 |
| SHA512 | 306c6b863baa8d8e56ddc1360d30fafa02afca0e33ae905540d6c484288c530ddd885b1cafb83bc9cb365272ae4ebc7edb43678f283cf44d3cead992bdf0bac6 |
C:\Windows\system\YidIICM.exe
| MD5 | 881e96f2959839f7a419019f52b7d9cf |
| SHA1 | 4c89e863ea72de529d2e3e6b78b38c06d662ac32 |
| SHA256 | 8127126c83d97499ed113076aefa26b742551245a4ba2fa7ff6aa9f9de436c39 |
| SHA512 | 9e97de43a56a7758f0f9225d77a234344406916648b29973edb8195b9a519147b65114f1931397d15c380bd5398487110896ccdc2e379ff081fd9d954694e260 |
C:\Windows\system\hQsULnN.exe
| MD5 | b3f1ed1573c4da8ee182b66b34cbd422 |
| SHA1 | f3947cc71b8eec41860cd57452efbd255c0fa887 |
| SHA256 | 6b836d086c64e2f4e42f6e46ea4cdd7fb7de5b760ba3c19a8e7a17ae7da5f763 |
| SHA512 | 98ce0164f13c083223f454f4d3cc2d1204eeefdd94bd4d70214a5ddf8c07e7a87e5556f2eedf927bac4cba9330b525be2dfaa4b67648a8946136c8961c40748f |
C:\Windows\system\pgdFZxk.exe
| MD5 | 555ff28bf7da3ae1488ece69e137fb14 |
| SHA1 | 8af7a2715d9ff247ad3acf726be0ee01e4099b56 |
| SHA256 | 2b13ba58b1cd88d6ef97d74862f9156c20f46ae14da391d259719c0bffd3297f |
| SHA512 | 1535affe3b002e3fb9a6f9eb2dabe80b1b5a8a8ab9abe8318a4537a7eb8f60c711e8161a7f2251871dff89ed55fb56661c8e4a302c37b6e19885bb8562e5b651 |
C:\Windows\system\wAeGgMS.exe
| MD5 | 2ad03d7c5b8908a7dec35c17ad11dc32 |
| SHA1 | ecb96f3ad8ca4b8dfe14f9d2432c10b02e313863 |
| SHA256 | 165206adb88ae580074da500ac4c44dcaa0cc77b287cc37f5d426f0340e11b22 |
| SHA512 | d169c1fe40d1cd8754a9e6d171482bdffc80513c4f4e0fe3ec3ecb9fad860cf53298c12ff326f039634cff6f4ec4c04510dd3e9dcbf789491f1f57c0b23f17f3 |
C:\Windows\system\qWGUNda.exe
| MD5 | 7873ddcd6f50f332a0fe0090738beb5a |
| SHA1 | 18d2efae95c049124c5377542a70b4214e3c2d9a |
| SHA256 | fba41f34f3cf4a40100455f538c2c74799472f9e9ea95ddc6487435412e94877 |
| SHA512 | 9d330a226a6546f71f711034f80e52e5337aa858a784fc8e4459a366c1d908b4494cba7288c9d94c9d5f9326a43758d239690ec6b510ac51cd4a80cf19f755c3 |
C:\Windows\system\dWerXbU.exe
| MD5 | 41f8b146a43264b8701604047e58f09f |
| SHA1 | 71e25033f71e2d959d2a4402d4c5e7d58e5b4b71 |
| SHA256 | 24a6d3053b537b29b38e4a1bcc6ea510f1b56206d5738684aef5eafa5935d464 |
| SHA512 | 534a8d2d605a1b4dd379c9e75afa24cef8cb6a3164bfb078e21770de3d2536baba941478446c8be9b8837c30f07f871a7839b17c68afbaa9d55f3035df635c59 |
C:\Windows\system\xCJFBzG.exe
| MD5 | 756b7280eb5b3217388c28418879333b |
| SHA1 | 54e049272b1b67a1979b75bc3869e185c3c15a8e |
| SHA256 | 2a3fe943f9614f9c55f3b2edf4639a7381d9cf3a453bf8a2b108b3ed5746ae8e |
| SHA512 | 1971252d101f55a5014f9eb39826689ed4dae1edc3513db686dda8514c1ce3f890b666482a9f4a7c68a1df079070bbf0b4b81d52ff11d6557507456455ef2b02 |
C:\Windows\system\gSErCeE.exe
| MD5 | 856f46aadae7d1015c660761d95f3d88 |
| SHA1 | e9000aad25a378f19afc1f3235b1092df7a2b71b |
| SHA256 | 1ecb240effb2a4ab2d99f64c111105b23ba085270152fe09b1ba531233b7ba9c |
| SHA512 | 10c47881c744b3ded43d1e8cd4e992a3e7eb49e18b14bc38efbd294d645eee59a4b75182720921a4b7350bd3ea5e894d65149ac7c4361fc987ba0b0577b05f6d |
C:\Windows\system\QIYndEi.exe
| MD5 | f8950d81a7d28c909826221d4be97822 |
| SHA1 | 7d4e9f67cbc1223729459882086a1dffd0b513a9 |
| SHA256 | 813703af6f97d8d92abcc954386e11e9197c36e949aec0cb3a5feb02f661b7b3 |
| SHA512 | 78adb240a8ad44055324316cf1a636645dd68303a452edc04df2c576dee7dbcf1e13c34880c3284c56b29833a59b7741b8eb22d5e6ecc88fdde3ad2893f8f45f |
C:\Windows\system\xEoyJuc.exe
| MD5 | 79d8d3b75852e856feded904475a91ba |
| SHA1 | d5dccb8bcc2627e7e339cc2821017be753823d45 |
| SHA256 | d1c63f8ec390a2c944192a86834c2febe22475bd1007d1fdd27ac4f8bd9358ce |
| SHA512 | c51b36a05cf9848d11532f12acff1b52f456b406050988223b3b0b5f51f6eb1e154c740fbe9ca48aca88bc3074c5d76e79edb0d4503c8bf011cefe0607d1617a |
C:\Windows\system\xAkiZXA.exe
| MD5 | 44e79d35874f80d1349b1f0f0cddbaef |
| SHA1 | d8f32fd8ec478b5c3b40ac76b06e19c26d2afcee |
| SHA256 | 974199b67d5b8f164f37feceaec3b07a4f687babf86b87973139e707a91dabf9 |
| SHA512 | 872f598605681e5800b8f131294c1cdb9d466bb2b194b85b5852960335b6b1fcd4da3dfea364bdb3903286576a862baf837b270a54cf379bcd7dc51572a8d4ae |
C:\Windows\system\oaakXom.exe
| MD5 | 7f08a22876db05639ca9f467f4b1fbc5 |
| SHA1 | 6abb41b608415d390561d1b1179460d0e8e8f117 |
| SHA256 | 16c3b798c08f8b02e2c6e7956fbcb8b2e3a1bcccf13a81829e9773d9f568284d |
| SHA512 | a406b7384fff0b97d29de12080b996dc5ba3dd0025daeb999242fe3acdd15bb19198a059a76087e648a0fd4840f001629e3c0143ae366f7c71dc176fe927d40a |
\Windows\system\bfGSnRv.exe
| MD5 | c92ca80669d348cf783acafd40b509d9 |
| SHA1 | 310d9d6c5b98211423af9cbd8f9b870e739e9255 |
| SHA256 | a43c3573bc75b97f61a0b2c10dfb14f81e3591b74f915f5681402df8d9ebbfd5 |
| SHA512 | 5c4fbc191404979079733290344422dee78f1ce4086c7081e5ef34c00c9f8a4d13c740bdc51f3f6d61fd5f921a02af213f0f7e2ef41093ce7a4c0dd18425aba9 |
\Windows\system\YlZbtsE.exe
| MD5 | 570240bc8d7a9fe5763bf40419fc9ee0 |
| SHA1 | cc3304a0c1fb2cea4fca9a244d33f53973a38ec6 |
| SHA256 | b5629a1838fa15e2986be7542db1e565b73e6965176b40f06be627031486c7c7 |
| SHA512 | 82fc894a73606ce921cfd109c92978122cc0ed1c9a633ef419031ed1192156b26558174934c6ea747700fee6ebb09bbb067f6ef805b550ef86bd5fbbce12bc4f |
C:\Windows\system\gXZkyRh.exe
| MD5 | ba291f15fa34edd8f46351c7dd0b6d29 |
| SHA1 | 33fe2de349e2b1d4b43b53c25b8bf2f00b6a058b |
| SHA256 | e1b9fcd53366d4e1d716e9ee35738ede5c5a88b8a0801b3f169aef3d475b1d89 |
| SHA512 | 2b2ac6bb1485f7c830f39612052728bf51e9f376c5bd7ec549911f20264c81182c3cdc799f3f2c7423c1026995329678b58b2d107287a2cdc096a3c54956f7f9 |
C:\Windows\system\NMFdfpo.exe
| MD5 | a411ea605c4016c3a7cee294f39e7a79 |
| SHA1 | 0a74063245b64a1f55fa8da1ea2b3a2ed5a605d7 |
| SHA256 | 894165712cb995bdd264696f7e0e875b793a225f093e6fe0f0a8b4cf94dd3239 |
| SHA512 | 8eb3e60af57586800ae2f4021395d7a54a3bc1442add2407c73f33126dc862f15f73df0213ed966a3e86c2e9d2038d8a37a511ae198e38542e06f68885351b7d |
C:\Windows\system\RSsTTqJ.exe
| MD5 | b7b6bb62f898e75a2786b12f404e21d7 |
| SHA1 | 9d3cfffbefd028e1094ff1fa11b26630eb10bea2 |
| SHA256 | 468a93d1574c9c6bc6a347a5ce940e40e1571b1816bb5cd74d0a265bad7598b2 |
| SHA512 | 2fc8967233d1bef888d6582b8b05d2a805dbec4cc35bf603eded864400ea73ccd2fdf16ed666c1202d784be1499a2eabb8bdacf2bb5d4ba867461ab662bd86b9 |
C:\Windows\system\iTXGfQm.exe
| MD5 | faefa57c83b68ea609d516c7054cb25b |
| SHA1 | f7c9ff94d91628458609bda9cad1fcba88f8a5bd |
| SHA256 | b76ccc0dbb3babeaa98a8aa0763472e35200b3db105fd04102b1841cbc1ccbc3 |
| SHA512 | 1f723c0e8d8aaa6c95f57d21233a5c5a98d83c73a91a339a97345136a317943498daa3993d0ad60a6c386aaff5e6578250cb84e6f3fa84ab71f9a2a7b542ddae |
C:\Windows\system\NIgvoDX.exe
| MD5 | 52d72f96e70b351968844a043ead1302 |
| SHA1 | 69b840364fec3240f4c722774d55c66113bd0d1f |
| SHA256 | b1f481b586cba0f9cd63e0b0828e08e838244d973d2ec5ceff5ee5578f4adc51 |
| SHA512 | 86eafd3a252c320a77ce36432b5b81bcc81c901cc12c9c04ab1dff2c33824e50fa863e00d71448a6cd80d90a1243186c07828737881d86b9a4116de068b1e6a7 |
memory/2252-107-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/2168-108-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/1640-109-0x00000000022B0000-0x0000000002604000-memory.dmp
memory/1640-111-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/2724-114-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/1640-120-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/2884-124-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/2692-126-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2576-128-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/1640-131-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/1640-130-0x000000013F580000-0x000000013F8D4000-memory.dmp
memory/2540-129-0x000000013F020000-0x000000013F374000-memory.dmp
memory/1640-127-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/1640-125-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/1640-123-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/2112-122-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/1992-121-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/2652-119-0x000000013F600000-0x000000013F954000-memory.dmp
memory/1640-118-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2668-117-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/1640-116-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2916-115-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/1640-113-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2664-112-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/2612-110-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/1640-132-0x000000013F100000-0x000000013F454000-memory.dmp
memory/1640-133-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/2168-136-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2540-140-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2252-141-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/2668-144-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/1992-145-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/2576-147-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2884-146-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/2724-143-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2612-142-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2692-139-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2112-138-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2652-137-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2916-135-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/2664-134-0x000000013FB70000-0x000000013FEC4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 08:45
Reported
2024-06-11 08:47
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\NqbgQRH.exe | N/A |
| N/A | N/A | C:\Windows\System\StEgseK.exe | N/A |
| N/A | N/A | C:\Windows\System\HaEnZMQ.exe | N/A |
| N/A | N/A | C:\Windows\System\PPefgPH.exe | N/A |
| N/A | N/A | C:\Windows\System\FPaAvWf.exe | N/A |
| N/A | N/A | C:\Windows\System\ySJuCtm.exe | N/A |
| N/A | N/A | C:\Windows\System\sHvEFTk.exe | N/A |
| N/A | N/A | C:\Windows\System\reAUhRI.exe | N/A |
| N/A | N/A | C:\Windows\System\vePnUlx.exe | N/A |
| N/A | N/A | C:\Windows\System\EfDfSDZ.exe | N/A |
| N/A | N/A | C:\Windows\System\hrxExIA.exe | N/A |
| N/A | N/A | C:\Windows\System\gtziiMn.exe | N/A |
| N/A | N/A | C:\Windows\System\YaIevvv.exe | N/A |
| N/A | N/A | C:\Windows\System\tOeSjjw.exe | N/A |
| N/A | N/A | C:\Windows\System\MkiabEQ.exe | N/A |
| N/A | N/A | C:\Windows\System\OkdKYef.exe | N/A |
| N/A | N/A | C:\Windows\System\xgeTUmM.exe | N/A |
| N/A | N/A | C:\Windows\System\CwPihvG.exe | N/A |
| N/A | N/A | C:\Windows\System\MMGWekM.exe | N/A |
| N/A | N/A | C:\Windows\System\DTIOUkr.exe | N/A |
| N/A | N/A | C:\Windows\System\kmhyBDV.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\NqbgQRH.exe
C:\Windows\System\NqbgQRH.exe
C:\Windows\System\StEgseK.exe
C:\Windows\System\StEgseK.exe
C:\Windows\System\HaEnZMQ.exe
C:\Windows\System\HaEnZMQ.exe
C:\Windows\System\PPefgPH.exe
C:\Windows\System\PPefgPH.exe
C:\Windows\System\FPaAvWf.exe
C:\Windows\System\FPaAvWf.exe
C:\Windows\System\ySJuCtm.exe
C:\Windows\System\ySJuCtm.exe
C:\Windows\System\sHvEFTk.exe
C:\Windows\System\sHvEFTk.exe
C:\Windows\System\vePnUlx.exe
C:\Windows\System\vePnUlx.exe
C:\Windows\System\reAUhRI.exe
C:\Windows\System\reAUhRI.exe
C:\Windows\System\hrxExIA.exe
C:\Windows\System\hrxExIA.exe
C:\Windows\System\EfDfSDZ.exe
C:\Windows\System\EfDfSDZ.exe
C:\Windows\System\gtziiMn.exe
C:\Windows\System\gtziiMn.exe
C:\Windows\System\YaIevvv.exe
C:\Windows\System\YaIevvv.exe
C:\Windows\System\tOeSjjw.exe
C:\Windows\System\tOeSjjw.exe
C:\Windows\System\MkiabEQ.exe
C:\Windows\System\MkiabEQ.exe
C:\Windows\System\OkdKYef.exe
C:\Windows\System\OkdKYef.exe
C:\Windows\System\xgeTUmM.exe
C:\Windows\System\xgeTUmM.exe
C:\Windows\System\CwPihvG.exe
C:\Windows\System\CwPihvG.exe
C:\Windows\System\MMGWekM.exe
C:\Windows\System\MMGWekM.exe
C:\Windows\System\DTIOUkr.exe
C:\Windows\System\DTIOUkr.exe
C:\Windows\System\kmhyBDV.exe
C:\Windows\System\kmhyBDV.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/852-0-0x00007FF748420000-0x00007FF748774000-memory.dmp
memory/852-1-0x000001AC942A0000-0x000001AC942B0000-memory.dmp
C:\Windows\System\StEgseK.exe
| MD5 | 85c8358aa8718ef21b76885f6cdf6465 |
| SHA1 | 9a596b27010d9e74de1976e12d46beccd9c28ff1 |
| SHA256 | b395e1f0cb8802e4e766ee1ca0585f17b6b32e613e1bb667e5278971a97056dc |
| SHA512 | 6fe9d819e1d1b6c2c0fe330463fc2fc199087ac604a300e9cb12834949b247ee3152dd949b4ee7b68b45bbb40c0a110c2f5c288d11d8e2781905134df005be97 |
C:\Windows\System\HaEnZMQ.exe
| MD5 | 87330c05741027a498d9fff6ee3a0987 |
| SHA1 | e94495e84d7eb1d207da624200119f5c97352507 |
| SHA256 | d01f52ea0dfb9c880549b7553dc1bd501b2edd067c2d910be1acdcba87a3f60c |
| SHA512 | dc13d0ef98b61ce20ff26ac6b22332a98382a739f405422ac42b00b2be6a33a6f3ad7c78b6329be5f33c45d7025481fb1b1a34c5343873f6d0ba289bfdbe7e1b |
memory/752-11-0x00007FF60EC30000-0x00007FF60EF84000-memory.dmp
C:\Windows\System\NqbgQRH.exe
| MD5 | 08b579111cec1ab7b60b4761131e9c07 |
| SHA1 | 51c30ce8ad188e64422ec63b4b90d1459eed37f7 |
| SHA256 | 7b3569811cbe332418bc67b554928f3bd8061126f9bad347d54df6b94afdfbbb |
| SHA512 | 534ef21d88fba8265a9090996cbab5d1196f3bf2ba5375b4bdd079032bc695d3e1ec1c1c0eea3296b07963be1834e1e4fe1f107bbd80de94f402a725f489547c |
memory/4356-12-0x00007FF78D690000-0x00007FF78D9E4000-memory.dmp
memory/3108-20-0x00007FF7D19E0000-0x00007FF7D1D34000-memory.dmp
C:\Windows\System\PPefgPH.exe
| MD5 | 0447b3751ee092d8e9d37f2e6049af27 |
| SHA1 | d5a0262be0bdfa223935e2278590077390ac2df8 |
| SHA256 | 605f26bce089d5f0775953d4977dbf77453fcaa3ae7c60ae0e51524ac309ef9c |
| SHA512 | f58f29d5e277461c52b12393211ce56edf9f520f3bb65575a22e11d1b21f770db751624d48754df5ef4457cb6523940345ea229043865185a78d3ed404d57161 |
C:\Windows\System\FPaAvWf.exe
| MD5 | 5c8eb99c1e9bfb82720fcde4dbff3d21 |
| SHA1 | 065b302ce88bef2b78da94617d02264c1635316f |
| SHA256 | 04ee2f5a8529b91cb26535e699e962680d19fa4a213cf17c41fc6433e1cc0a6b |
| SHA512 | af13468c0294971f2661133f66e2ca646ad4caed9ebda816c66b4513ec2377115d77201cf82ee49dbd01f805ab45a46699176154183b06f2decc87f638358cc2 |
memory/3360-27-0x00007FF63EEC0000-0x00007FF63F214000-memory.dmp
memory/4132-32-0x00007FF77A1A0000-0x00007FF77A4F4000-memory.dmp
C:\Windows\System\ySJuCtm.exe
| MD5 | d14d729ece374250b9ab4c786ffc4db3 |
| SHA1 | ae9aee482c89d73f15974fd6c35100643494e5f7 |
| SHA256 | 83974eca18d6ee66c15d905fdad0c2b6bd843b4f1048c30bbbda5c6a3a658af1 |
| SHA512 | 7e20ede8df192b82aa74fe73d45d6614b9e1bb288509dc2647d42b209ad946fb5bf1b037cbd891bad3fb18a88f0fa0acf592226cf0260166655663f32a473aff |
memory/4448-37-0x00007FF6A9710000-0x00007FF6A9A64000-memory.dmp
C:\Windows\System\sHvEFTk.exe
| MD5 | 67ac5c0f7a588009a4d46ed96181c204 |
| SHA1 | b57256a95d9b365eef73cc1efaf86ceee2a3ab90 |
| SHA256 | e250863fda2c63cfd18d1d66f7de189bf56c22f711e8b9ee349a4d70cd064bd0 |
| SHA512 | 4637a5d670f724d5a75614d0f11e03e94e49bf4713a2b5de5ab99ef9fb2dff115140c0c247f9c57b686ce90801f205c28063dcf301f4ced4e405dda458ef1690 |
C:\Windows\System\reAUhRI.exe
| MD5 | 7eddef2c1327a9f122f0574318245e68 |
| SHA1 | 611e4e0ab19804a9da8293bf86911baf23025322 |
| SHA256 | 3fd64e58b0a5d85b7b9db92597f5faf07481b2c09a69c6dc11eaa244baf6ee39 |
| SHA512 | f00979b7fabf1a36a946f9c9052f3e679a0d9a9926546154e3011e001135a992e8b8dce0bab31c9cd87c71e996d200bb3115706530da70bd704a6df353f8a2b0 |
memory/2992-55-0x00007FF6F04B0000-0x00007FF6F0804000-memory.dmp
C:\Windows\System\hrxExIA.exe
| MD5 | 86e83ad8546f770193b055c801552b17 |
| SHA1 | 64b606cec11b5ffa099ecac115243f3d4b53a075 |
| SHA256 | b1c2c654b382efab98baf73b03a6f79d752e45d2d80b441fc07e8461aeb4cdcd |
| SHA512 | 11153f7a04d593c16726e26e6afc9d07a237bf6cc89d49b4013fc733e53091baaae55dd78d9c60da0327071c06b0fe40693b8b7a088c2af80d9ab9df6304ac2c |
memory/3132-65-0x00007FF76BB60000-0x00007FF76BEB4000-memory.dmp
memory/624-71-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp
memory/2028-77-0x00007FF608E00000-0x00007FF609154000-memory.dmp
memory/3512-85-0x00007FF6DB990000-0x00007FF6DBCE4000-memory.dmp
C:\Windows\System\CwPihvG.exe
| MD5 | 25aea6da8c378238305d10ba71476616 |
| SHA1 | 9391c06903215ab5e12e3221b8f9ed95a1a1894b |
| SHA256 | 5a265991c312b29e7c3dd7b1fc7729976df0816ba5efd7cd73185297a7bb8c3d |
| SHA512 | 0b92334807b60f326c14b6c3b5b46091c285f70588b187b02d060a818f8a176055dbb4e9a25e6e5b8ed7cbf7ab10709ff55c78d39949eb2dc0347bdb25a39de3 |
C:\Windows\System\kmhyBDV.exe
| MD5 | a71b8e3f98e5318d039ee52e9b71f271 |
| SHA1 | 1fc487c9579ad6aa1c94d3cd636c4b9890c54c89 |
| SHA256 | 99957ffa46a1fdb15d571dc55d8be9b67460cc37509b976f2903aabc2f5a5397 |
| SHA512 | b2838847ddfd217b2016df8a11139c1c300deca2e49c3bf019354f41934cbfd689c2964544ee1efb937eb67259298985eb0d4d37c39fad7c6f4eb2a5af26af5c |
C:\Windows\System\DTIOUkr.exe
| MD5 | 89ca264ac8ceb3f14a1a5306532a9bff |
| SHA1 | 303f897dd0ead89ce37dc70da81329df7f9a534b |
| SHA256 | 8f0ba89a4dfe5cbe2e6b0de685abfffa7e06d2a8cf337a0f4b979c8c8504ab7a |
| SHA512 | 99d0e16ad4b3fde421afeb07fcb1b9bd03a1cf315cf22e5a40425db1c58c6b64b99352b4f1c7df8b852e72b1e2b4acc4cad56e5a8cb1186c2f0758fd1c3a8437 |
C:\Windows\System\MMGWekM.exe
| MD5 | db21c29b805538e31a06cfd034f56e5e |
| SHA1 | 6bb2e724403757d8df46b08be8ba1195be695f52 |
| SHA256 | e632d3f639ebb083f4245bcdb69cdcf6e447aec4ded393bc8b315098b9956149 |
| SHA512 | 18fbec528d8ce8cb5ed3f8d38008d47c1e05844b974757e570adf58f2109730949b358a33ada96a6517f9ef801867358f024f6a1cb7176dc149afa19235f4228 |
C:\Windows\System\xgeTUmM.exe
| MD5 | 9797c62ed0a98a0f7615f08eaa1fb616 |
| SHA1 | 3c110589f1a4a9eae66ff1e9143e7252a7ca3395 |
| SHA256 | d3a235593c3a5615371ddfd615134ecf46d08ea1b324c602e037eb90d48343cd |
| SHA512 | b938d5b29955c97c285c6c3709a2d40de353436107fbf3da177ce8979a59fdc76f8fd1d623268ba3a7f0edb1c6c1ee10b188fa058c47853485059cc25824b6f7 |
C:\Windows\System\OkdKYef.exe
| MD5 | 033935b9041ca3eba95982b1f0eea72e |
| SHA1 | b577756c16e2c36e34ae9d4e6c3a2d0fe4c94678 |
| SHA256 | e74dc53b21e39de7a6d1706f72fbb0e52acb8a2dcd2eb0186310577f0d2b4332 |
| SHA512 | 90fa2099ae19571437d07b60941b2902c460ca179b7f8cae140aab82568b739e0d858e7e4c7810c2ef3dcb3f8fe61e7da3c11c6bc10d892bea223e93bdacc5f3 |
C:\Windows\System\MkiabEQ.exe
| MD5 | 80e7a1c795f7a637638e5c5abfae670b |
| SHA1 | 976523e2873f326c952669abc22eeac80e9bc504 |
| SHA256 | b3af4c7154bb447ad10747d73ac25d2ce9c2d8553bfe5d1fda8563a143ebe280 |
| SHA512 | c6e5bc83689964937e6f0f91001b4b7de76e9b2ff6958ddafacd7f90ca40a204ec47e8e3052486291dc26148d82af912b015feb4cef5384e5bad49ede2b29459 |
C:\Windows\System\tOeSjjw.exe
| MD5 | 370a077b01aae66ec9189b9cefccc1b5 |
| SHA1 | e2d9d0a2029973c95beb130653548a35d2f20433 |
| SHA256 | 07078757ef538a26af84cd8de4431994961d46a6f73c61b239a98da9eaa163eb |
| SHA512 | 2993a14b28382f0fb47e7c3d21a94fa127fc5510965cc9564816332cff3cdb1cfaa64e39b4776ce1f29f9fd87ffa42c7eefb96468da93c2c8787c50e3f0c424d |
memory/2760-88-0x00007FF6E2820000-0x00007FF6E2B74000-memory.dmp
memory/752-84-0x00007FF60EC30000-0x00007FF60EF84000-memory.dmp
C:\Windows\System\YaIevvv.exe
| MD5 | e090404d2b9623b771cba4e41e3d5b12 |
| SHA1 | 091875ec30ab7123168ab7a42959fb14f439e516 |
| SHA256 | 686d72d56bdd3b527548740674b4fe4f58425ae262fd69a9d26a4ae3db04e505 |
| SHA512 | 62424e5802f615701cd53f6d97c69dad9b3dcf8389f4e70f139a748229a7aba8cd96e295e9fd8c2875b526e71356aee5ad7f45bf8344666a728d6dad1139f9c9 |
memory/852-78-0x00007FF748420000-0x00007FF748774000-memory.dmp
C:\Windows\System\gtziiMn.exe
| MD5 | 3806d61d05f2d5f3064021e1e6fe50df |
| SHA1 | 97c8a27fb757a88f45482991ffd979b26327182b |
| SHA256 | a0f82d5a0f43d1fc20662843ade2bfc680a556700839db2babae8ce5d20f409f |
| SHA512 | aabf46e67ca28d74cc1be42de83cd3def73c9fd113635cc8c782ccf697bc983529d42cb56aed0e1c017338489cae4e03a4b2f144497e600cae90e1b5abbb406a |
C:\Windows\System\EfDfSDZ.exe
| MD5 | a888a1ef06b5cc875033cae95df4a076 |
| SHA1 | 0dd40d6093ce8402ac62b2d9864d61d5621401e5 |
| SHA256 | fab7e70ae68630a6f97340ea529fd57a3afdd0b328a6479751b18fdf8bbbdb96 |
| SHA512 | d5d91af47e1adf7e7bedf56d614aa1fdc22178eca4aaf71435ee6e043e0447cc0453d9972585fc6a46080218ecf5ee89d3c271b089af317de8571f615f917d7a |
memory/3468-62-0x00007FF650350000-0x00007FF6506A4000-memory.dmp
C:\Windows\System\vePnUlx.exe
| MD5 | 70a274c93041ef6cb8a37c890a68a29c |
| SHA1 | d4c2f2f2a5a8c29d68530c666fe2b398af99c4da |
| SHA256 | 83be60dab5afb8dd88d395a910c2a9e9be52b914c0e0e272f0ec3b0ef862bb90 |
| SHA512 | 7f67e201f356d9105eba5b897a593e2b9cfdddc6abdf5e1d56adde2602abbc0edffacd0f0a7dea54a3f296ab1e1843eb70d0a2cd34ffbf7a84d9d0523b377fe8 |
memory/4004-46-0x00007FF66EE80000-0x00007FF66F1D4000-memory.dmp
memory/4724-123-0x00007FF689750000-0x00007FF689AA4000-memory.dmp
memory/4584-124-0x00007FF7F7650000-0x00007FF7F79A4000-memory.dmp
memory/2636-125-0x00007FF657850000-0x00007FF657BA4000-memory.dmp
memory/4652-127-0x00007FF7EB8D0000-0x00007FF7EBC24000-memory.dmp
memory/2644-126-0x00007FF7A9DC0000-0x00007FF7AA114000-memory.dmp
memory/1936-128-0x00007FF618440000-0x00007FF618794000-memory.dmp
memory/4404-129-0x00007FF76DA60000-0x00007FF76DDB4000-memory.dmp
memory/4448-130-0x00007FF6A9710000-0x00007FF6A9A64000-memory.dmp
memory/3132-131-0x00007FF76BB60000-0x00007FF76BEB4000-memory.dmp
memory/2028-132-0x00007FF608E00000-0x00007FF609154000-memory.dmp
memory/624-133-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp
memory/2760-134-0x00007FF6E2820000-0x00007FF6E2B74000-memory.dmp
memory/4356-135-0x00007FF78D690000-0x00007FF78D9E4000-memory.dmp
memory/752-136-0x00007FF60EC30000-0x00007FF60EF84000-memory.dmp
memory/3108-137-0x00007FF7D19E0000-0x00007FF7D1D34000-memory.dmp
memory/3360-138-0x00007FF63EEC0000-0x00007FF63F214000-memory.dmp
memory/4132-139-0x00007FF77A1A0000-0x00007FF77A4F4000-memory.dmp
memory/4448-140-0x00007FF6A9710000-0x00007FF6A9A64000-memory.dmp
memory/4004-141-0x00007FF66EE80000-0x00007FF66F1D4000-memory.dmp
memory/2992-142-0x00007FF6F04B0000-0x00007FF6F0804000-memory.dmp
memory/3468-143-0x00007FF650350000-0x00007FF6506A4000-memory.dmp
memory/624-144-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp
memory/2028-145-0x00007FF608E00000-0x00007FF609154000-memory.dmp
memory/3132-147-0x00007FF76BB60000-0x00007FF76BEB4000-memory.dmp
memory/3512-146-0x00007FF6DB990000-0x00007FF6DBCE4000-memory.dmp
memory/2760-148-0x00007FF6E2820000-0x00007FF6E2B74000-memory.dmp
memory/4724-149-0x00007FF689750000-0x00007FF689AA4000-memory.dmp
memory/4584-151-0x00007FF7F7650000-0x00007FF7F79A4000-memory.dmp
memory/2636-152-0x00007FF657850000-0x00007FF657BA4000-memory.dmp
memory/4404-150-0x00007FF76DA60000-0x00007FF76DDB4000-memory.dmp
memory/4652-154-0x00007FF7EB8D0000-0x00007FF7EBC24000-memory.dmp
memory/2644-155-0x00007FF7A9DC0000-0x00007FF7AA114000-memory.dmp
memory/1936-153-0x00007FF618440000-0x00007FF618794000-memory.dmp