Analysis Overview
SHA256
2422aef9cf3190afce395339bf0d4e2e7d839ac42fa2834fa3291359f4d1fb65
Threat Level: Known bad
The file 2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
Xmrig family
xmrig
Cobaltstrike
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 12:39
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 12:39
Reported
2024-06-11 12:42
Platform
win7-20240508-en
Max time kernel
138s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AmRhTsH.exe | N/A |
| N/A | N/A | C:\Windows\System\lSgDTVk.exe | N/A |
| N/A | N/A | C:\Windows\System\qzpudnC.exe | N/A |
| N/A | N/A | C:\Windows\System\rmwvXBZ.exe | N/A |
| N/A | N/A | C:\Windows\System\MqLINHp.exe | N/A |
| N/A | N/A | C:\Windows\System\wffrIeg.exe | N/A |
| N/A | N/A | C:\Windows\System\ekZvGcd.exe | N/A |
| N/A | N/A | C:\Windows\System\XHRIPeN.exe | N/A |
| N/A | N/A | C:\Windows\System\WuRDoqQ.exe | N/A |
| N/A | N/A | C:\Windows\System\sypGsgl.exe | N/A |
| N/A | N/A | C:\Windows\System\HcwQtQU.exe | N/A |
| N/A | N/A | C:\Windows\System\ASEUvZO.exe | N/A |
| N/A | N/A | C:\Windows\System\sNtubhY.exe | N/A |
| N/A | N/A | C:\Windows\System\pLFnqhM.exe | N/A |
| N/A | N/A | C:\Windows\System\IyWUqQH.exe | N/A |
| N/A | N/A | C:\Windows\System\lEupEYl.exe | N/A |
| N/A | N/A | C:\Windows\System\mYoaiME.exe | N/A |
| N/A | N/A | C:\Windows\System\yOulYcf.exe | N/A |
| N/A | N/A | C:\Windows\System\vdZEYwG.exe | N/A |
| N/A | N/A | C:\Windows\System\SlFGmYj.exe | N/A |
| N/A | N/A | C:\Windows\System\dwGMYmk.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\AmRhTsH.exe
C:\Windows\System\AmRhTsH.exe
C:\Windows\System\lSgDTVk.exe
C:\Windows\System\lSgDTVk.exe
C:\Windows\System\qzpudnC.exe
C:\Windows\System\qzpudnC.exe
C:\Windows\System\rmwvXBZ.exe
C:\Windows\System\rmwvXBZ.exe
C:\Windows\System\MqLINHp.exe
C:\Windows\System\MqLINHp.exe
C:\Windows\System\wffrIeg.exe
C:\Windows\System\wffrIeg.exe
C:\Windows\System\ekZvGcd.exe
C:\Windows\System\ekZvGcd.exe
C:\Windows\System\XHRIPeN.exe
C:\Windows\System\XHRIPeN.exe
C:\Windows\System\WuRDoqQ.exe
C:\Windows\System\WuRDoqQ.exe
C:\Windows\System\sypGsgl.exe
C:\Windows\System\sypGsgl.exe
C:\Windows\System\HcwQtQU.exe
C:\Windows\System\HcwQtQU.exe
C:\Windows\System\ASEUvZO.exe
C:\Windows\System\ASEUvZO.exe
C:\Windows\System\sNtubhY.exe
C:\Windows\System\sNtubhY.exe
C:\Windows\System\pLFnqhM.exe
C:\Windows\System\pLFnqhM.exe
C:\Windows\System\IyWUqQH.exe
C:\Windows\System\IyWUqQH.exe
C:\Windows\System\lEupEYl.exe
C:\Windows\System\lEupEYl.exe
C:\Windows\System\mYoaiME.exe
C:\Windows\System\mYoaiME.exe
C:\Windows\System\yOulYcf.exe
C:\Windows\System\yOulYcf.exe
C:\Windows\System\vdZEYwG.exe
C:\Windows\System\vdZEYwG.exe
C:\Windows\System\SlFGmYj.exe
C:\Windows\System\SlFGmYj.exe
C:\Windows\System\dwGMYmk.exe
C:\Windows\System\dwGMYmk.exe
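The behavioral1 process list above shows the dropper running from the user's Temp directory, followed by a run of executables in C:\Windows\System\ with seven-letter mixed-case names. The script below is an added example, not part of the sandbox report, of a path-based triage filter for that pattern: it flags any executable under the legacy C:\Windows\System\ directory (which on a current Windows install holds a handful of 16-bit-era DLLs and drivers and normally no .exe files), separates names that fit the random seven-letter shape seen here from other executables found there, and flags executables launched from a user's Temp directory. The sample list is constructed from paths on this page plus two benign Windows binaries; the seven-letter length is an assumption taken from this run and is easy to widen.

```python
import re
from collections import defaultdict

# Constructed sample: image paths taken from the behavioral1 process list above,
# plus two benign Windows binaries added here so the filter has something to ignore.
SAMPLE_PROCESSES = [
    r"C:\Users\Admin\AppData\Local\Temp\2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe",
    r"C:\Windows\System\AmRhTsH.exe",
    r"C:\Windows\System\lSgDTVk.exe",
    r"C:\Windows\System\qzpudnC.exe",
    r"C:\Windows\System32\svchost.exe",   # benign, constructed
    r"C:\Windows\System\dwGMYmk.exe",
    r"C:\Windows\explorer.exe",           # benign, constructed
]

# C:\Windows\System (not System32) is the legacy 16-bit directory; a modern Windows
# install keeps no executables there, so any .exe under it is worth a look.
LEGACY_SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\Windows\\System\\([^\\]+)$", re.IGNORECASE)
# Assumption from this run: dropped names are exactly 7 letters with mixed case.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{7}\.exe$")
USER_TEMP = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def classify(path):
    """Return a tag for a process image path, or None when nothing is notable."""
    m = LEGACY_SYSTEM_DIR.match(path)
    if m:
        name = m.group(1)
        if RANDOM_NAME.match(name):
            return "dropped-random-name"
        return "exe-in-legacy-system-dir"
    if USER_TEMP.match(path) and path.lower().endswith(".exe"):
        return "exe-from-user-temp"
    return None


def triage(paths):
    """Group notable paths by tag; tags with no hits are omitted from the result."""
    out = defaultdict(list)
    for p in paths:
        tag = classify(p)
        if tag:
            out[tag].append(p)
    return dict(out)


if __name__ == "__main__":
    for tag, hits in triage(SAMPLE_PROCESSES).items():
        print(f"{tag}: {len(hits)}")
        for h in hits:
            print("   ", h)
```

Run over a real process-creation log, the useful signal is the combination: one parent from a user-writable Temp path spawning many children in the legacy System directory within seconds. Either tag alone will produce occasional false positives; both together, at this volume, will not.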
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1640-0-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/1640-1-0x000000013F100000-0x000000013F454000-memory.dmp
\Windows\system\AmRhTsH.exe
| MD5 | d4f8b84e755181a22b53426335b7512d |
| SHA1 | cf40ef3c659ca19a0907b809af8db438716cf875 |
| SHA256 | 468b3f26676928d3c00a69651c02db83a45ded67342aea3dc09578154fe4c5ee |
| SHA512 | 3921a08540b99f987f13da631d963c27e299a31c6974c3e6de85af53a631bd6b8989861e8b433c174e23ffae753c5813a0f2a88e6a7fd77e16d3b3cfb53d0340 |
C:\Windows\system\lSgDTVk.exe
| MD5 | 8a5501254527f310a50c53242d5dd901 |
| SHA1 | 5b5519f05cd8bdb9fc7028fcf709e24ead1337de |
| SHA256 | caf0cba3213423715d16f38622a2e7aa87abf3579653495355038e59971ad48f |
| SHA512 | eaec87a88cabcd35d5a49ee2d6cc7b9610a372f0d95b915189e1f48a1c4b25a48aeaacdb4b32cbffd24302ca2b0f26fdcbe2946b69b60108b4a0e9fbd5afad41 |
memory/1640-16-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/1640-7-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2804-14-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2252-12-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2664-25-0x000000013FD00000-0x0000000140054000-memory.dmp
\Windows\system\rmwvXBZ.exe
| MD5 | 20103a60e8f888d846c10139da60a6c1 |
| SHA1 | be3cffccad9715e551ffa4a261a8f9ef535156d0 |
| SHA256 | 40404bac691d19ac231da4f280f378cff0a6178a5efa5f2ab9ce8822b7fb6d21 |
| SHA512 | 3d4152beb5e6174b85394307f3983321cd6cf56e66a1b8672725aea169e298907cecf4b00ba764f22d19dcd44efd4b514a41858171709be50ced25a60b90c231 |
C:\Windows\system\qzpudnC.exe
| MD5 | 84acf51839b7e7576ed56c7f6a609d92 |
| SHA1 | 2c679d4830c30d740fbca02f67cf27fd5cc002a8 |
| SHA256 | bddede14e71f7ac4f2dca9f012cfcffa1b315ca7c4475ec096082347e9611f58 |
| SHA512 | 0b454dc5cb7025bf5c634199ba69cffc28572587372c3b4aa82eb316ca6504cecd021c56c6861fa0215485abe08b95fb50816611d905a2e76afa2c6cac6bd180 |
memory/1640-31-0x0000000002340000-0x0000000002694000-memory.dmp
memory/2744-30-0x000000013F560000-0x000000013F8B4000-memory.dmp
C:\Windows\system\MqLINHp.exe
| MD5 | 425428da19a1d06e9f486eb62e588647 |
| SHA1 | 1398484a2c8183d20448654674331b6a74c7adfd |
| SHA256 | 83af974acce1d0a69236a398fb24b1981b9f20f2591c0f99f985701dabff108a |
| SHA512 | 03f9668c21e49120261ee4b5813d985875403e4e7b73051d952eedb0fa6ad5dc9385d5403153ab5984dec18a64f49fbc60ced23bce4906fc9bf1710ec238d7d9 |
memory/2628-36-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/1640-28-0x000000013F560000-0x000000013F8B4000-memory.dmp
\Windows\system\wffrIeg.exe
| MD5 | 67414322c0790d081c4da841959f7bf8 |
| SHA1 | bae7a6892d981b02fab974d3ac2422f2ae116fd1 |
| SHA256 | 9add6aad6f6a416ed1cb03505ab387510347a1fc100d8087b07779300b15583e |
| SHA512 | 7df11d52c3628a26b5db6f7cdaa016ecade9cb9f2eb179a9be7e1634a86db14c736f17f0f690e42b5181e69822e182b9f744237a87d5c7ed18759566845864f5 |
\Windows\system\ekZvGcd.exe
| MD5 | 3710d9a064a64bd4092f1fffc76f206b |
| SHA1 | 8413525e14a42da7e34be82a8859ae1d3f6dd22a |
| SHA256 | 4d8607547d8c0e8667b47c21f7cd40cb79a4f2489e084e6b80d57de5f1cf8abd |
| SHA512 | 3e52ce88c42cddb9352f05fb1d039c11dfdedba7e9d64a2e1984e0eb0b7d97caf5fc7021cb6864acc7ee73d3f8bc478ab44ae808499362c733dccad00ee71f9f |
\Windows\system\XHRIPeN.exe
| MD5 | 6cdfc56ee3d3f496be4f13d1b5ee586f |
| SHA1 | 1360ecc995cfb961bb489ef74930a444bee21980 |
| SHA256 | bfde40ce191757a1a836b61048feac5984036dba9b816d3b2b31c66d220bcbb8 |
| SHA512 | fd2a0c142f4647a005d03a28b1636d6c4f66737c93af2b7068c3a102b667f5aa2e693a0d0cc4e5fbb9e7e366a5ba4c33da88260a585c5b9333f2aaafa762634f |
memory/1640-51-0x000000013F930000-0x000000013FC84000-memory.dmp
C:\Windows\system\WuRDoqQ.exe
| MD5 | f5f86a7d00ecfd1a40b6828c87ecfa30 |
| SHA1 | 33323f9782bb421b74e53dc8f38a92df1f6a3c23 |
| SHA256 | c4bc57a986265121ce913ab631a6c807bc7ef8f42ab2f138ef202041e7c3042a |
| SHA512 | 6700a8ffea5d46f55d1fc3c787f290aa821e207f1e3ad76caad2d0ed81045dfbaa73476901bc08068cb272e2a51b9b37cd661e6f8e563d63e67466eef87b80fe |
C:\Windows\system\sypGsgl.exe
| MD5 | 8cbe063c64a608e5d97d519bb406a083 |
| SHA1 | c5a29a791bac3a1e113c990b3e129fad394b68ff |
| SHA256 | 683fe1f08e6e22d494ffe6002afd1b8eba527baf1917b953c39981fe570dfcdf |
| SHA512 | 4bfe0bd328b2cdc939f51e835f7f3f90213fee232e78ee30923c9470d04312f3f96cca44170c17c56912f081dbabcf05dcf2a5de507158cebe17f3bfb9d3b145 |
C:\Windows\system\HcwQtQU.exe
| MD5 | 82d8a52e3c6f08f16be1bc0747e978cd |
| SHA1 | 5f4d28ed6fc9cf663c6e99da70dd60967d70c894 |
| SHA256 | bffcf5bff92ad503fe1822a9fd1f621336021f5f112766ec3f0dee91a1b7f1de |
| SHA512 | 1308eb4029757dffe8ed6a8eecbfa4341657c64104a8ade3148e2ea6f74ae2513e27531c3db1f2870cb3939071a4f39af8975b17dda2a4991197fe782529c857 |
C:\Windows\system\pLFnqhM.exe
| MD5 | 4447bbb23f5c6e743ad41083dcb03d71 |
| SHA1 | 0a441afbe8721ee2a1f4e52289e836fcf11702fd |
| SHA256 | d966a20e215fd012ddf47ea42e50a23526800121baae029f69d771e75267c387 |
| SHA512 | f987ca3acf15f9d3b430a834ee50765be2ca10fbe7f7f6a817b9ac57041d264769de589d7058dd51b41e207c732c07bf7e6fba0c1dc2a4cfed655adeffb203f4 |
C:\Windows\system\yOulYcf.exe
| MD5 | 24aae99f7d4ea9f2b8a60b4f15215bbe |
| SHA1 | 0cd6c5bf7e7b0acef47c41154b52c476c2b3f0a4 |
| SHA256 | 5275e0ccb4b00a6f271f71a1a65456a1009cebe982b823a376de9636b77b2f2d |
| SHA512 | f39fc62f41365f85ea65b2906bd409cad5e003a888b2549e2c012e0d741e2023b2dc8408cb4808c52ac83110b0c5de7fc709f22d0441a705ae8491af268c1d40 |
C:\Windows\system\SlFGmYj.exe
| MD5 | 736a65c01938b3666b66d6faea453e09 |
| SHA1 | d4c5d33dc4ff03ae03a62879aae4f8a085e5d136 |
| SHA256 | ddb9a3f64ac9e06475b1578409a85a39b67f0a4dc8541080fdccfc145f1d9a17 |
| SHA512 | 14b8d5739d0439cb63556d3da78f2e3d1acb146830201ad602fd3e9ad859265abb934bd1e2450487637660d37e1038687207e7b5ef3ba3eb141cab3b0c392017 |
\Windows\system\dwGMYmk.exe
| MD5 | ab4a2e223099549419d4d25445e43124 |
| SHA1 | c34a8cd55e5a179b5cf60250fa17392c61ade002 |
| SHA256 | 08bc4a09fe5b05d4ee1cc96b0cb7bcc9c767ad4ad50aaac571b88a27124b55c7 |
| SHA512 | de0122c05fa7d789dd4973d834ccf14618c9e34765fe8807916609a8b5f7115d901f1e47fa5e39f12106a3916a0fabf8c9e409b94bdffd3733f3844cf82b9efa |
C:\Windows\system\vdZEYwG.exe
| MD5 | 6e606a99e99a244aa59be5c0c59d1a92 |
| SHA1 | c05d8360547c47bc36efc57f7fc1f17313a0916d |
| SHA256 | 14551c16344b47d5ae25c2fa9c2652f77b4ad74147f1cbe8a2ee33dbae844e7c |
| SHA512 | 96019ea05c6b3619b03c1a6918949ef79bea1d07d473a2af8a314dafdc62ee0e79daa13e028f024b7fa9213b55ea20729ead877b2a424e9c098b52f853db6b4e |
C:\Windows\system\mYoaiME.exe
| MD5 | 79cfa1b042129658085ece6a3f548824 |
| SHA1 | d7b55117bfe60711200594e8edf86fca912df95f |
| SHA256 | 5f4484f32b207bcdd68a5ef577f52e9eca1eb2856e37486311407e64fd77f0c8 |
| SHA512 | b47a25021725384098a63d6f5de0b2956e8fefa0200675270d00d89b25ff8df7c31e6aa3843e5fd1d26066193bb2d634c648cb8445ec5a9b9b85d941bd89c354 |
C:\Windows\system\IyWUqQH.exe
| MD5 | c4cc7b22d8f54729068c6e7ab8c925a3 |
| SHA1 | 0e530dc249c8ff839b44c6bcd4950dd764d33d55 |
| SHA256 | 8fb11028e94451b60449d3834aa4cf653a01fee968a00f953ec505095f2c4404 |
| SHA512 | 136a955ecb6f5346474ed3c6b1c20eaa697471dc25b5c83cd010d756907f346f96f2c41bcf24dec93e28a6138856b2bfc3f4a27946ed881e91709123385f0524 |
C:\Windows\system\lEupEYl.exe
| MD5 | 490b86c769f2015f10fe519c4c70ca07 |
| SHA1 | f1461b77615256f7b1c699ad3b6d47d5f443faf1 |
| SHA256 | 6bf40af11cd2f2763a4d430871c574d7cd91c0cbd6515c42313355fb7d31543c |
| SHA512 | 5f84cb336eb6b17b5ddd48f463175b41a231f35198c68b8e33ce7a2b3e68735a49f51e6ef99c4370cfe8e292934454bdc541a45f41ab2bbd3084fc85cff60416 |
C:\Windows\system\sNtubhY.exe
| MD5 | 1336fd68087158e50ae8c43d53e55415 |
| SHA1 | e589ffe22533493a6f9525683e402284cdd87adb |
| SHA256 | 0954b5cce7b4bb8f747096368ae887a6eb08285f282faec355d099cfe95ebcd1 |
| SHA512 | bd2d775c7c5561ded88961e6c70842ff53e18a99b0b5d527946b0d4ff11173187931cc156d825d3c7f03a3d0100d837ff9f25254d30a475b2265036ee6e5809e |
C:\Windows\system\ASEUvZO.exe
| MD5 | 4f2d11f77dcbdb6a50cc7eb2f49d9a41 |
| SHA1 | 493d25344b316174ec166125bf20e77ce52d4cf3 |
| SHA256 | 71da0ff650b69780632146e87c7fce3ba168a6888365adf14976b894cf27c7f6 |
| SHA512 | f08421c57a671dc382ac80ef3fe8352637ff078bd17932608b3e5ae85a30f58dd3d70141503ba870b965b1867c11595fd2b630c9dc579bd2eb2fd68ebbffb5da |
memory/2780-49-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/1640-41-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2756-119-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2516-120-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/1640-121-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2596-122-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/1640-123-0x0000000002340000-0x0000000002694000-memory.dmp
memory/2788-124-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/3004-126-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/1640-128-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/2544-132-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/1640-131-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/1640-130-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2836-129-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/2580-127-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/1640-125-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/1640-133-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2804-134-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2780-135-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2252-136-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2804-137-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2664-138-0x000000013FD00000-0x0000000140054000-memory.dmp
memory/2744-139-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/2628-140-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2780-141-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2544-142-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2516-143-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2596-145-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2756-144-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2788-146-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/3004-147-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2580-148-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2836-149-0x000000013F7C0000-0x000000013FB14000-memory.dmp
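Each memory dump in the Files list is named memory/PID-index-start-end-memory.dmp. Read that way, the list shows one region size repeated across the dropper (PID 1640) and every child process, and the same region dumped again under a later index. The script below is an added example, not the sandbox's own tooling: it parses the dump names, collapses repeated dumps of the same region, histograms the region sizes and lists the 64 KiB-aligned bases of a chosen size, which are the plausible PE image mappings. The input is a constructed subset of the behavioral1 dump names above; the size 0x354000 used in the usage is read off those names, not assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the behavioral1 memory dump names listed above,
# in the sandbox's memory/<pid>-<index>-<start>-<end>-memory.dmp naming.
SAMPLE_DUMPS = [
    "memory/1640-0-0x00000000000F0000-0x0000000000100000-memory.dmp",
    "memory/1640-1-0x000000013F100000-0x000000013F454000-memory.dmp",
    "memory/1640-16-0x000000013F970000-0x000000013FCC4000-memory.dmp",
    "memory/1640-7-0x000000013FE70000-0x00000001401C4000-memory.dmp",
    "memory/2804-14-0x000000013F970000-0x000000013FCC4000-memory.dmp",
    "memory/2252-12-0x000000013FE70000-0x00000001401C4000-memory.dmp",
    "memory/2664-25-0x000000013FD00000-0x0000000140054000-memory.dmp",
    "memory/1640-31-0x0000000002340000-0x0000000002694000-memory.dmp",
    "memory/2744-30-0x000000013F560000-0x000000013F8B4000-memory.dmp",
    "memory/2804-134-0x000000013F970000-0x000000013FCC4000-memory.dmp",  # same region, dumped again later
    "memory/1640-133-0x000000013F100000-0x000000013F454000-memory.dmp",  # same region, dumped again later
]

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name):
    """Split a dump name into (pid, idx, start, end, size); raise ValueError if it does not fit."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, idx = int(m["pid"]), int(m["idx"])
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"non-positive region in {name}")
    return pid, idx, start, end, end - start


def unique_regions(names):
    """Collapse repeated dumps of the same (pid, start, end), keeping the earliest index."""
    seen = {}
    for n in names:
        pid, idx, start, end, size = parse_dump(n)
        key = (pid, start, end)
        if key not in seen or idx < seen[key][1]:
            seen[key] = (pid, idx, start, end, size)
    return list(seen.values())


def size_histogram(names):
    """How many distinct regions exist per size, across all PIDs."""
    return Counter(r[4] for r in unique_regions(names))


def regions_by_pid(names):
    """Distinct (start, end, size) regions grouped by PID."""
    by_pid = defaultdict(list)
    for pid, idx, start, end, size in unique_regions(names):
        by_pid[pid].append((start, end, size))
    return dict(by_pid)


def aligned_bases(names, size, granularity=0x10000):
    """(pid, base) for regions of the given size whose base sits on the allocation granularity.

    Windows maps PE images at 64 KiB-aligned bases, so these are the candidate image mappings."""
    return sorted(
        (pid, start)
        for pid, idx, start, end, sz in unique_regions(names)
        if sz == size and start % granularity == 0
    )


if __name__ == "__main__":
    for size, count in sorted(size_histogram(SAMPLE_DUMPS).items(), key=lambda kv: -kv[1]):
        print(f"{count:3d} region(s) of 0x{size:X} bytes ({size} bytes)")
    for pid, regions in sorted(regions_by_pid(SAMPLE_DUMPS).items()):
        print(f"PID {pid}: {len(regions)} distinct region(s)")
    for pid, base in aligned_bases(SAMPLE_DUMPS, 0x354000):
        print(f"  candidate image in PID {pid} at 0x{base:X}")
```

On this run every 0x354000-byte region sits on a 64 KiB boundary, in the dropper as well as in each child, and the small 0x10000 region at 0xF0000 belongs to the dropper alone. Twenty-one dropped files with twenty-one different hashes but one identical in-memory image size is the cue to diff the dumps against each other, and against the UPX-unpacked dropped files, before treating them as distinct payloads.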
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 12:39
Reported
2024-06-11 12:42
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\GzNzwus.exe | N/A |
| N/A | N/A | C:\Windows\System\arUDXfO.exe | N/A |
| N/A | N/A | C:\Windows\System\AizELIQ.exe | N/A |
| N/A | N/A | C:\Windows\System\smDYNMw.exe | N/A |
| N/A | N/A | C:\Windows\System\sAFyEOm.exe | N/A |
| N/A | N/A | C:\Windows\System\IGoTktE.exe | N/A |
| N/A | N/A | C:\Windows\System\xyUHqzn.exe | N/A |
| N/A | N/A | C:\Windows\System\IdvAJrM.exe | N/A |
| N/A | N/A | C:\Windows\System\aHIhIiU.exe | N/A |
| N/A | N/A | C:\Windows\System\YzQgKor.exe | N/A |
| N/A | N/A | C:\Windows\System\HIIGTyK.exe | N/A |
| N/A | N/A | C:\Windows\System\AKwtPpf.exe | N/A |
| N/A | N/A | C:\Windows\System\EeaRQBE.exe | N/A |
| N/A | N/A | C:\Windows\System\teYwCrx.exe | N/A |
| N/A | N/A | C:\Windows\System\GCrHplS.exe | N/A |
| N/A | N/A | C:\Windows\System\DIPybji.exe | N/A |
| N/A | N/A | C:\Windows\System\ThHsZCO.exe | N/A |
| N/A | N/A | C:\Windows\System\AGElxSy.exe | N/A |
| N/A | N/A | C:\Windows\System\SkZeOio.exe | N/A |
| N/A | N/A | C:\Windows\System\oOUFXQt.exe | N/A |
| N/A | N/A | C:\Windows\System\sjVygAS.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\GzNzwus.exe
C:\Windows\System\GzNzwus.exe
C:\Windows\System\arUDXfO.exe
C:\Windows\System\arUDXfO.exe
C:\Windows\System\AizELIQ.exe
C:\Windows\System\AizELIQ.exe
C:\Windows\System\smDYNMw.exe
C:\Windows\System\smDYNMw.exe
C:\Windows\System\sAFyEOm.exe
C:\Windows\System\sAFyEOm.exe
C:\Windows\System\IGoTktE.exe
C:\Windows\System\IGoTktE.exe
C:\Windows\System\xyUHqzn.exe
C:\Windows\System\xyUHqzn.exe
C:\Windows\System\IdvAJrM.exe
C:\Windows\System\IdvAJrM.exe
C:\Windows\System\aHIhIiU.exe
C:\Windows\System\aHIhIiU.exe
C:\Windows\System\YzQgKor.exe
C:\Windows\System\YzQgKor.exe
C:\Windows\System\HIIGTyK.exe
C:\Windows\System\HIIGTyK.exe
C:\Windows\System\AKwtPpf.exe
C:\Windows\System\AKwtPpf.exe
C:\Windows\System\EeaRQBE.exe
C:\Windows\System\EeaRQBE.exe
C:\Windows\System\teYwCrx.exe
C:\Windows\System\teYwCrx.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
C:\Windows\System\GCrHplS.exe
C:\Windows\System\GCrHplS.exe
C:\Windows\System\DIPybji.exe
C:\Windows\System\DIPybji.exe
C:\Windows\System\ThHsZCO.exe
C:\Windows\System\ThHsZCO.exe
C:\Windows\System\AGElxSy.exe
C:\Windows\System\AGElxSy.exe
C:\Windows\System\SkZeOio.exe
C:\Windows\System\SkZeOio.exe
C:\Windows\System\oOUFXQt.exe
C:\Windows\System\oOUFXQt.exe
C:\Windows\System\sjVygAS.exe
C:\Windows\System\sjVygAS.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3672-0-0x00007FF76CC10000-0x00007FF76CF64000-memory.dmp
memory/3672-1-0x00000211297C0000-0x00000211297D0000-memory.dmp
C:\Windows\System\GzNzwus.exe
| MD5 | a08e26de7d72313f1168cee04cf1bd25 |
| SHA1 | 57df32127a5d803e2ee8d5ce343b2f1c68fbff73 |
| SHA256 | aa77f4330a02f794eadffa4f244c413d1256a79bebf03dd1bcf0412606550869 |
| SHA512 | 5681276e89f7a81aad39cb3e88fd0a1a1644f89bd7a262d7708117a4424d1aa36a5d99fcd56a21b891579f8bcfdbf9021854bb90be8e19984e07cc211c88e7d4 |
memory/464-8-0x00007FF612CE0000-0x00007FF613034000-memory.dmp
C:\Windows\System\arUDXfO.exe
| MD5 | 98f70b204ecce6bbb7c8708390d836ca |
| SHA1 | 8b1823c1a5594da6cd2d8cf5b35abc3c44ce1d02 |
| SHA256 | 9eece92896de9df1197cff80aba1f9126b78825705661fb0407606c6083adbdc |
| SHA512 | 7f19f9eecb345e06194071d9fa5185af62397c2456cec9c2910e54a0e6fb241a7d23139de257db6f23f3e4960aae8b6ce3035f721dcdc94788e292963e6dab2e |
C:\Windows\System\AizELIQ.exe
| MD5 | 16511d3fbf984064aa4afa80e465e4ae |
| SHA1 | e86d43b8ec3f7ee2bfc92e33369595764d6d62b6 |
| SHA256 | 66d3141212d099a6fe9f270e5abc03e310fd3033be5e5ead3fd4fc7df3af76bc |
| SHA512 | aec7f10cb754a12627549dd4fa9b2c0784eb33eccc9e7a5f2541b01b038f7b551d4f5ba19704c032c89769f135661fc35488e5e2390ba9fc2a1bf4dcdfa4929d |
memory/2868-14-0x00007FF7C18B0000-0x00007FF7C1C04000-memory.dmp
memory/1380-20-0x00007FF6D4A00000-0x00007FF6D4D54000-memory.dmp
C:\Windows\System\smDYNMw.exe
| MD5 | 36d883317be83e322d1bd6b32aee39af |
| SHA1 | 29ac95b501bf165a3d57203efb55fe44c56cf47b |
| SHA256 | e533b24d84376ab6a9da17148ec81fa88559f6df886ca41962ca52eb24c68140 |
| SHA512 | 3592f1338e96a2218f909c39c908885efe881adbdd22bc1d455382080daa685cfd8a2eb1c773a2e5bc2824a59060c0bd179418669e14ca7243311b08bdc52e2c |
memory/4212-26-0x00007FF6FB050000-0x00007FF6FB3A4000-memory.dmp
C:\Windows\System\sAFyEOm.exe
| MD5 | 91ecd12773e4a0d90610ae304abcffd5 |
| SHA1 | f0bb139d8bf6fb7a1d134ee4aaabfbe8d71b6aec |
| SHA256 | 276056a125aaa4cbb646618e442b65af79b6c5dd80db5df9ded524fbcbc96029 |
| SHA512 | 00123d0432a352c8da70c54d416d7557136806c6cb21a557c54600057b012b35839a378533774dad73dbe121d7098a8bccdbca85937519bdc31266b9441cd6c8 |
C:\Windows\System\IGoTktE.exe
| MD5 | 9330ec702be38dd873e078e5deca0e61 |
| SHA1 | 7987e6e36d4669b7a34315b7ffe6b2ceeae5edd5 |
| SHA256 | 7c393fcf312a600fbd637160078a3090f395aaff21b46eaefa72358e79875857 |
| SHA512 | c8d34a845cfe10a1d51cdb83889f9ff68ab8374cf1b2167194f9dc887ffc15f5da9f75af20ec3b432192f01f1fa9656ffa3c5c0bef270696749a83eca70da169 |
memory/4992-37-0x00007FF6BFE60000-0x00007FF6C01B4000-memory.dmp
C:\Windows\System\xyUHqzn.exe
| MD5 | 02d1d029a3c44657da4a190c7a4ae65b |
| SHA1 | c1348b41461e4ddac501224ed4e0ad5590d2ce3f |
| SHA256 | ea36ffee02e2398e6011ecc356248fde71bd5d9bf334d7868cbbf48bf7243a44 |
| SHA512 | 4d449b3f7a321252318bfe5e31972dfafd609c2512379667f157e2f8b6976c6e20e8b0145f5fe3e51eafe4052946197c142750ca52f6037bcdcab529335a1498 |
memory/3784-41-0x00007FF7434E0000-0x00007FF743834000-memory.dmp
memory/2980-42-0x00007FF6394F0000-0x00007FF639844000-memory.dmp
C:\Windows\System\IdvAJrM.exe
| MD5 | bf0f9fb09f48d50abc0196aab71bf4cf |
| SHA1 | 89d3048ba18b9d970548ae6c53261293d920ab69 |
| SHA256 | 386c78ec6a84fd98329d35b688950303546c579d020870a8741aeb8c3a9a79b1 |
| SHA512 | 7a3c61f3cb5c4678b03279e6b9910d859ab0912a8f0790685995350ebfe68089cf93d3491b6a59c8070d494aaec65f49b97d1f6203068e9b4862775111a4f0f6 |
memory/4080-50-0x00007FF633BF0000-0x00007FF633F44000-memory.dmp
C:\Windows\System\aHIhIiU.exe
| MD5 | 12ed092ae077a62dbbd52413b5360df4 |
| SHA1 | 8cdee273eed3a3eb7aa18fbba53daf6de76a2a4d |
| SHA256 | 49af7cd791832d3f7aa9ac82d85aa23656aeb018b45ed6d92f5fd3cb502c0b64 |
| SHA512 | 9c83bf98a9585ec41c26d676d5acd5b6753e8c98eba5b641c168213a60d6fc5ede7bc2ca249383cf776e2f9552b56ad2d6fceaee7a61ff814625d51f53938a28 |
memory/4500-56-0x00007FF7F5500000-0x00007FF7F5854000-memory.dmp
C:\Windows\System\YzQgKor.exe
| MD5 | ae009d23b5c2ff7cd5eeab6d83ed6301 |
| SHA1 | be8eec4e45a8a8c2695ac2b627cffc56b7965f58 |
| SHA256 | 11a3dcd0d872bbbbb1eb99fa3572e6c150c5411cd2df25d3e7bce8776c9310d9 |
| SHA512 | d28a6bebb533f94bb6efd9b791bc6e8967ef863f7cf51e787e4725db4d305422cbeb4a52bfb1701863654891f5555c0e8e897c059dbe43ee615e644544a7b4d4 |
memory/1016-62-0x00007FF7711A0000-0x00007FF7714F4000-memory.dmp
memory/3672-66-0x00007FF76CC10000-0x00007FF76CF64000-memory.dmp
C:\Windows\System\HIIGTyK.exe
| MD5 | 9d8d94bb08aab8475353bb73b136eddb |
| SHA1 | 738549078a466080eff9234671707f5fc005f4fe |
| SHA256 | 3e0622fe15f3ed0794d06eee20d20b0247094edd1b29d3d8d07dc7dd4ee458d0 |
| SHA512 | 9d049a7170fb4d1dca89b9bd40ae8a997524bba6edc87c15a98221318c1f98d26c6e92645b463c320c2b01ee6fd6d84c225a5107f829c81ffb98af56648acfde |
C:\Windows\System\AKwtPpf.exe
| MD5 | 861e54b2b513a032a90d3efd84663abe |
| SHA1 | edc70c01e5c7224c0c417084824adc969d52765b |
| SHA256 | b5ab0511990894a3d563114d8c4fdfe96812fe127ce6e5f2e0bc3efb9a982cf3 |
| SHA512 | b23d856a383f370dd7bf6312a1572085fe358a2e6b743361bbb1bf7c0d2fb0e57e38e67afb6868e00094b65830ad6240cc77ea2e67fde2a69e9827fd4726927e |
memory/3016-67-0x00007FF63CA00000-0x00007FF63CD54000-memory.dmp
memory/464-75-0x00007FF612CE0000-0x00007FF613034000-memory.dmp
C:\Windows\System\EeaRQBE.exe
| MD5 | e150996d5517418d6aa8af411ac330be |
| SHA1 | 984df17c6bbfa7fe48c7c34d8f2ccb0b8d99f995 |
| SHA256 | fbb8252b9a36bbf7c84b2dc81e24db7cf0d21e973f3dbac89682aea90397b8da |
| SHA512 | 25e0043c258b26c9073099ecbf7772f8a93c43c2148593bd68b9155d41d43f160d70a706f1b7f0944fe9291c26caec155584dc7391db29d321acd6c5757e4915 |
memory/2940-76-0x00007FF730680000-0x00007FF7309D4000-memory.dmp
memory/3604-84-0x00007FF703220000-0x00007FF703574000-memory.dmp
C:\Windows\System\GCrHplS.exe
| MD5 | 32bdf71b2c92fdb1cdd22882dd6add1b |
| SHA1 | 50ae2fa5b94dd769cb0f568d454f71d52180b243 |
| SHA256 | cc7c1dfda9a5719e17e1da4d0374f8e359484d94c1f90a87cc43fed5eed01560 |
| SHA512 | 76ad08d3668a7804e0636e2e3571bd6b1d93a54f3bef1ef4cec08902160af2a8ef744b40e9c91f82d0af7fc6897ac20ab0afd592ae076e52c5fb1747e9d45181 |
C:\Windows\System\teYwCrx.exe
| MD5 | b60a2ce0a832bcd28b5e376d920b6a49 |
| SHA1 | be598efe9bb2cc0a02c6d0ba2fb3100ea5defffd |
| SHA256 | 7a1a67b1a5560fb6e67bb8ec44863656771478e3d4ee11e62d81f0968cab8aaa |
| SHA512 | cc8ea3ca83ac40eabbe6e3eeb15150ead2fa6bf52117b7157108571cb1d16d782c8bb71e408d326812bdfd382a5f5dd39cbe5f1a8af4eb221871b5bf744f130e |
memory/1124-93-0x00007FF791BB0000-0x00007FF791F04000-memory.dmp
C:\Windows\System\DIPybji.exe
| MD5 | 2d0394aa2d8c4a32a0019a1177a1f697 |
| SHA1 | 998589ebcdcb7c4bf05dd72eccf887f7bf945c3c |
| SHA256 | b2cc0385e97d4db2bb23a3a50222720a955784e11061be4aba0dd7929c2f611d |
| SHA512 | eb98b7a7a26bb1c315999eb8d994046565dae5af7c0852e77d203d26f512634f648c6fb444dca9c43fbd34128ecb933908c8d694ac89c12adda19939900ee31c |
memory/3440-94-0x00007FF782F40000-0x00007FF783294000-memory.dmp
C:\Windows\System\ThHsZCO.exe
| MD5 | 51a875ba806f5ef1b3f65622771f6f91 |
| SHA1 | 65637941f91263b0f874ac1ea53e86f88768654f |
| SHA256 | 7c4c8f0060dd046db4b4186026496c6256e468f21c4bc4b3b81909d7c554a161 |
| SHA512 | 6b543e58aadda55505f040824393c7eb91a8c56cfc1bd36d11365bd168638b4ecfc1a1eef3e5c3b224b5f3d4315d63b5e0f0ea123f0f5caa1beb2c73c07104fe |
memory/4592-106-0x00007FF713960000-0x00007FF713CB4000-memory.dmp
C:\Windows\System\AGElxSy.exe
| MD5 | bc85fdfc2e780bd11137bf76b6046422 |
| SHA1 | 5b49ca483da50da79aa4e3fe0b6681eae8c86407 |
| SHA256 | 22683a4563a3a23387eb1a8c8a9504c45aee7ad074de061a93e39e8fdc0196c9 |
| SHA512 | 0f9935b9010d5332f5540e9e2b87b1a511d511fb516c1e015a73c48225a7f7466016601628d231e84ef295131625da74bceb338c9d52dfe541d50199544b47a9 |
memory/4100-111-0x00007FF7A3900000-0x00007FF7A3C54000-memory.dmp
memory/2980-110-0x00007FF6394F0000-0x00007FF639844000-memory.dmp
C:\Windows\System\SkZeOio.exe
| MD5 | 434924e49fa5c97e25f096ed796cc452 |
| SHA1 | 6e12c8ad9e58632bbf4c95f418881618446103dd |
| SHA256 | 9b5966303542f3d036f540b90276dfcf36818255e07751091e3ee2ba46c8f0b8 |
| SHA512 | 1f3d1d8c93c75e5e20d6ed7f266f58234c6e9a9f51e60650a5920d12d21915a8dbd34024b7a97abf2f4f691a621a399a8e5d339386789ded231ed48323610546 |
C:\Windows\System\sjVygAS.exe
| MD5 | 4393bcf9bddaa6d82e6ac0175c61fc1d |
| SHA1 | efe328d11636db1f812748dbf9887546b94d0f06 |
| SHA256 | 527ff44d857cc592d5fd588e0896a1bcc12c1f04f1ddf39b1c943754206a3f6f |
| SHA512 | b58436ad160d252a674dc27a1c3dd2de8dfefcb730f16e255e88b1d491235a54fb642cf6119ddc8aab1ac72f157d9febc9f7aa1461e6bd52d0ff42f0a56c0817 |
C:\Windows\System\oOUFXQt.exe
| MD5 | d64118d0199f94fc73aa03703f74c623 |
| SHA1 | f7458edbd41ce6dd36ba903328d6d63e273babc0 |
| SHA256 | f7ecf5fadb7a6d63c90af087790cc2ca9a7b8ac39633a96fc43a29cb054fc041 |
| SHA512 | e7d29603273dcba56215d55d3a25c7b2a1b5607d43e2e473fc6a9996385a19f19a0e5464899a72cb5d6cb698d5e250563115d67e311563898c33cf057925381a |
memory/3716-109-0x00007FF6F0B60000-0x00007FF6F0EB4000-memory.dmp
memory/3784-104-0x00007FF7434E0000-0x00007FF743834000-memory.dmp
memory/1444-130-0x00007FF79E460000-0x00007FF79E7B4000-memory.dmp
memory/3280-131-0x00007FF7A8120000-0x00007FF7A8474000-memory.dmp
memory/2020-129-0x00007FF7DF880000-0x00007FF7DFBD4000-memory.dmp
memory/3016-132-0x00007FF63CA00000-0x00007FF63CD54000-memory.dmp
memory/2940-133-0x00007FF730680000-0x00007FF7309D4000-memory.dmp
memory/4100-134-0x00007FF7A3900000-0x00007FF7A3C54000-memory.dmp
memory/464-135-0x00007FF612CE0000-0x00007FF613034000-memory.dmp
memory/2868-136-0x00007FF7C18B0000-0x00007FF7C1C04000-memory.dmp
memory/1380-137-0x00007FF6D4A00000-0x00007FF6D4D54000-memory.dmp
memory/4212-138-0x00007FF6FB050000-0x00007FF6FB3A4000-memory.dmp
memory/4992-139-0x00007FF6BFE60000-0x00007FF6C01B4000-memory.dmp
memory/3784-140-0x00007FF7434E0000-0x00007FF743834000-memory.dmp
memory/2980-141-0x00007FF6394F0000-0x00007FF639844000-memory.dmp
memory/4080-142-0x00007FF633BF0000-0x00007FF633F44000-memory.dmp
memory/4500-143-0x00007FF7F5500000-0x00007FF7F5854000-memory.dmp
memory/1016-144-0x00007FF7711A0000-0x00007FF7714F4000-memory.dmp
memory/3016-145-0x00007FF63CA00000-0x00007FF63CD54000-memory.dmp
memory/2940-146-0x00007FF730680000-0x00007FF7309D4000-memory.dmp
memory/3604-147-0x00007FF703220000-0x00007FF703574000-memory.dmp
memory/1124-149-0x00007FF791BB0000-0x00007FF791F04000-memory.dmp
memory/3440-148-0x00007FF782F40000-0x00007FF783294000-memory.dmp
memory/4592-150-0x00007FF713960000-0x00007FF713CB4000-memory.dmp
memory/3716-151-0x00007FF6F0B60000-0x00007FF6F0EB4000-memory.dmp
memory/4100-152-0x00007FF7A3900000-0x00007FF7A3C54000-memory.dmp
memory/2020-153-0x00007FF7DF880000-0x00007FF7DFBD4000-memory.dmp
memory/3280-154-0x00007FF7A8120000-0x00007FF7A8474000-memory.dmp
memory/1444-155-0x00007FF79E460000-0x00007FF79E7B4000-memory.dmp