Analysis Overview
SHA256
0580ceaa067653d75937f6c77bc24679ecb3818a6362883615739eb5f5cd8b3a
Threat Level: Known bad
The file 2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike family
Cobalt Strike reflective loader
Xmrig family
Detects Reflective DLL injection artifacts
Cobaltstrike
XMRig Miner payload
UPX dump on OEP (original entry point)
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-11 12:44
Signatures
Cobalt Strike reflective loader: 1 match, no indicator details recorded
Cobaltstrike family
Detects Reflective DLL injection artifacts: 1 match, no indicator details recorded
UPX dump on OEP (original entry point): 1 match, no indicator details recorded
XMRig Miner payload: 1 match, no indicator details recorded
Xmrig family
UPX packed file: 1 match, no indicator details recorded
Unsigned PE: 1 match, no indicator details recorded
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 12:44
Reported
2024-06-11 12:47
Platform
win7-20240508-en
Max time kernel
136s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target details recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; no description, indicator, process or target details recorded.
UPX dump on OEP (original entry point)
51 matches; no description, indicator, process or target details recorded.
XMRig Miner payload
53 matches; no description, indicator, process or target details recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\RUDYbdX.exe | N/A |
| N/A | N/A | C:\Windows\System\UTftjcX.exe | N/A |
| N/A | N/A | C:\Windows\System\AJvJekb.exe | N/A |
| N/A | N/A | C:\Windows\System\zOLvLVM.exe | N/A |
| N/A | N/A | C:\Windows\System\wzdvfWx.exe | N/A |
| N/A | N/A | C:\Windows\System\mqoRaLO.exe | N/A |
| N/A | N/A | C:\Windows\System\WmfNMpa.exe | N/A |
| N/A | N/A | C:\Windows\System\dlWtEUd.exe | N/A |
| N/A | N/A | C:\Windows\System\iImCbvm.exe | N/A |
| N/A | N/A | C:\Windows\System\nCZqIKN.exe | N/A |
| N/A | N/A | C:\Windows\System\yLxBYAc.exe | N/A |
| N/A | N/A | C:\Windows\System\tGJlmzA.exe | N/A |
| N/A | N/A | C:\Windows\System\mqHcAWZ.exe | N/A |
| N/A | N/A | C:\Windows\System\iwByyRE.exe | N/A |
| N/A | N/A | C:\Windows\System\YVHFXOF.exe | N/A |
| N/A | N/A | C:\Windows\System\gIzWCUF.exe | N/A |
| N/A | N/A | C:\Windows\System\BKApAke.exe | N/A |
| N/A | N/A | C:\Windows\System\NkGDSqw.exe | N/A |
| N/A | N/A | C:\Windows\System\ErWWhhS.exe | N/A |
| N/A | N/A | C:\Windows\System\UQlQmBf.exe | N/A |
| N/A | N/A | C:\Windows\System\cEqKFHF.exe | N/A |
Loads dropped DLL
UPX packed file
51 matches; no description, indicator, process or target details recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\RUDYbdX.exe
C:\Windows\System\RUDYbdX.exe
C:\Windows\System\UTftjcX.exe
C:\Windows\System\UTftjcX.exe
C:\Windows\System\AJvJekb.exe
C:\Windows\System\AJvJekb.exe
C:\Windows\System\zOLvLVM.exe
C:\Windows\System\zOLvLVM.exe
C:\Windows\System\wzdvfWx.exe
C:\Windows\System\wzdvfWx.exe
C:\Windows\System\mqoRaLO.exe
C:\Windows\System\mqoRaLO.exe
C:\Windows\System\WmfNMpa.exe
C:\Windows\System\WmfNMpa.exe
C:\Windows\System\dlWtEUd.exe
C:\Windows\System\dlWtEUd.exe
C:\Windows\System\iImCbvm.exe
C:\Windows\System\iImCbvm.exe
C:\Windows\System\nCZqIKN.exe
C:\Windows\System\nCZqIKN.exe
C:\Windows\System\gIzWCUF.exe
C:\Windows\System\gIzWCUF.exe
C:\Windows\System\yLxBYAc.exe
C:\Windows\System\yLxBYAc.exe
C:\Windows\System\BKApAke.exe
C:\Windows\System\BKApAke.exe
C:\Windows\System\tGJlmzA.exe
C:\Windows\System\tGJlmzA.exe
C:\Windows\System\NkGDSqw.exe
C:\Windows\System\NkGDSqw.exe
C:\Windows\System\mqHcAWZ.exe
C:\Windows\System\mqHcAWZ.exe
C:\Windows\System\ErWWhhS.exe
C:\Windows\System\ErWWhhS.exe
C:\Windows\System\iwByyRE.exe
C:\Windows\System\iwByyRE.exe
C:\Windows\System\UQlQmBf.exe
C:\Windows\System\UQlQmBf.exe
C:\Windows\System\YVHFXOF.exe
C:\Windows\System\YVHFXOF.exe
C:\Windows\System\cEqKFHF.exe
C:\Windows\System\cEqKFHF.exe
Network
| Country | Destination | Domain | Proto | Connections |
| DE | 3.120.209.58:8080 | | tcp | 6 |
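The behaviours above are the ones a defender can hunt for without the sandbox: a sample running from the user's Temp directory, a chain of executables with random seven-letter names dropped directly under C:\Windows\System (not System32) where each launches the next, a request for SeLockMemoryPrivilege (the right XMRig asks for to use large pages, but one that legitimate services such as SQL Server also adjust, so it is only meaningful on a suspect image), and TCP connections to 3.120.209.58:8080. The following detection logic is an added example and is not part of the sandbox report. The event schema is a simplified, assumed Sysmon-style layout, and the parent/child links between the PIDs are assumed; the PIDs 1520, 2360 and 1532, the image paths and the endpoint are taken from this report's behavioral1 run. The constructed events also include negatives (a System32 binary with a seven-letter name, a service adjusting the same privilege, ordinary HTTPS) to show what the rules do not flag.

```python
import re

# Pattern for the dropped binaries in this report: seven letters, no digits,
# directly under C:\Windows\System (not System32). The names are generated per
# run, so the directory and the name shape are the stable part, not the names.
DROPPED_EXE_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
# The initial sample ran from the user's Temp directory.
USER_TEMP_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Network indicator from the report's Network table.
KNOWN_BAD_ENDPOINTS = {("3.120.209.58", 8080)}


def is_suspect_image(image):
    """True for the Temp-resident sample or one of its randomly named drops."""
    return bool(DROPPED_EXE_RE.match(image) or USER_TEMP_RE.match(image))


def triage(events):
    """Walk ordered telemetry events and return the matched indicators.

    Assumed simplified schema (not a real Sysmon export):
      {"kind": "process",   "pid": int, "ppid": int, "image": str}
      {"kind": "privilege", "pid": int, "privilege": str}
      {"kind": "network",   "pid": int, "dst_ip": str, "dst_port": int}
    """
    image_by_pid = {}
    findings = {"dropped_chain": [], "lock_memory": [], "known_bad_endpoint": []}
    for ev in events:
        if ev["kind"] == "process":
            image_by_pid[ev["pid"]] = ev["image"]
            parent = image_by_pid.get(ev["ppid"], "")
            # Random-name EXE under C:\Windows\System launched by the Temp sample
            # or by a sibling drop: the "Executes dropped EXE" chain.
            if DROPPED_EXE_RE.match(ev["image"]) and is_suspect_image(parent):
                findings["dropped_chain"].append(ev["image"])
        elif ev["kind"] == "privilege":
            image = image_by_pid.get(ev["pid"], "")
            # SeLockMemoryPrivilege alone is not malicious (SQL Server and other
            # services enable it for large pages); only flag it on suspect images.
            if ev["privilege"] == "SeLockMemoryPrivilege" and is_suspect_image(image):
                findings["lock_memory"].append(image)
        elif ev["kind"] == "network":
            if (ev["dst_ip"], ev["dst_port"]) in KNOWN_BAD_ENDPOINTS:
                findings["known_bad_endpoint"].append(image_by_pid.get(ev["pid"], "<unknown>"))
    return findings


def verdict(findings):
    """A chain of two or more drops corroborated by the privilege request or
    the endpoint hit is high confidence; either alone is medium."""
    chain = len(findings["dropped_chain"]) >= 2
    corroborated = bool(findings["lock_memory"] or findings["known_bad_endpoint"])
    if chain and corroborated:
        return "high"
    if chain or corroborated:
        return "medium"
    return "none"


# Constructed events mirroring the behavioral1 run. PIDs 1520/2360/1532 appear in
# the report's memory-dump names; the parent links between them are assumed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe"
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 1520, "ppid": 900, "image": SAMPLE},
    {"kind": "privilege", "pid": 1520, "privilege": "SeLockMemoryPrivilege"},
    {"kind": "process", "pid": 2360, "ppid": 1520, "image": r"C:\Windows\System\RUDYbdX.exe"},
    {"kind": "process", "pid": 1532, "ppid": 2360, "image": r"C:\Windows\System\UTftjcX.exe"},
    # Negatives: a System32 binary whose name is also seven letters, a service
    # that legitimately asks for SeLockMemoryPrivilege, and ordinary HTTPS.
    {"kind": "process", "pid": 3000, "ppid": 900, "image": r"C:\Windows\System32\notepad.exe"},
    {"kind": "process", "pid": 3100, "ppid": 4, "image": r"C:\Program Files\Microsoft SQL Server\sqlservr.exe"},
    {"kind": "privilege", "pid": 3100, "privilege": "SeLockMemoryPrivilege"},
    {"kind": "network", "pid": 1520, "dst_ip": "3.120.209.58", "dst_port": 8080},
    {"kind": "network", "pid": 3000, "dst_ip": "52.111.236.23", "dst_port": 443},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(result)
    print("verdict:", verdict(result))
```

The chain rule keys on the directory and name shape rather than on the hashes, because the drops in the behavioral1 and behavioral2 runs share neither names nor hashes; the hash tables in the Files sections are still worth loading as exact-match indicators, but a name-shape rule is what catches the next rebuild.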
Files
memory/1520-1-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/1520-0-0x0000000000300000-0x0000000000310000-memory.dmp
\Windows\system\RUDYbdX.exe
| MD5 | 331d95777bf52a8f06052834c6c241dd |
| SHA1 | e263cda4aeaaed59aabf42ff91ebd3457fb4e45b |
| SHA256 | c2cbebad4c4ac1aae80adee73ac81a4ac1d5b6f09bb07129c91a67af0e7a56c9 |
| SHA512 | f9ac074ef5f0a6acfefab22b5cc761f92be32da518c82da082ffbbc90b607f336ec8c02bb5ac310e2de0b3e120a83e9059ba2f563dbe330333d3194954835ee7 |
C:\Windows\system\UTftjcX.exe
| MD5 | 23fec13af1b81636f7f5b0e014d46adb |
| SHA1 | 6e273ef3ac36e572853bf450021b7c8426cc853f |
| SHA256 | a3e3d6ec5deb0cd5b15ee827f58e721618d03597511efbeb6d80fdb8a50597bc |
| SHA512 | 23351450dfa0034bc21cdeb391e01db5339480b788ac2e98d2aaa00e9eaa797b9f06ee7bab0affa12145aae4cc4b745923dcaa643c84f540261940877f8bb282 |
memory/1532-16-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2360-14-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/1520-12-0x000000013F140000-0x000000013F494000-memory.dmp
memory/1520-11-0x000000013F1E0000-0x000000013F534000-memory.dmp
C:\Windows\system\AJvJekb.exe
| MD5 | e65774df286db516baa7efa426e8baa9 |
| SHA1 | 9e7d0bc7cb12937a6fcb15dd0f36f47c8224e7e7 |
| SHA256 | 231fa48c00cae94e0b431f4442dee3242492d6947f40b1960ea6e5cfecfb1d11 |
| SHA512 | 12369e1f2a884723d578681cb794455fd9a62bb0c658b5b32aac8d30c126c1e90b1860a6429a08441186cd1ee8775bb27ede054a2b7b1b95158dc946c21632c4 |
C:\Windows\system\zOLvLVM.exe
| MD5 | 0169c44c64beaf6e303b5b6b7da37a7c |
| SHA1 | 8ff599847e9e50576b46f8ce40505f70f3b4c1ca |
| SHA256 | 5895c15b8e8780b468e88c93db97771d44e2bfdc051019789fb3737d3b897326 |
| SHA512 | 5f8513723601ae63f61a05383c3d4c8c52261462466aae20bcc168e7060ae961aab234c69889a713ab4ecf8ca8927a719cbec2dd572a2b4459db18215b569bdc |
memory/1520-28-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2828-27-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2248-26-0x000000013F9B0000-0x000000013FD04000-memory.dmp
\Windows\system\wzdvfWx.exe
| MD5 | d38fd6b3b6c239944b3bf8f12abadcce |
| SHA1 | fdcc974a7ac765768383ce4f06cc963e4e428540 |
| SHA256 | 239efb5d9880eaf459298bd353f053f9146b42a2e9ba578492e4ec3e6fd77e29 |
| SHA512 | 516cd2353aac91cdee2af8a4cb6304b8ca0cb6a3a15a951adf9bafedc2ebf415fa87692a3ea02d4d2a2cbf7df60d83b5c2153d175a0169354d28364da088bf36 |
C:\Windows\system\mqoRaLO.exe
| MD5 | 1a2cb4f3c64d08565ce99f3b2a782044 |
| SHA1 | d29e73dca57bf428b6f1a1f54a9786234ac3af52 |
| SHA256 | 7d66569b265bcc7859dbef47e4f090d0b512ff32601127bf294b317978d51233 |
| SHA512 | 05f28077a16770646d0080379a95be4525d62a3879078c251d3640c65a13c5f01ee78c3b5ad8399cce40c1bd4caed0fc56aa5415266d24a6bd44a50f63537614 |
memory/1520-41-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2896-42-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2656-35-0x000000013FC30000-0x000000013FF84000-memory.dmp
\Windows\system\WmfNMpa.exe
| MD5 | 026d980d7b4bb11dea3f8a49f4784166 |
| SHA1 | 492dc94e631e9797893e511644de3ea70336a89f |
| SHA256 | d083bbc6df8dcad8254203017deeaf07df93073e13c813c9e5c45b8d8e63d81f |
| SHA512 | c94a65ed15a8b0fd65d859e60ff0acc8ea04cabdc262c0e15d1fb3b1f87f476baf8b14d5c6c621b5715e89353bd3efc04443f4cf60fe2a4dcd912fa32c671817 |
memory/1520-44-0x000000013F040000-0x000000013F394000-memory.dmp
C:\Windows\system\dlWtEUd.exe
| MD5 | c32a3146eb66abeee92051ee6541f99b |
| SHA1 | c081d4052d639806c63134eee14df5c211b14d78 |
| SHA256 | b1ed598df9f6359e85173b8fe1e91ffc64e2591950ae17c8900130994b806eda |
| SHA512 | 21351401a5ce0e843d4151d7270f610a718e3c2fb940946e1efef4669aa3a1c334e28a19a07a35c770f6531d8741e57a040cc8588d4fda56dae9542fb29f46cf |
memory/2832-57-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2524-51-0x000000013F040000-0x000000013F394000-memory.dmp
memory/1520-50-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/1520-49-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2248-72-0x000000013F9B0000-0x000000013FD04000-memory.dmp
C:\Windows\system\tGJlmzA.exe
| MD5 | 2ca1041dbc658610faf630960d958cc7 |
| SHA1 | 6fc9e47dfb3b0eeba160a23b5febdc94b7b77df6 |
| SHA256 | 4e03767fe5234b734b6e28fbe4926ca0b181a935a1e352443cdc1b8936efc006 |
| SHA512 | 6a660097289f3b5e184066c30b3210853009e6a1c507fb19b97e0b5c17f6d886c0d10efd7d526fc44f77e95f69b4902ad4f64fdd19501d66d1108343a5c1db30 |
C:\Windows\system\iwByyRE.exe
| MD5 | 52cad4a4df933a83f0fee457a028d0d4 |
| SHA1 | 5e71e99bdfeee835f8b06818985bf70a13f1f512 |
| SHA256 | 7cb70aa80c35b9ee4951dcda808bf500eecf7cc26297268a1f4ce452d8457c8f |
| SHA512 | 32c831b758e8a08a32392fb4f6890d0cd64c586178547db1c647b7d7125f966af8ac24ce3db994ff3c4ef0681c203b9a9f22b661deb20b731fdee8a92b1aae10 |
memory/1520-117-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/1520-120-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
C:\Windows\system\iImCbvm.exe
| MD5 | d1a8bd3bcb40dc3ffae1473dc209ee54 |
| SHA1 | cf6b092179d7a80e86ab71a5b75c5a5507dcc940 |
| SHA256 | 795e77873a90a6f74fe433467c1767564c0bfaa8a9c46f7d363b9950b60ff6c6 |
| SHA512 | 5562a1bbea583e84297ff2c267dd0936641597b7f718964cc3d7d1f9d7fe1d046df679ae401fb55fbed1f35752c6cc85718d85329e7579ee5c8bfb13e051caca |
\Windows\system\gIzWCUF.exe
| MD5 | b7d6a09103695c8357f328cddc75c5dd |
| SHA1 | 43352d8b8621a61a73bb067ba27b47a42aa4658a |
| SHA256 | 2f1559b9ccffe5ac6e4c5bcc9a51e79a56cc4511ef5ff60b5c3758b105971ff8 |
| SHA512 | 9b5d8b83881acff29899c5ee54c4d617c7430c6202ed2c9af7e3e4400815573dbdd7ae976df7ffa468336e96ff2d4064daeec523b78de7255fab1a194c8afa14 |
C:\Windows\system\NkGDSqw.exe
| MD5 | 905f4ac8268a616e6df684358d84a7ad |
| SHA1 | 688d6f8a9ea338b8cca48a17c5f0ddbc757b53f1 |
| SHA256 | cdf9a874e0da1e9b65e633bf64d3324dbcd851778c8ccdc7afe645a1e55a0a57 |
| SHA512 | 09e56759cc9c61474fca73b73fe1badae6eff0412f3a416715cbbc3e5851fcb92311316ec089e8c991f0449c68f05302983a9fe8e5ce06ca5f0d9100d0bf752c |
\Windows\system\cEqKFHF.exe
| MD5 | ad0f20db10900c6f2866788fdc3b958a |
| SHA1 | ca6857c07b888f92c8318b4e860f4fa5fb7e553b |
| SHA256 | ea5335648aef9b3bbca171a2b97e8d87de5ec3c0a6a7d49507cb23cafba254f9 |
| SHA512 | bfadcdf6b7b60e1540115c0c49b7dc2bc785c1e2ae07f0f894efc8b05e6d1df998ad8813d3e0cf2eb301469e24cc8538ae060b8f6b937bd3df96ee504b442a6c |
\Windows\system\UQlQmBf.exe
| MD5 | f9151ac357509927a3a65a753db44be4 |
| SHA1 | 4f90339b969703857165675a27473cade1e7b910 |
| SHA256 | 9a010c54b64fbbb76d29af96843a8f435add0d2097a329462989bb2276006faa |
| SHA512 | 6d447fd4064e3d8609db38f0071a07f0d4a010ae3fd2da60cf2de40aaf6476b12113bcaa4f527e5b98465bb915c9e1d318556f477e4331d8fd2f6a3e239f0456 |
\Windows\system\ErWWhhS.exe
| MD5 | 69de93702911b037b2a405aebffb1699 |
| SHA1 | f808c6e39a16efc57a007e9d824515f5754f48c1 |
| SHA256 | 117632220e728b3c0ed0b3e245ea07ca4e40dc248de16fa77e8f118abea43af3 |
| SHA512 | 0a8448f590faeeba4b2a15d10f2cadc1df567d29a62a591160be587660bb03ffd5780181c36b3b1153b91406336ab0fd4da3ee714e221de2f9f8c9db4c348426 |
memory/2960-86-0x000000013FD20000-0x0000000140074000-memory.dmp
\Windows\system\BKApAke.exe
| MD5 | 49a5604ce4ed5020ab15ecec3ca7114a |
| SHA1 | ed85a8aa348a58c0cdec114b5e5a3b93be4841ce |
| SHA256 | 81f3cac444d30b5038f71cd924933993eae2dafe842717fd38735799f7c7f608 |
| SHA512 | b6dbadd27ebca58bd62645205f3330ea102bfafcacd3510b415a4007c6e23704806d8562342eec6c9162d19e77a0eb121e241712b09fc719ca988bc53f9bb080 |
memory/1532-69-0x000000013F140000-0x000000013F494000-memory.dmp
memory/1520-121-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2828-118-0x000000013F5D0000-0x000000013F924000-memory.dmp
C:\Windows\system\YVHFXOF.exe
| MD5 | d0f015347d06223c642f9a73d2211a5c |
| SHA1 | 510555403f458873c1326acd0960bec21acc27d7 |
| SHA256 | 0369b21ea4332d4d4193d9d366ce4103a187943eff4f31975428a5f74b8ddd2f |
| SHA512 | 88d5c763d397ac51498c9020875375f97ace3b4c5299c63fee9069359dfbe32b4f43256656636766ed51f6f13a7c42f843e093e82006ca739c63f77b554f68c4 |
memory/2568-110-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/2240-107-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
C:\Windows\system\mqHcAWZ.exe
| MD5 | 453f016633a4bd3d6d1fdcdd9315b66f |
| SHA1 | df9b6677bd3d411e8b8a2f5685c61604afb96b73 |
| SHA256 | 370301e6cf8ad3c3973a1ba336603712e205a1645d7005395a7a5d2a9be4fa8e |
| SHA512 | a9efa9f559f0e0b990cb53976487498af2a784d368f05f76bb4ed369c494ef27d721d2732b93668f12b8fdb69f290749b466d17107ae652474abeaea225794f2 |
memory/1520-100-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2564-90-0x000000013F550000-0x000000013F8A4000-memory.dmp
C:\Windows\system\yLxBYAc.exe
| MD5 | 01e1d40b01ac6596ffe2d4b91c2e7a18 |
| SHA1 | 4db6c050b696c4507841804a730f86892021b87f |
| SHA256 | d6b23b981947e903ffc07f71505e5f2132e81b57a2d06493879a67ee3a7480ed |
| SHA512 | b2b3f4369267579c8930cf31bc7dcc39b11b39e5a280b994bd4dd0f5f4f593992a486641035c50f1c40ee54a8f6e7ace78efd0565e39d76031a7e39419044ded |
memory/1520-81-0x000000013F550000-0x000000013F8A4000-memory.dmp
C:\Windows\system\nCZqIKN.exe
| MD5 | 729432aaa5b114ff03ad680fa4950adf |
| SHA1 | 40714493e02f1ffd585bff7b9533c2cfc36224ba |
| SHA256 | 453d5fe7c6eeb11f6e4528642fe8c8372813abe7192f9ddc15484fcdb34a9e95 |
| SHA512 | 5f7283593868484658eee73a9efa99402877f452763ea8dbf25e398fb51f88bb8d1d53364cb377559cf0e1cc1b791f625805440588c38d16e77317fcd2ade5da |
memory/1520-63-0x0000000002320000-0x0000000002674000-memory.dmp
memory/1520-135-0x000000013F320000-0x000000013F674000-memory.dmp
memory/1520-136-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2960-137-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/1520-138-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2360-139-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/1532-140-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2248-141-0x000000013F9B0000-0x000000013FD04000-memory.dmp
memory/2828-142-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2656-143-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2896-144-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2524-145-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2832-146-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2564-147-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2568-148-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/2240-149-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2960-150-0x000000013FD20000-0x0000000140074000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 12:44
Reported
2024-06-11 12:47
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target details recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; no description, indicator, process or target details recorded.
UPX dump on OEP (original entry point)
64 matches; no description, indicator, process or target details recorded.
XMRig Miner payload
64 matches; no description, indicator, process or target details recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UFXEtEP.exe | N/A |
| N/A | N/A | C:\Windows\System\gCZBlMM.exe | N/A |
| N/A | N/A | C:\Windows\System\iAWovvm.exe | N/A |
| N/A | N/A | C:\Windows\System\iNpFgxG.exe | N/A |
| N/A | N/A | C:\Windows\System\MiaqAvs.exe | N/A |
| N/A | N/A | C:\Windows\System\pzTFwta.exe | N/A |
| N/A | N/A | C:\Windows\System\gXcxEWb.exe | N/A |
| N/A | N/A | C:\Windows\System\vAHpBez.exe | N/A |
| N/A | N/A | C:\Windows\System\kseZHNn.exe | N/A |
| N/A | N/A | C:\Windows\System\zliyROq.exe | N/A |
| N/A | N/A | C:\Windows\System\DTnnxHs.exe | N/A |
| N/A | N/A | C:\Windows\System\ymtsEbL.exe | N/A |
| N/A | N/A | C:\Windows\System\HSQJUqP.exe | N/A |
| N/A | N/A | C:\Windows\System\WMOQseW.exe | N/A |
| N/A | N/A | C:\Windows\System\MJrtNxg.exe | N/A |
| N/A | N/A | C:\Windows\System\EWwgIGT.exe | N/A |
| N/A | N/A | C:\Windows\System\VscFDCx.exe | N/A |
| N/A | N/A | C:\Windows\System\otgGGqS.exe | N/A |
| N/A | N/A | C:\Windows\System\FpldlTF.exe | N/A |
| N/A | N/A | C:\Windows\System\fNpjUKC.exe | N/A |
| N/A | N/A | C:\Windows\System\nyyhNKW.exe | N/A |
UPX packed file
64 matches; no description, indicator, process or target details recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\UFXEtEP.exe
C:\Windows\System\UFXEtEP.exe
C:\Windows\System\gCZBlMM.exe
C:\Windows\System\gCZBlMM.exe
C:\Windows\System\iAWovvm.exe
C:\Windows\System\iAWovvm.exe
C:\Windows\System\iNpFgxG.exe
C:\Windows\System\iNpFgxG.exe
C:\Windows\System\MiaqAvs.exe
C:\Windows\System\MiaqAvs.exe
C:\Windows\System\pzTFwta.exe
C:\Windows\System\pzTFwta.exe
C:\Windows\System\gXcxEWb.exe
C:\Windows\System\gXcxEWb.exe
C:\Windows\System\vAHpBez.exe
C:\Windows\System\vAHpBez.exe
C:\Windows\System\kseZHNn.exe
C:\Windows\System\kseZHNn.exe
C:\Windows\System\zliyROq.exe
C:\Windows\System\zliyROq.exe
C:\Windows\System\DTnnxHs.exe
C:\Windows\System\DTnnxHs.exe
C:\Windows\System\ymtsEbL.exe
C:\Windows\System\ymtsEbL.exe
C:\Windows\System\HSQJUqP.exe
C:\Windows\System\HSQJUqP.exe
C:\Windows\System\WMOQseW.exe
C:\Windows\System\WMOQseW.exe
C:\Windows\System\MJrtNxg.exe
C:\Windows\System\MJrtNxg.exe
C:\Windows\System\EWwgIGT.exe
C:\Windows\System\EWwgIGT.exe
C:\Windows\System\VscFDCx.exe
C:\Windows\System\VscFDCx.exe
C:\Windows\System\otgGGqS.exe
C:\Windows\System\otgGGqS.exe
C:\Windows\System\FpldlTF.exe
C:\Windows\System\FpldlTF.exe
C:\Windows\System\fNpjUKC.exe
C:\Windows\System\fNpjUKC.exe
C:\Windows\System\nyyhNKW.exe
C:\Windows\System\nyyhNKW.exe
Network
| Country | Destination | Domain | Proto | Connections |
| DE | 3.120.209.58:8080 | | tcp | 6 |
| IE | 52.111.236.23:443 | | tcp | 1 |
Files
memory/4276-0-0x00007FF67D6D0000-0x00007FF67DA24000-memory.dmp
memory/4276-1-0x000001E194580000-0x000001E194590000-memory.dmp
C:\Windows\System\UFXEtEP.exe
| MD5 | ae99c37a3dab579b5440571216d4b201 |
| SHA1 | 9fa096bbbb95002fe5d6bfe9defad4ad00e4e6b7 |
| SHA256 | db0b977f105ffd1bcc7025c44d69f117dedb5e2db08aaa03696b691d68824ce7 |
| SHA512 | c3900200563aece188cc8b61cf3ce9097449130f363240453bbe377657b28cf260fb0b8bbe645300c63eb4259f5ec7e6aeb02e0784a06369dc1c02522b51c111 |
C:\Windows\System\iAWovvm.exe
| MD5 | ddb18809fe091ddeac3a93b61d7081f9 |
| SHA1 | d9767cd34967a84dadb6f423b0beb06e3c8477c0 |
| SHA256 | fb2f42be05c10040e76a2d75c06be091e60abb54a102ddd983f97126b1d7190e |
| SHA512 | 57ac7e508398e81e3fb5352cf707d3bb370fdcc0cdcf83a644c664b195b6b776f09aa6187f3467046f6a26b626f8f09dbf8d3fd93ce75d9ee7a0a00f0d2deabd |
C:\Windows\System\gCZBlMM.exe
| MD5 | 4be11b422107747f8c4fe2a6c984c58e |
| SHA1 | 70400cfbf1c97957d491b616784d70dcf0150cf0 |
| SHA256 | e322f848fc0e0ba64aeffb7188675abc455619f39f9636627040ad56b284344e |
| SHA512 | 89064e56996c5f2fb51a23d18db38907ccf17ff0f5ad2deb942b8b69068f95a9c197bb1397c66dd639039d3181e9110e0e94a4e3af17c0d56d9b58bec87c7300 |
memory/2624-16-0x00007FF6CC660000-0x00007FF6CC9B4000-memory.dmp
C:\Windows\System\iNpFgxG.exe
| MD5 | 0db2339d2102072afb3b59ad59358841 |
| SHA1 | edb350ac97dc0d20a7de97fd0c764d3b2b14ee87 |
| SHA256 | 28cb46d69799f3789cae96a3bd7bdf96bc1f57661e9c63e3b025cf24c404a0c4 |
| SHA512 | 7fa833363b39c52234a34d1d5f6cdddfaeeb242b7f25283d33823c66b96ab4e9ef9e35e568d1606481e0092bb98e6422e25ce728bf6d29aa5f1552188bfc8cfb |
C:\Windows\System\MiaqAvs.exe
| MD5 | bd0bb4a48c0fd644dfdb1592c208bdfb |
| SHA1 | ae1d4694fc97f04823600865d8ba5afd41842dbc |
| SHA256 | 52506c7b54bbb3bb52dd35fa84ff9ec3430bbf3fec11c104b795a12d837df5b8 |
| SHA512 | be7144d78e9f512ba1cb30d9a2d323460679b9d61eed2fa425f5606450f5a3710c18d3a13ddfa507c590e9a8cc8a3eddb3537bdfe36e50603be2bd9eb15c03c0 |
memory/3640-32-0x00007FF7B6A70000-0x00007FF7B6DC4000-memory.dmp
C:\Windows\System\gXcxEWb.exe
| MD5 | c44ea4f97f217ab5b3f9a894ba1b9c95 |
| SHA1 | 8eb57eda27aa017661cceec0088fad0081100597 |
| SHA256 | a8e6cf18f2b7b817bed2cde462262cf7f0030aad8fd586e6b68a41b7465edba4 |
| SHA512 | c14f765ba34ed923d84563e97f564fc7defe7ee7f3de59e68fabeca64611110f816ac8d93c5ccfbb14a03d2f70ca404a697f2fc1dd7a0c32ef62746efeafa2c0 |
C:\Windows\System\vAHpBez.exe
| MD5 | 8ca3ce559fc71f2bbf22623aaa71fec4 |
| SHA1 | a50bf611a7716d7ca0dbfabd625e4d3a2731b955 |
| SHA256 | 299f50ae42ef576f551cd83b6cce6b58198fe0ace29d14441873dccddc091f1f |
| SHA512 | 3ac46a75ee7caabd49f81482b19d75ab16ea8d3b91bbf92bfa81419f646cbaff7864aca88c9d3b2ab5a14e08bae19300816ac01c100584288b105159c6177b4c |
memory/3284-45-0x00007FF7A0800000-0x00007FF7A0B54000-memory.dmp
C:\Windows\System\pzTFwta.exe
| MD5 | d7d3323badba4657766eb374aa88d352 |
| SHA1 | d3ee9ab8871ed32e981a219f3f7df9dbd94db025 |
| SHA256 | 01a3db23226235fe6a14df081c5700e74d8d88721330b949078c882a4898f1cc |
| SHA512 | d5f10b993a7905831dc73a71ce2a58b38c7463c3541678cc4ee2937ed1de638f3b96518f91c7aaa2e16bf1fc0c0eff2d3690b526d17e51e4cfeee3ebaee0469b |
memory/1132-40-0x00007FF6ECCE0000-0x00007FF6ED034000-memory.dmp
memory/3896-37-0x00007FF660C40000-0x00007FF660F94000-memory.dmp
memory/3100-27-0x00007FF6009A0000-0x00007FF600CF4000-memory.dmp
memory/3656-26-0x00007FF7CE640000-0x00007FF7CE994000-memory.dmp
memory/4204-10-0x00007FF7C33F0000-0x00007FF7C3744000-memory.dmp
C:\Windows\System\kseZHNn.exe
| MD5 | b63243134836b8742019b2b677501d90 |
| SHA1 | 1fc45dc8b9e1bdaf01e8fa1a6d6922320698fea3 |
| SHA256 | 50255be8e7eee73a5201c5b77d33dc6cf1d1668de66c3202558909e4c846034a |
| SHA512 | 67733d416c9df5e4da22d9200ddf711e59b23914539e792192b6a6976c453a59eaefceb2e48be9712549e2a5abb76164af91210c6d8c62710b7dd08fc27fb254 |
memory/3588-54-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp
C:\Windows\System\zliyROq.exe
| MD5 | 9b8f0349223c94f905079d1924800bc4 |
| SHA1 | bbdfebe3c07749eff7d727fb1b6bd90a7689057b |
| SHA256 | 94839ae1b8f594bbc9b6af16b127f8eba2e45295b70c3dd228691a9106f89fd5 |
| SHA512 | 9740a732cc6a26e9c7f9dd3ed893a92868928299f03573737b5f150c7a40294e41a5482144d03e9f7deb2c8140335692fb00f895ce70ff9b79b0805e24f513d3 |
C:\Windows\System\DTnnxHs.exe
| MD5 | da0c3854edd879edbcd7df917078fdc0 |
| SHA1 | 4f95bf3b9cf6ce18cf116de0b79da033af948f6f |
| SHA256 | 87b39f0a383aba62cec3d7a89aca21a4887c28059ac071f90eb1fd1e2ec96240 |
| SHA512 | e327a1b74702a01dc55140a8a0aba3bd3a4b28f6f7c3dd180880fbc6bbb2db6fb42cb38d56841f5f5fc737381f8625b438a35c84801e07c041d3fb1f8310ddd5 |
memory/600-68-0x00007FF7DA2F0000-0x00007FF7DA644000-memory.dmp
memory/1620-70-0x00007FF668980000-0x00007FF668CD4000-memory.dmp
C:\Windows\System\ymtsEbL.exe
| MD5 | 1e4f3d22e6aafad119d1bbcf929ce469 |
| SHA1 | e48cc7c3e30961ce6f340f6ee6984c2e1a7a9a1e |
| SHA256 | f7ac2c64198eb4ed51f0b0abcac15f4c830e82109f4a3d0a4ff02305f9bd0595 |
| SHA512 | d8ab2364b2c87d5928304e487766d7c47387615ebb761b649c1e0e2c870f27122cafe590df5a2a50d3ffeccb38b8863a87588fbcbaceba34551551419c81af4b |
C:\Windows\System\HSQJUqP.exe
| MD5 | 3a1ad934433ff98b3774cbc2b15bca68 |
| SHA1 | 69992675a2f8211a436350fc62350228433b5e1c |
| SHA256 | 3c38e8c1fb09e206ad127a5e0d082c13427adff0b547955697e54c4f49831a57 |
| SHA512 | 338c24534df19f446a52da0a8546067bacb79c6d1534b266b7788d0ef959580e46309c3a3acd8add621f2673f5791e01f75d271de918987c39d8040db594e0bd |
memory/3100-87-0x00007FF6009A0000-0x00007FF600CF4000-memory.dmp
C:\Windows\System\EWwgIGT.exe
| MD5 | 12157465e1191ed355098311cd1437f4 |
| SHA1 | 2de4e5e2e8d3e3084371a9f79472612573206d95 |
| SHA256 | b89942aab932012d61b58ef25b1e45dc7f6bb320b0ecac5b49b18c94338b6054 |
| SHA512 | caf34671f0530f53034ae8ce0328813ca91fbf6de020e133fb8d9c4cbaf1e5d68cc1bee28b8669a9329206d7756b3910c6cb87481089a188b0ee43baa0695a7a |
C:\Windows\System\MJrtNxg.exe
| MD5 | 08c2fb9400746cd9f0db3aa55e9e67a9 |
| SHA1 | 16736572328c5efe1b7f8ebb2833f3d89fa6e4ae |
| SHA256 | d44f0c810c85742dfd65c66128c72192f7867400cc04cd7cc55c415ab54aaf05 |
| SHA512 | b1519849add659c6f0b19e7a472cad47a1a759e6854db13ec639270443e370050b9450fa296895bdb0b8c10c70755ecec2f168f783ad44e7bb2aa6b81d57a606 |
C:\Windows\System\WMOQseW.exe
| MD5 | 42f5e9a43222fc81fc7d826e31ee5a3a |
| SHA1 | 5c944b1a96c702b9cce81311b297e80a66ef0dea |
| SHA256 | 0ada4136bd1bd8d73fb564ad73dfa5411741ab76e1c94d85690c02592f72661a |
| SHA512 | 6ae7c568d521e5af81fc06be4e2cca57cc4e2c106a896ae7b2f8bb326d9fd15cac9fbfa99c92967c5ce087a6895a20721020fceef0c5c586ff70a65ba6433502 |
memory/3600-88-0x00007FF7E9BC0000-0x00007FF7E9F14000-memory.dmp
memory/4080-86-0x00007FF638BF0000-0x00007FF638F44000-memory.dmp
memory/3336-75-0x00007FF7F44A0000-0x00007FF7F47F4000-memory.dmp
memory/4276-69-0x00007FF67D6D0000-0x00007FF67DA24000-memory.dmp
memory/2920-113-0x00007FF71BEC0000-0x00007FF71C214000-memory.dmp
memory/1836-117-0x00007FF71D990000-0x00007FF71DCE4000-memory.dmp
memory/4740-118-0x00007FF798790000-0x00007FF798AE4000-memory.dmp
C:\Windows\System\fNpjUKC.exe
| MD5 | 8fa96088e44ff34f26678e71215b854f |
| SHA1 | 5bde4e041ff467683c1691ec4b4864d977007b56 |
| SHA256 | 7f1476de0d2e59c40d708f4ad673fe65d4e11e0cd1d82f33ffbf38cceff69e19 |
| SHA512 | baa4d0cf43f3fd810f1826a944e53e1baa056a7d5a3cd1555d886b83d29be82639ff22e240ba45f1d5afd0f36cc95df404c6b5455ecb4c48c2bb75e78ba6f838 |
C:\Windows\System\FpldlTF.exe
| MD5 | da5b1fc872c41710047ae810c5612e9d |
| SHA1 | 9c1deff9717aaf7ba1aba6b363406bb4caa2e26c |
| SHA256 | 62dfe5848d36a24b145eed4ba10937f70e25e2f8004e1914b678ff792238ee41 |
| SHA512 | e133144246c33ec01be65a5293f15abe6eb4ae9acbf2de079657bc217ab50f08864347bd2516a104efad6d87b59e418343c3a9db5f48097efde5f6b1eff65539 |
C:\Windows\System\otgGGqS.exe
| MD5 | adb47b93ed3de20b9a820a42c0d4e25d |
| SHA1 | 192132eb58211431897d9a2f51f58d357935ab2d |
| SHA256 | 53b31e481a5cfb3dc9b6407f08586a169dce3bd29b71d64d0f22f392a3e76081 |
| SHA512 | 947f3683d51b904cc83a89f0a24386f0e650193b2f1109ab86e73d2a56f418f20e51829332e927b77ae391384ace0796dcd47ad1f3396ec346fac592f0e2cc32 |
memory/1132-109-0x00007FF6ECCE0000-0x00007FF6ED034000-memory.dmp
C:\Windows\System\VscFDCx.exe
| MD5 | e19db02ba0e2fea57df003d6a8693b04 |
| SHA1 | 6263cf2d9b6986bf2fe1964ebc4497f643467c15 |
| SHA256 | 60a9f6b4204e58c5c071def9013927aa08815b4371dc78ee3437207108d5767c |
| SHA512 | 99efbf0ff32ebe69b168899ce5d5e232b4de319e2af33e36696d65feb62e22f9dda20426d1ff7d3f5e8efd3c42da48e5e1f25d10d2aeeffed9f86fba63cbce21 |
memory/2692-101-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp
memory/2392-100-0x00007FF65D8E0000-0x00007FF65DC34000-memory.dmp
memory/3896-99-0x00007FF660C40000-0x00007FF660F94000-memory.dmp
memory/3284-126-0x00007FF7A0800000-0x00007FF7A0B54000-memory.dmp
C:\Windows\System\nyyhNKW.exe
| MD5 | 601d261e1b55f54d85bc6015c5e0a0b2 |
| SHA1 | a119caf0ba7140170757af666df87c682cf4f889 |
| SHA256 | db0f5ddd4762382482bdea6c5032e48ce9a4b53651ee5e4ec7e393b4fdf3ff99 |
| SHA512 | 1a63648076d5766495ed8033d27c7a040d4c4a71c6df93554b15917ebe5cf14247fccdcb08656051cdad9e5a32f5645c2be3557267d9116498d20e0670a71e88 |
memory/2428-127-0x00007FF7FC4D0000-0x00007FF7FC824000-memory.dmp
memory/3588-132-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp
memory/896-133-0x00007FF6EC870000-0x00007FF6ECBC4000-memory.dmp
memory/3336-134-0x00007FF7F44A0000-0x00007FF7F47F4000-memory.dmp
memory/4080-135-0x00007FF638BF0000-0x00007FF638F44000-memory.dmp
memory/3600-136-0x00007FF7E9BC0000-0x00007FF7E9F14000-memory.dmp
memory/4740-137-0x00007FF798790000-0x00007FF798AE4000-memory.dmp
memory/4204-138-0x00007FF7C33F0000-0x00007FF7C3744000-memory.dmp
memory/2624-139-0x00007FF6CC660000-0x00007FF6CC9B4000-memory.dmp
memory/3656-140-0x00007FF7CE640000-0x00007FF7CE994000-memory.dmp
memory/3100-142-0x00007FF6009A0000-0x00007FF600CF4000-memory.dmp
memory/3640-141-0x00007FF7B6A70000-0x00007FF7B6DC4000-memory.dmp
memory/3284-143-0x00007FF7A0800000-0x00007FF7A0B54000-memory.dmp
memory/1132-144-0x00007FF6ECCE0000-0x00007FF6ED034000-memory.dmp
memory/3896-145-0x00007FF660C40000-0x00007FF660F94000-memory.dmp
memory/600-146-0x00007FF7DA2F0000-0x00007FF7DA644000-memory.dmp
memory/3588-148-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp
memory/1620-147-0x00007FF668980000-0x00007FF668CD4000-memory.dmp
memory/3336-149-0x00007FF7F44A0000-0x00007FF7F47F4000-memory.dmp
memory/4080-150-0x00007FF638BF0000-0x00007FF638F44000-memory.dmp
memory/2392-152-0x00007FF65D8E0000-0x00007FF65DC34000-memory.dmp
memory/2692-151-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp
memory/3600-153-0x00007FF7E9BC0000-0x00007FF7E9F14000-memory.dmp
memory/2920-154-0x00007FF71BEC0000-0x00007FF71C214000-memory.dmp
memory/1836-155-0x00007FF71D990000-0x00007FF71DCE4000-memory.dmp
memory/2428-156-0x00007FF7FC4D0000-0x00007FF7FC824000-memory.dmp
memory/4740-157-0x00007FF798790000-0x00007FF798AE4000-memory.dmp
memory/896-158-0x00007FF6EC870000-0x00007FF6ECBC4000-memory.dmp
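The rows above are the raw indicators as the sandbox emitted them. The following Python script is an added example, not part of this report or of the sandbox's own tooling: it parses the dropped-file hash rows, the `memory/<pid>-<n>-<start>-<end>-memory.dmp` entries and the Network rows into a structured form that can be fed into a hash blocklist or a dump-triage workflow. It assumes the line layouts shown on this page and embeds a subset of the rows above as its sample input. Two things the parsed form makes visible that the raw listing does not: every dumped region except `4276-1` spans exactly 0x354000 bytes, the same image size mapped at a different base in each PID, even though the dropped files have distinct hashes on disk (consistent with one payload re-packed per drop, which is worth confirming by diffing the dumps); and the Network rows collapse to six TCP connections to 3.120.209.58:8080 plus a single one to 52.111.236.23:443, which the report does not attribute, so only the former should be treated as the candidate C2 on the strength of this page alone.

```python
"""Turn the report's 'Files' and 'Network' rows into structured IoCs.

Added example, not part of the original report or of any sandbox product.
Assumes the Triage-style line formats shown above: a dropped-file path
followed by `| MD5 | <hex> |` rows, `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp`
entries, and `| <CC> | <ip:port> | <domain> | <proto> |` network rows.
"""
import re
from collections import Counter, defaultdict

# Sample input: a subset of rows copied from the report above (SHA1/SHA512
# rows omitted for brevity), embedded so the script runs offline. The network
# rows are kept exactly as the page renders them, including the misaligned
# ones where 'tcp' sits in the Domain column and the Proto cell is empty.
SAMPLE = r"""
C:\Windows\System\UFXEtEP.exe
| MD5 | ae99c37a3dab579b5440571216d4b201 |
| SHA256 | db0b977f105ffd1bcc7025c44d69f117dedb5e2db08aaa03696b691d68824ce7 |
memory/4276-0-0x00007FF67D6D0000-0x00007FF67DA24000-memory.dmp
memory/4276-1-0x000001E194580000-0x000001E194590000-memory.dmp
C:\Windows\System\iAWovvm.exe
| MD5 | ddb18809fe091ddeac3a93b61d7081f9 |
| SHA256 | fb2f42be05c10040e76a2d75c06be091e60abb54a102ddd983f97126b1d7190e |
memory/2624-16-0x00007FF6CC660000-0x00007FF6CC9B4000-memory.dmp
memory/3100-27-0x00007FF6009A0000-0x00007FF600CF4000-memory.dmp
memory/3100-87-0x00007FF6009A0000-0x00007FF600CF4000-memory.dmp
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | tcp | |
| IE | 52.111.236.23:443 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
NET_RE = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*(\d{1,3}(?:\.\d{1,3}){3}:\d+)\s*\|(.*)$")


def parse_dropped_files(text):
    """Map each dropped-file path to its digests; reject digests of the wrong length."""
    files, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
            continue
        m = HASH_RE.match(line)
        if m and current:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{current}: {algo} digest has {len(digest)} hex chars")
            files[current][algo] = digest
    return files


def parse_memory_dumps(text):
    """Return (pid, seq, start, end) tuples; end is exclusive, so size == end - start."""
    out = []
    for line in text.splitlines():
        m = MEM_RE.match(line.strip())
        if m:
            out.append((int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
    return out


def region_sizes(dumps):
    """Count distinct region sizes; one size recurring across many PIDs is one image mapped repeatedly."""
    return Counter(end - start for _, _, start, end in dumps)


def regions_by_pid(dumps):
    """Distinct (start, end) ranges per PID; the same region dumped twice counts once."""
    by = defaultdict(set)
    for pid, _, start, end in dumps:
        by[pid].add((start, end))
    return dict(by)


def parse_network(text):
    """Count (country, ip:port, domain, proto) tuples. Tolerates the page's
    misaligned rows, where the protocol sits in the Domain cell and Proto is empty."""
    conns = Counter()
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if not m:
            continue
        rest = [c.strip() for c in m.group(3).strip("|").split("|")]
        proto = next((c.lower() for c in rest if c.lower() in ("tcp", "udp")), "")
        domain = next((c for c in rest if c and c.lower() not in ("tcp", "udp")), "")
        conns[(m.group(1), m.group(2), domain, proto)] += 1
    return conns


if __name__ == "__main__":
    files, dumps = parse_dropped_files(SAMPLE), parse_memory_dumps(SAMPLE)
    for path, hashes in files.items():
        print(f"{hashes['SHA256']}  {path}")
    for size, n in region_sizes(dumps).items():
        print(f"{n} dumped region(s) of {size:#x} bytes")
    for conn, n in parse_network(SAMPLE).items():
        print(f"{n}x {conn}")
```

To run it over the whole page, pass the saved report text to the three parsers instead of `SAMPLE`; `region_sizes` should then return 0x354000 for every region except the 0x10000 one in PID 4276, and `parse_network` should report the seven connections as two distinct endpoints.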