Analysis Overview
SHA256
95792671b83572260062ca8152e6d8f36beece698afc4c8fecaed421e4f23c77
Threat Level: Known bad
The file 2024-06-11_b8888e2a12211180b8edfe73948f1310_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
UPX dump on OEP (original entry point)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
Cobaltstrike family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-11 13:26
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 13:26
Reported
2024-06-11 13:29
Platform
win7-20240221-en
Max time kernel
148s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ERJoGbI.exe | N/A |
| N/A | N/A | C:\Windows\System\uchpncF.exe | N/A |
| N/A | N/A | C:\Windows\System\KfBMqbd.exe | N/A |
| N/A | N/A | C:\Windows\System\GMhsdsh.exe | N/A |
| N/A | N/A | C:\Windows\System\oSMJAEF.exe | N/A |
| N/A | N/A | C:\Windows\System\nGgaJSH.exe | N/A |
| N/A | N/A | C:\Windows\System\jRWlLWK.exe | N/A |
| N/A | N/A | C:\Windows\System\FgGwWoz.exe | N/A |
| N/A | N/A | C:\Windows\System\ECBIwVh.exe | N/A |
| N/A | N/A | C:\Windows\System\zWhdHbR.exe | N/A |
| N/A | N/A | C:\Windows\System\ATwJlkA.exe | N/A |
| N/A | N/A | C:\Windows\System\VFSRglK.exe | N/A |
| N/A | N/A | C:\Windows\System\lgyhVaV.exe | N/A |
| N/A | N/A | C:\Windows\System\sSriYhU.exe | N/A |
| N/A | N/A | C:\Windows\System\NIrmQaC.exe | N/A |
| N/A | N/A | C:\Windows\System\XXFkyMX.exe | N/A |
| N/A | N/A | C:\Windows\System\eHEouhT.exe | N/A |
| N/A | N/A | C:\Windows\System\wbzPMRo.exe | N/A |
| N/A | N/A | C:\Windows\System\VtEFeTP.exe | N/A |
| N/A | N/A | C:\Windows\System\EIwWoJM.exe | N/A |
| N/A | N/A | C:\Windows\System\LstTiEA.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_b8888e2a12211180b8edfe73948f1310_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_b8888e2a12211180b8edfe73948f1310_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_b8888e2a12211180b8edfe73948f1310_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_b8888e2a12211180b8edfe73948f1310_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ERJoGbI.exe
C:\Windows\System\uchpncF.exe
C:\Windows\System\KfBMqbd.exe
C:\Windows\System\GMhsdsh.exe
C:\Windows\System\oSMJAEF.exe
C:\Windows\System\nGgaJSH.exe
C:\Windows\System\jRWlLWK.exe
C:\Windows\System\FgGwWoz.exe
C:\Windows\System\ECBIwVh.exe
C:\Windows\System\zWhdHbR.exe
C:\Windows\System\XXFkyMX.exe
C:\Windows\System\ATwJlkA.exe
C:\Windows\System\eHEouhT.exe
C:\Windows\System\VFSRglK.exe
C:\Windows\System\wbzPMRo.exe
C:\Windows\System\lgyhVaV.exe
C:\Windows\System\VtEFeTP.exe
C:\Windows\System\sSriYhU.exe
C:\Windows\System\EIwWoJM.exe
C:\Windows\System\NIrmQaC.exe
C:\Windows\System\LstTiEA.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\system\ERJoGbI.exe
C:\Windows\system\uchpncF.exe
C:\Windows\system\KfBMqbd.exe
C:\Windows\system\GMhsdsh.exe
\Windows\system\oSMJAEF.exe
C:\Windows\system\nGgaJSH.exe
C:\Windows\system\FgGwWoz.exe
C:\Windows\system\ECBIwVh.exe
\Windows\system\zWhdHbR.exe
C:\Windows\system\jRWlLWK.exe
\Windows\system\VFSRglK.exe
C:\Windows\system\sSriYhU.exe
C:\Windows\system\eHEouhT.exe
C:\Windows\system\wbzPMRo.exe
\Windows\system\EIwWoJM.exe
\Windows\system\LstTiEA.exe
\Windows\system\VtEFeTP.exe
\Windows\system\XXFkyMX.exe
C:\Windows\system\NIrmQaC.exe
C:\Windows\system\lgyhVaV.exe
C:\Windows\system\ATwJlkA.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 13:26
Reported
2024-06-11 13:29
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ERJoGbI.exe | N/A |
| N/A | N/A | C:\Windows\System\uchpncF.exe | N/A |
| N/A | N/A | C:\Windows\System\KfBMqbd.exe | N/A |
| N/A | N/A | C:\Windows\System\GMhsdsh.exe | N/A |
| N/A | N/A | C:\Windows\System\oSMJAEF.exe | N/A |
| N/A | N/A | C:\Windows\System\nGgaJSH.exe | N/A |
| N/A | N/A | C:\Windows\System\jRWlLWK.exe | N/A |
| N/A | N/A | C:\Windows\System\FgGwWoz.exe | N/A |
| N/A | N/A | C:\Windows\System\ECBIwVh.exe | N/A |
| N/A | N/A | C:\Windows\System\zWhdHbR.exe | N/A |
| N/A | N/A | C:\Windows\System\XXFkyMX.exe | N/A |
| N/A | N/A | C:\Windows\System\ATwJlkA.exe | N/A |
| N/A | N/A | C:\Windows\System\eHEouhT.exe | N/A |
| N/A | N/A | C:\Windows\System\VFSRglK.exe | N/A |
| N/A | N/A | C:\Windows\System\wbzPMRo.exe | N/A |
| N/A | N/A | C:\Windows\System\lgyhVaV.exe | N/A |
| N/A | N/A | C:\Windows\System\VtEFeTP.exe | N/A |
| N/A | N/A | C:\Windows\System\sSriYhU.exe | N/A |
| N/A | N/A | C:\Windows\System\EIwWoJM.exe | N/A |
| N/A | N/A | C:\Windows\System\NIrmQaC.exe | N/A |
| N/A | N/A | C:\Windows\System\LstTiEA.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_b8888e2a12211180b8edfe73948f1310_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_b8888e2a12211180b8edfe73948f1310_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_b8888e2a12211180b8edfe73948f1310_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_b8888e2a12211180b8edfe73948f1310_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ERJoGbI.exe
C:\Windows\System\uchpncF.exe
C:\Windows\System\KfBMqbd.exe
C:\Windows\System\GMhsdsh.exe
C:\Windows\System\oSMJAEF.exe
C:\Windows\System\nGgaJSH.exe
C:\Windows\System\jRWlLWK.exe
C:\Windows\System\FgGwWoz.exe
C:\Windows\System\ECBIwVh.exe
C:\Windows\System\zWhdHbR.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1036,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3812 /prefetch:8
C:\Windows\System\XXFkyMX.exe
C:\Windows\System\ATwJlkA.exe
C:\Windows\System\eHEouhT.exe
C:\Windows\System\VFSRglK.exe
C:\Windows\System\wbzPMRo.exe
C:\Windows\System\lgyhVaV.exe
C:\Windows\System\VtEFeTP.exe
C:\Windows\System\sSriYhU.exe
C:\Windows\System\EIwWoJM.exe
C:\Windows\System\NIrmQaC.exe
C:\Windows\System\LstTiEA.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/928-0-0x00007FF6342D0000-0x00007FF634624000-memory.dmp
memory/928-1-0x000001E5C8D60000-0x000001E5C8D70000-memory.dmp
C:\Windows\System\ERJoGbI.exe
| MD5 | 33cf0bfc1ff24938c300c025a14cf1f2 |
| SHA1 | 6e2ce5e8880b16a11156f84a9bef799e1ae3af41 |
| SHA256 | a05482ef6a9dc9f95aaf87b73e5c0ec706570164b3355ccd0c61a46996dd1d6d |
| SHA512 | a3dacbf5e7936b6353146a95a84129bbe282e5f20de3e90823ef7a84b806170472b2711bfa4f2d637a48d8325eb450c7ddcb0de130b2b2e52d4ebc0e04041aac |
C:\Windows\System\uchpncF.exe
| MD5 | e6b08cfe60d5f1e15d5ad221ed664400 |
| SHA1 | 8edd5354f03897fbc6e75fe75a8c56cfd7e563df |
| SHA256 | 35cfb4c16f0350abe095f2383e2189c88aceebdce3164313f53387e8d84aebbd |
| SHA512 | 4446eaea53d4fc96f2feefe07094679a10fdefb03d12e992071caafe956249d678bc0cc90df68a15ae167450fb6f4a8802a39909b38d38f33cee93bffc5f8712 |
memory/3636-8-0x00007FF761A20000-0x00007FF761D74000-memory.dmp
C:\Windows\System\KfBMqbd.exe
| MD5 | 5d6b5193dcdad7c74542142c3a3cceeb |
| SHA1 | f2ed4e67b9ac0b2237bcf96f5871c1926edd5ef8 |
| SHA256 | af69e13be0df790fa1bd83a5d8aa68c7d55eb53df404e1aac1ec5c16ac9082ab |
| SHA512 | e34489961c6d754da65056a370041a4521f1ab765e9fa60a7bb06602c2770d5b47c2a6369cb60ef8d44a0f9ec513405f3437674207bd64ef45c5554149d58594 |
C:\Windows\System\GMhsdsh.exe
| MD5 | e1562a4a53436049c83d6a43bdaecb9f |
| SHA1 | 4e9a38bd2f0e8801f8bb8a9aa0850aed41c2ea92 |
| SHA256 | 801063acc650db27f95b6863ded8883f3d498edc28048f5b13f3755d1da71140 |
| SHA512 | 43f00c58a84c8d431aa3d206b5b6462c913b6f5dc47db99646e7dd2ad1bbfa6d31f3e363df0ec252b8d8c87641ee23a6a1e48a6b1950f74bec218f2c6902352c |
memory/932-19-0x00007FF63A4F0000-0x00007FF63A844000-memory.dmp
memory/2912-16-0x00007FF76D490000-0x00007FF76D7E4000-memory.dmp
C:\Windows\System\oSMJAEF.exe
| MD5 | b25538280c8f9c3560737d6d3131ae48 |
| SHA1 | 685c9302cfd53319e2bb1ba94a86a4a40cf4f942 |
| SHA256 | 400b90ba4c0de2391cdc5fa1bb5afdb60447b637cec0b2e65601c3f8463e5e93 |
| SHA512 | f81e2c5e34fd77aabb0a90e2edcb33a9616914894488710a827557345df31bcb981904b7d7e219f7f07248a629a7dc4f47bcf1399e0e5c29cf571792e9643afc |
memory/3056-32-0x00007FF6F9300000-0x00007FF6F9654000-memory.dmp
C:\Windows\System\nGgaJSH.exe
| MD5 | 49372ca31661ad7683552b592a03088c |
| SHA1 | 3254656ced2ab794097d34dbb7b74ad97e05de94 |
| SHA256 | 3b418edf8cbba4ae4c547df599075cadbf02a83b3719a45eef3ec67c35fb525a |
| SHA512 | 7eeed1377575d708c8647d3572cfe317ecf8cf1cb00e447720eec926367036a4c48e2db46fe81b964ff40a09d4a72c13e949ee45ad78d31c9780569e6a38afbd |
C:\Windows\System\jRWlLWK.exe
| MD5 | 78a0162ceeac970a06df3269fcb44462 |
| SHA1 | d89ef328c53db351f99822112fb485e4bfd86dc4 |
| SHA256 | e3dd081be4d34404ff9e7f63268767a7f61f2f695d9f0e6b8e4a02c72d8c0a66 |
| SHA512 | 2d932660330b317568207ddd0d813a228f06478cf22f24bfb4d6eedbad278bd14dbc1b852a27d68869f35dcb8e451347433245c38d875af36e63a2c8b0a489f3 |
memory/3156-38-0x00007FF670870000-0x00007FF670BC4000-memory.dmp
memory/5092-26-0x00007FF7EEF20000-0x00007FF7EF274000-memory.dmp
memory/2152-44-0x00007FF7B6770000-0x00007FF7B6AC4000-memory.dmp
C:\Windows\System\FgGwWoz.exe
| MD5 | dec2c2ead278b6fd428b0bf0d75bb315 |
| SHA1 | 9916d8064e3f62a9c336d9944a44fd741e636351 |
| SHA256 | f26feaa8f250f19d20c5d8db8a7c07bd2c84e855c074ac903d0d853a38b65579 |
| SHA512 | 408d13a5d19a07984ec375c2a20132672d88876fa9e6de8c5f6cb52083d8387365c93131e949a17f510dd53588870db9e2ff34b4e411d8c2e901f4524f983fdb |
C:\Windows\System\ECBIwVh.exe
| MD5 | 5485f795fbb593682b9cfe172493831c |
| SHA1 | 054f6d4c83a075b01b2efc408f6134cc534d4e8c |
| SHA256 | d9fb8cd11337a722fd81a751644bd40353cc8c444f739367d5c3f29db40aa913 |
| SHA512 | f0c9468107f148a02c57c6706a74dbfdc09231f4b07227297917b2a2e7c05293bd0e9ede90170f0b98f4b56547c859f37c027d41bbcc26a19f5889145c0e6819 |
memory/2388-54-0x00007FF7CC340000-0x00007FF7CC694000-memory.dmp
memory/1604-50-0x00007FF75A200000-0x00007FF75A554000-memory.dmp
C:\Windows\System\zWhdHbR.exe
| MD5 | eaf0af3b9cb541683aad453b5deb4058 |
| SHA1 | c273c13040167d22f305df255824170b645d1be8 |
| SHA256 | 53b7ff3d0be59ebc37d12702c5b88bead98089187657c318884351c47a856ce9 |
| SHA512 | fd1eedce8a4d534d49d992a646c75873d055281266fba77a5f602ff04e3ce11fbbf5093e31ee718bb10e216da11646a7f499449a4a28ba978279adbb9d458745 |
memory/928-61-0x00007FF6342D0000-0x00007FF634624000-memory.dmp
memory/1064-62-0x00007FF789A30000-0x00007FF789D84000-memory.dmp
C:\Windows\System\XXFkyMX.exe
| MD5 | 7e66063c2d7313f5fb36141f8d01244f |
| SHA1 | 386eaae24fb05d8586dc8804abd1c96b7f4dfa45 |
| SHA256 | 78f020f36732ab10b8e533baefdb8d28c00910edcf52dc89e8d73cb4ab659be7 |
| SHA512 | 30b19dab456713030b492e5a4a9f47276b52abb9f103a1dbca0d754c4372beafef6309b59d2081bae76bafee562ffdaceae67af189e93bb7857f7553fb6c6860 |
C:\Windows\System\ATwJlkA.exe
| MD5 | fa054af1375f0b69807933649a975f6d |
| SHA1 | 9b8069b7ff79afa1217e66f24c2e1c3474c9ff17 |
| SHA256 | c217557542cf82bbf67a93d5ea557876d3a2bc464188079e8e953710d036d110 |
| SHA512 | d81715da3413bd406d9a486de7a6b8e1002e917734eb377e0ffc039094bc7145e232735186c9e56fb3d7b8b2683fb0455bff2e220dbdde5261ba73a53518e64f |
C:\Windows\System\VFSRglK.exe
| MD5 | faf480de809295a569d11ff1ef1fb634 |
| SHA1 | ccffcf37acb91c4652cf45f2da0606cf1ff8a4b8 |
| SHA256 | 2209bf35a9854f8f822f5683e018cf23f555b1be171df1a00ec57e099f986fd9 |
| SHA512 | e6e62cb6ffd859214e9ad94c65c6ad1049f94e67cc622de4cd4a481b441af95f5fe8ca82163c6ca55894ef610f6051fb15fa681f24b7d4db985072434d8d7e5d |
C:\Windows\System\eHEouhT.exe
| MD5 | 4ddab70fee68a28b9affb3fd5cc99c9d |
| SHA1 | 427b1abf054e12225674d06b267e106bd073762a |
| SHA256 | 1865d47be297ca18cbbb5b05e0279ac27420a3463594ff423ffc359dd4385e27 |
| SHA512 | 50b352679a3336b26cf2fa008f39b8a53a3da4baa0ddeb421d10066d81e74baf3e48bdf82ccd7240e1dd4531a9de5527615be77c9329303e0a964e00778aed44 |
C:\Windows\System\lgyhVaV.exe
| MD5 | 262a1cbe62af2d40de999fbd524a7397 |
| SHA1 | 075488fb9ac95e390ac9776d395f61aac7df609c |
| SHA256 | c1a77ce63d607463686ed2f79bf83e657511247f4e669b126056c6da16f226db |
| SHA512 | 2f62f04ba06a6464e90758df1a1036e7a8dd1db38593815fbb25dbb5f1aad9b22b13d3d7b7c083280e8e036c86bf4d8d9a96ae57ba1d5563579bff02320c3207 |
memory/3700-95-0x00007FF62BAF0000-0x00007FF62BE44000-memory.dmp
C:\Windows\System\VtEFeTP.exe
| MD5 | 6ff36a7fec2a1ef4a4ed88073b182aff |
| SHA1 | 9d229e2894a2667b58b94ded59f4cdb712aa20e9 |
| SHA256 | 03cf8e5f80ad0273ce01bd45d465165e74dc8905f1b44b8b10230fa99f928c14 |
| SHA512 | 8e9493fa2cbff78d789695e524aadab1dbe1832100cbcce585d226c7159901f51b4339e5c91db6b9bd990f1b58bf54a3795aa01f9db9308ec39b6429832aef68 |
C:\Windows\System\wbzPMRo.exe
| MD5 | 44cf165ac57aa7cf59b3dbbbcf865537 |
| SHA1 | db74e4bfb49a108f61b34686e91401b827763fb0 |
| SHA256 | 10fbb7e39409826354a18a23917293ee8b2e9e2db5ffb6f063ba8ac3a861db9f |
| SHA512 | 3bd16efbb19bd20499e7494ec5c1995817b41a2ea01a1acb81566c7cb4893f3104a1defaa21dfb1aaa1626745e4e2858a33e0d4db22a8194ff0db48873c9739d |
memory/3564-96-0x00007FF761630000-0x00007FF761984000-memory.dmp
memory/932-94-0x00007FF63A4F0000-0x00007FF63A844000-memory.dmp
memory/4876-89-0x00007FF7D61C0000-0x00007FF7D6514000-memory.dmp
memory/1948-88-0x00007FF7C86C0000-0x00007FF7C8A14000-memory.dmp
memory/3004-79-0x00007FF796910000-0x00007FF796C64000-memory.dmp
memory/4544-74-0x00007FF767A10000-0x00007FF767D64000-memory.dmp
memory/1472-106-0x00007FF605D70000-0x00007FF6060C4000-memory.dmp
C:\Windows\System\sSriYhU.exe
| MD5 | 8fffb2059ebd0cf5856ca9594bb80316 |
| SHA1 | 04eda15c40dacc653e43effffb17d766e8aa8c49 |
| SHA256 | 4315f6ef54f00a4cdab68db8638a26758b62000854ceda9f339962bc90c60b52 |
| SHA512 | 26cdab613760a2cb58260f97f0d00c829cc7ef3276ff9cf4a1c9f0213ffaa61f30c58866b7e52ea543b09f28b04724251c0cadde2fd736df9bcbec2d640ec031 |
memory/2684-113-0x00007FF614880000-0x00007FF614BD4000-memory.dmp
memory/3156-112-0x00007FF670870000-0x00007FF670BC4000-memory.dmp
C:\Windows\System\EIwWoJM.exe
| MD5 | 392f198162cdbfe545d00d27d4784d98 |
| SHA1 | 9a29030ea884dbfcd0b34a553825d6942eedbc03 |
| SHA256 | 4de50d40639036185c49e1eab4f71bec6c7587f798e7a745d6930e8dea91db34 |
| SHA512 | 9c5a2ff1eba462ee386a0eeec73c30b772590b3491b8312c0297cd179c883198e5121232bd8c30cbc9b5975c8c0e0a7e06038cf083586cf8b2a36eac6663448c |
memory/4972-119-0x00007FF6D43E0000-0x00007FF6D4734000-memory.dmp
C:\Windows\System\NIrmQaC.exe
| MD5 | 623313e3f81bce104f300185da14057b |
| SHA1 | 7f22327f3f619616b6579e606a73cba46c875f98 |
| SHA256 | 51f01c236bcdde633629d3e0ee01b1f08a1f5ef1748fb21d2d9717dd878d6975 |
| SHA512 | a067b2267f430be8fb20596a5fe230a2a0c559a0691c4945d509960277a4eadff20f668e49a9310fdd3a1433a00ffdde7f4642424a57a694be79a77b3c0f5933 |
memory/1140-125-0x00007FF654620000-0x00007FF654974000-memory.dmp
C:\Windows\System\LstTiEA.exe
| MD5 | 0644a862ea938817be903e3813f2f739 |
| SHA1 | f7b69824d5fdc5fe2f2e10687f1c2ab0ab168f1b |
| SHA256 | 326e26b8118460babae01e795687385ec1d4fc437d8f5402e5dd5aac7a984c27 |
| SHA512 | 0ea61543a8bc04c3e2ba046e6f0a3792c4e4dc3acc788d3732e6bcee17001bca35a0bc8d37f41c85cb6d631fcc0deb14749ec757723c435c649c31ad46c356bd |
memory/2388-130-0x00007FF7CC340000-0x00007FF7CC694000-memory.dmp
memory/2064-131-0x00007FF600140000-0x00007FF600494000-memory.dmp
memory/1064-132-0x00007FF789A30000-0x00007FF789D84000-memory.dmp
memory/3004-133-0x00007FF796910000-0x00007FF796C64000-memory.dmp
memory/1948-134-0x00007FF7C86C0000-0x00007FF7C8A14000-memory.dmp
memory/3700-135-0x00007FF62BAF0000-0x00007FF62BE44000-memory.dmp
memory/3564-136-0x00007FF761630000-0x00007FF761984000-memory.dmp
memory/3636-137-0x00007FF761A20000-0x00007FF761D74000-memory.dmp
memory/2912-138-0x00007FF76D490000-0x00007FF76D7E4000-memory.dmp
memory/932-139-0x00007FF63A4F0000-0x00007FF63A844000-memory.dmp
memory/5092-140-0x00007FF7EEF20000-0x00007FF7EF274000-memory.dmp
memory/3056-141-0x00007FF6F9300000-0x00007FF6F9654000-memory.dmp
memory/3156-142-0x00007FF670870000-0x00007FF670BC4000-memory.dmp
memory/2152-143-0x00007FF7B6770000-0x00007FF7B6AC4000-memory.dmp
memory/1604-144-0x00007FF75A200000-0x00007FF75A554000-memory.dmp
memory/2388-145-0x00007FF7CC340000-0x00007FF7CC694000-memory.dmp
memory/1064-146-0x00007FF789A30000-0x00007FF789D84000-memory.dmp
memory/4544-147-0x00007FF767A10000-0x00007FF767D64000-memory.dmp
memory/3004-148-0x00007FF796910000-0x00007FF796C64000-memory.dmp
memory/4876-149-0x00007FF7D61C0000-0x00007FF7D6514000-memory.dmp
memory/3564-152-0x00007FF761630000-0x00007FF761984000-memory.dmp
memory/1472-151-0x00007FF605D70000-0x00007FF6060C4000-memory.dmp
memory/3700-150-0x00007FF62BAF0000-0x00007FF62BE44000-memory.dmp
memory/1948-153-0x00007FF7C86C0000-0x00007FF7C8A14000-memory.dmp
memory/2684-154-0x00007FF614880000-0x00007FF614BD4000-memory.dmp
memory/4972-155-0x00007FF6D43E0000-0x00007FF6D4734000-memory.dmp
memory/1140-156-0x00007FF654620000-0x00007FF654974000-memory.dmp
memory/2064-157-0x00007FF600140000-0x00007FF600494000-memory.dmp