Analysis Overview
SHA256
dcbc5b12a36dfe61b393260b0bce6c7dbea88e055513c31fc94f5c1b83acffb8
Threat Level: Known bad
The file 2024-06-11_2d4305d6215114298496a0ffbcdc0fbd_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
xmrig
Cobaltstrike family
Detects Reflective DLL injection artifacts
Xmrig family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 15:50
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 15:50
Reported
2024-06-11 15:53
Platform
win7-20240508-en
Max time kernel
141s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\IwAMycx.exe | N/A |
| N/A | N/A | C:\Windows\System\VXiVoYZ.exe | N/A |
| N/A | N/A | C:\Windows\System\nBpUrhF.exe | N/A |
| N/A | N/A | C:\Windows\System\wMaGfNL.exe | N/A |
| N/A | N/A | C:\Windows\System\zzXmsOY.exe | N/A |
| N/A | N/A | C:\Windows\System\sKIaZGN.exe | N/A |
| N/A | N/A | C:\Windows\System\sjsqHTe.exe | N/A |
| N/A | N/A | C:\Windows\System\ohNjvHF.exe | N/A |
| N/A | N/A | C:\Windows\System\lPofElk.exe | N/A |
| N/A | N/A | C:\Windows\System\kivRUkm.exe | N/A |
| N/A | N/A | C:\Windows\System\APAEIxo.exe | N/A |
| N/A | N/A | C:\Windows\System\pfvVIWa.exe | N/A |
| N/A | N/A | C:\Windows\System\nalqObR.exe | N/A |
| N/A | N/A | C:\Windows\System\SDzXgrU.exe | N/A |
| N/A | N/A | C:\Windows\System\ToLqlUf.exe | N/A |
| N/A | N/A | C:\Windows\System\xFxQxad.exe | N/A |
| N/A | N/A | C:\Windows\System\VHpeuGO.exe | N/A |
| N/A | N/A | C:\Windows\System\UzKQfaS.exe | N/A |
| N/A | N/A | C:\Windows\System\UptliDq.exe | N/A |
| N/A | N/A | C:\Windows\System\IvqmOFv.exe | N/A |
| N/A | N/A | C:\Windows\System\gXzNsdd.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_2d4305d6215114298496a0ffbcdc0fbd_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_2d4305d6215114298496a0ffbcdc0fbd_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_2d4305d6215114298496a0ffbcdc0fbd_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\IwAMycx.exe
C:\Windows\System\VXiVoYZ.exe
C:\Windows\System\nBpUrhF.exe
C:\Windows\System\wMaGfNL.exe
C:\Windows\System\zzXmsOY.exe
C:\Windows\System\ohNjvHF.exe
C:\Windows\System\sKIaZGN.exe
C:\Windows\System\ToLqlUf.exe
C:\Windows\System\sjsqHTe.exe
C:\Windows\System\xFxQxad.exe
C:\Windows\System\lPofElk.exe
C:\Windows\System\VHpeuGO.exe
C:\Windows\System\kivRUkm.exe
C:\Windows\System\UzKQfaS.exe
C:\Windows\System\APAEIxo.exe
C:\Windows\System\UptliDq.exe
C:\Windows\System\pfvVIWa.exe
C:\Windows\System\IvqmOFv.exe
C:\Windows\System\nalqObR.exe
C:\Windows\System\gXzNsdd.exe
C:\Windows\System\SDzXgrU.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 15:50
Reported
2024-06-11 15:53
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LhVrRvp.exe | N/A |
| N/A | N/A | C:\Windows\System\qGbVrHO.exe | N/A |
| N/A | N/A | C:\Windows\System\WtQzAsQ.exe | N/A |
| N/A | N/A | C:\Windows\System\PaUhNnb.exe | N/A |
| N/A | N/A | C:\Windows\System\eUERspw.exe | N/A |
| N/A | N/A | C:\Windows\System\qzsXJpR.exe | N/A |
| N/A | N/A | C:\Windows\System\unFLRoW.exe | N/A |
| N/A | N/A | C:\Windows\System\mDwmiWI.exe | N/A |
| N/A | N/A | C:\Windows\System\mTjFnkg.exe | N/A |
| N/A | N/A | C:\Windows\System\RnPYyfG.exe | N/A |
| N/A | N/A | C:\Windows\System\HbUwrYf.exe | N/A |
| N/A | N/A | C:\Windows\System\VhkUaow.exe | N/A |
| N/A | N/A | C:\Windows\System\rqLcoqX.exe | N/A |
| N/A | N/A | C:\Windows\System\xMQvlxg.exe | N/A |
| N/A | N/A | C:\Windows\System\znlCDLQ.exe | N/A |
| N/A | N/A | C:\Windows\System\dMapqel.exe | N/A |
| N/A | N/A | C:\Windows\System\GgJMerG.exe | N/A |
| N/A | N/A | C:\Windows\System\NzNuWeB.exe | N/A |
| N/A | N/A | C:\Windows\System\YIlDEuj.exe | N/A |
| N/A | N/A | C:\Windows\System\nHgrpZa.exe | N/A |
| N/A | N/A | C:\Windows\System\ewGmnCl.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_2d4305d6215114298496a0ffbcdc0fbd_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_2d4305d6215114298496a0ffbcdc0fbd_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_2d4305d6215114298496a0ffbcdc0fbd_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\LhVrRvp.exe
C:\Windows\System\qGbVrHO.exe
C:\Windows\System\WtQzAsQ.exe
C:\Windows\System\eUERspw.exe
C:\Windows\System\PaUhNnb.exe
C:\Windows\System\qzsXJpR.exe
C:\Windows\System\unFLRoW.exe
C:\Windows\System\mDwmiWI.exe
C:\Windows\System\mTjFnkg.exe
C:\Windows\System\RnPYyfG.exe
C:\Windows\System\HbUwrYf.exe
C:\Windows\System\VhkUaow.exe
C:\Windows\System\rqLcoqX.exe
C:\Windows\System\xMQvlxg.exe
C:\Windows\System\znlCDLQ.exe
C:\Windows\System\dMapqel.exe
C:\Windows\System\GgJMerG.exe
C:\Windows\System\NzNuWeB.exe
C:\Windows\System\YIlDEuj.exe
C:\Windows\System\nHgrpZa.exe
C:\Windows\System\ewGmnCl.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
| SHA256 | c3ada55bc52bb6bf6c4840de8461aa0e0a616d33fe55a9da06d1b6c252494d5f |
| SHA512 | 3d278f3ed99fd984dcd567f933be4cf2eb1186a15b92cc4e80fed2e451b16e1305ccaa6676625a6984412e243bef3c19c72d86413e976e0dfed79238130667f4 |
C:\Windows\System\mDwmiWI.exe
| MD5 | 5a1e13b6ab42d144391006d720153f9e |
| SHA1 | 7df67c97aecf7d62ab979236ace9bd1eb5c151e4 |
| SHA256 | d57a1b50e30379ee6dc1908fbf4ee3a8efc5a105d5bd34d85de37c0360405229 |
| SHA512 | 576f3acfe54c05ee52407dea13da13c43a9ef75bbe0ee92499f94aee8b322976ec7147b667caa1a5dc78ea70d8ec12ae09f60d9578d8d8fd2206f5ea4b1734f7 |
memory/876-45-0x00007FF6C5C40000-0x00007FF6C5F94000-memory.dmp
C:\Windows\System\eUERspw.exe
| MD5 | e594875743ad717acffb4644c98644a6 |
| SHA1 | 1f9df7e6b9c56104a04b76e5030516a1e148f466 |
| SHA256 | 740adb5a8f44ede9001034e985b66728a91546d774fd69889c1e975312525c2f |
| SHA512 | a95f851f753c0567f7129cbbc383781ea6ef51cc2ac055290fee2a9a118169934c061715b86043b93514ecb6e31f9c33151998ab39d7e553140ca2cdc41c33f6 |
C:\Windows\System\PaUhNnb.exe
| MD5 | 21144a10e1248b7e6c7c45942d3e9888 |
| SHA1 | dc5ece2019e5c45cb195c4d09a7747ddb2ad4f42 |
| SHA256 | 73182cbe1d1bce4f115f3cab484847b441535a46a2013ca186ae1ac1dca0b79a |
| SHA512 | 4e701dd556e61aa04ec573acf056fd37c3153aad0df456e288ff89b33bdd009b46d50a9ebe74515475e8487106d4ffc730688837c14b38cfc2918f25954b8da0 |
C:\Windows\System\qzsXJpR.exe
| MD5 | a66296f9d8d54df9da5b4d4f228b9455 |
| SHA1 | df17796505c00ea60aeed91673bd123e736e6532 |
| SHA256 | 724b3b6357fc5b55523088e147f6bcb633db3523642bfc27e1420b0662fbca41 |
| SHA512 | af1addba3a7c26d5cbfee419a9700134d63f6b29c579597dd9d9ee2f072b75428e657287b981fb49956d655a704d51844b0944230c368cfa94f03745b1db0410 |
memory/4780-24-0x00007FF6EF8F0000-0x00007FF6EFC44000-memory.dmp
memory/1992-22-0x00007FF72FF50000-0x00007FF7302A4000-memory.dmp
memory/2732-11-0x00007FF6318C0000-0x00007FF631C14000-memory.dmp
C:\Windows\System\xMQvlxg.exe
| MD5 | e968f1b4e5b68f62c85c77c093f5b257 |
| SHA1 | 780c180169524534ead205a0ad0808d5f848c4bf |
| SHA256 | 71b846e71d0b4b8d440769151c9ba17eaa6bad30e459282395258ff309bfce8b |
| SHA512 | 46b169a6638315c2018b5e314e4886f2add27de569b1bf435ee55463e82b188a5354486a254628b0157a4b91bc0e086f4fd6bdd0f6d81f4b62937bb46e583f09 |
memory/1900-85-0x00007FF6F61E0000-0x00007FF6F6534000-memory.dmp
C:\Windows\System\znlCDLQ.exe
| MD5 | 5439176ffae537e039de036334df216b |
| SHA1 | 7cf7992e08cd0b7a887130cf9d208b04cd4d809d |
| SHA256 | 089003a78c58d6d797ee34758d398953bd73d4fd62eac58d10b14be32a7ca087 |
| SHA512 | 5c80fc0100f2e517b53c8bcc2941770552a3893e95eafdfc52063991c884575de103b3892fa39eee8e7fb5d36a90ac3538b2b5602d01dbf3b8cc94d2ef50bce2 |
memory/408-92-0x00007FF7CE610000-0x00007FF7CE964000-memory.dmp
memory/4472-97-0x00007FF6E1FD0000-0x00007FF6E2324000-memory.dmp
C:\Windows\System\GgJMerG.exe
| MD5 | a5f3418a3bd9d607df2f7a8ff57618b0 |
| SHA1 | 4ec0bbe1392c7019776227d028fcb716014e1ca5 |
| SHA256 | e414112a8374ec02de1c51218241c343d06ab3e9cccbfc0da908714c72c53eef |
| SHA512 | 268d10ab7419fde3b1700fdfaba74470d1891b2ea4071a043afba492d487a801ae03ca7347b96dffbccd32a79df060b2750315998db4bf6ec3f255fbe4232935 |
memory/2088-104-0x00007FF6DFC50000-0x00007FF6DFFA4000-memory.dmp
C:\Windows\System\NzNuWeB.exe
| MD5 | 45ce7488c3457e3c3fcf9ee70a5fde67 |
| SHA1 | e0e0740c94c5a1e2000f73be2a3ace75c7caf554 |
| SHA256 | b6a63a6b87c06d0f7a74f03ea2052e18fad8a88d734143cbd5997cde67fb0584 |
| SHA512 | 9e0f27e03488c3be30aaef9e1ae7c305e72804ca5c7ddffb2ef32f810f31a31ea8edebf1a559ebc6b731529278c982caf37e490ec70e158adb3cb349c875030f |
C:\Windows\System\dMapqel.exe
| MD5 | da525d372ae5379a53ad7959aa31912d |
| SHA1 | 1ae706767d4a54bfe7a9f03bc5e5b6b21ef528dc |
| SHA256 | c577a90e8fd8dfad939e6b19bcc7936939f6dc7b02921b9983699e93c3982aa2 |
| SHA512 | 82556aafaade6594199ce2604bcf8844272f6df28047fb2965866f83b8f4b7e46c4c8514e802cf80f0e2038c4c01bf0ae951edab660d28c7b1abb366e6758ee9 |
memory/2732-114-0x00007FF6318C0000-0x00007FF631C14000-memory.dmp
C:\Windows\System\nHgrpZa.exe
| MD5 | 8b646c9f82e7a035b766294045936333 |
| SHA1 | 8df83705a6b54021ab464df1e544e304348a45a8 |
| SHA256 | 2a573b570d95e81f0f0cd888262bd87bccf927b6d200c65fc1d4e34b2f8e4c1e |
| SHA512 | 15292a9eb55c4586ffbdb64e6759e923136bee49bc48f5e9387c789c79e01312c5e7e6a7a2712b968f500a7b9d60c36a0180c37c641c923a8c48b4bb9ce568e0 |
memory/1992-122-0x00007FF72FF50000-0x00007FF7302A4000-memory.dmp
memory/3724-121-0x00007FF7DD3D0000-0x00007FF7DD724000-memory.dmp
C:\Windows\System\YIlDEuj.exe
| MD5 | f04d238354c237f2483725c2a6af10a3 |
| SHA1 | d90e9e2597d6aa60e100adbca2f5b94b52c5c4f3 |
| SHA256 | 4eb011c6d90e6509908a9952516fb3a112effb6575ca2d8c720d2ed245d7067d |
| SHA512 | 748f5d1fb7f4ec90fb98b0ebaf487477ed0feb41cc8f018a699bc60d8699e8b320545c6865bdbd05ea4133e7b64385cf8dff1a562ebfc3ebd1565796d608407a |
memory/64-113-0x00007FF697720000-0x00007FF697A74000-memory.dmp
memory/1508-110-0x00007FF65D120000-0x00007FF65D474000-memory.dmp
memory/3960-125-0x00007FF661260000-0x00007FF6615B4000-memory.dmp
memory/4780-130-0x00007FF6EF8F0000-0x00007FF6EFC44000-memory.dmp
memory/4732-131-0x00007FF6D7320000-0x00007FF6D7674000-memory.dmp
memory/3224-133-0x00007FF6535A0000-0x00007FF6538F4000-memory.dmp
memory/2964-132-0x00007FF7007D0000-0x00007FF700B24000-memory.dmp
C:\Windows\System\ewGmnCl.exe
| MD5 | fe96d9c994f8b2089ae36d613b7d11f1 |
| SHA1 | 733eef3d297f4030f814b11335205f9e8ded668e |
| SHA256 | 1eee5740b09b13abd3ae7d684b7e5a6e55c5208867bf311467ee746b5926c874 |
| SHA512 | c7d4a40d99f6336f0b24ed5231b435bd2a6ea490142e58cc3d38dead2ab30c6cc86d5fa337cfbee459be3f5e842971146a95b5a10afd5b4691dfb3e974d467a8 |
memory/4704-134-0x00007FF7258B0000-0x00007FF725C04000-memory.dmp
memory/1636-135-0x00007FF65A630000-0x00007FF65A984000-memory.dmp
memory/1900-136-0x00007FF6F61E0000-0x00007FF6F6534000-memory.dmp
memory/4472-137-0x00007FF6E1FD0000-0x00007FF6E2324000-memory.dmp
memory/2088-138-0x00007FF6DFC50000-0x00007FF6DFFA4000-memory.dmp
memory/3724-139-0x00007FF7DD3D0000-0x00007FF7DD724000-memory.dmp
memory/2732-140-0x00007FF6318C0000-0x00007FF631C14000-memory.dmp
memory/1992-141-0x00007FF72FF50000-0x00007FF7302A4000-memory.dmp
memory/4780-142-0x00007FF6EF8F0000-0x00007FF6EFC44000-memory.dmp
memory/876-143-0x00007FF6C5C40000-0x00007FF6C5F94000-memory.dmp
memory/828-144-0x00007FF6A6EB0000-0x00007FF6A7204000-memory.dmp
memory/2908-146-0x00007FF6C66B0000-0x00007FF6C6A04000-memory.dmp
memory/3900-148-0x00007FF78A200000-0x00007FF78A554000-memory.dmp
memory/4840-147-0x00007FF603C50000-0x00007FF603FA4000-memory.dmp
memory/4732-145-0x00007FF6D7320000-0x00007FF6D7674000-memory.dmp
memory/2964-149-0x00007FF7007D0000-0x00007FF700B24000-memory.dmp
memory/4704-150-0x00007FF7258B0000-0x00007FF725C04000-memory.dmp
memory/1636-151-0x00007FF65A630000-0x00007FF65A984000-memory.dmp
memory/1784-152-0x00007FF726470000-0x00007FF7267C4000-memory.dmp
memory/1900-153-0x00007FF6F61E0000-0x00007FF6F6534000-memory.dmp
memory/408-154-0x00007FF7CE610000-0x00007FF7CE964000-memory.dmp
memory/4472-155-0x00007FF6E1FD0000-0x00007FF6E2324000-memory.dmp
memory/2088-156-0x00007FF6DFC50000-0x00007FF6DFFA4000-memory.dmp
memory/1508-157-0x00007FF65D120000-0x00007FF65D474000-memory.dmp
memory/3724-158-0x00007FF7DD3D0000-0x00007FF7DD724000-memory.dmp
memory/3960-159-0x00007FF661260000-0x00007FF6615B4000-memory.dmp
memory/3224-160-0x00007FF6535A0000-0x00007FF6538F4000-memory.dmp
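The Files listing above mixes two kinds of entries: dropped executables under C:\Windows\System\ each followed by MD5/SHA1/SHA256/SHA512 rows, and dumped memory regions named memory/PID-index-start-end-memory.dmp. Turning that into something a responder can act on (a deduplicated hash list, and a check that every dumped image region is the same size) is mechanical, so here is an added Python example that does it. This is not part of the sandbox report; the sample text is copied verbatim from a few entries above, and the line-format rules encoded in the regular expressions are an assumption about how the report renders this section. One thing the raw listing does not make obvious but the script shows: every 0x00007FF... region dumped is exactly 0x354000 bytes, whichever PID it belongs to, while the single 0x000002DE... region in PID 64 is 0x10000 bytes.

```python
"""Parse a Triage-style 'Files' listing into actionable IOCs.

Added example, not part of the sandbox report above. SAMPLE is copied from
the report excerpt (two dropped files, four memory dumps). The format rules
below are an assumption about the listing:
  - a line beginning with a drive letter and ':\\' names a dropped file and
    is followed by '| MD5 | <hex> |' style rows
  - 'memory/<pid>-<idx>-0x<start>-0x<end>-memory.dmp' names a dumped region
"""
import re
from collections import defaultdict

SAMPLE = r"""
C:\Windows\System\LhVrRvp.exe
| MD5 | 3aca82d9a51afd9f72c0ba47455bae05 |
| SHA1 | 28f4c75cf108157ddd6e03e5f198dc0b37a261c2 |
| SHA256 | 6310a0c72739e2ced18ab6c24f0a02616ed355ac352e9bbe3d18b235c32621a3 |
memory/64-0-0x00007FF697720000-0x00007FF697A74000-memory.dmp
memory/64-1-0x000002DE35F90000-0x000002DE35FA0000-memory.dmp
memory/4732-38-0x00007FF6D7320000-0x00007FF6D7674000-memory.dmp
memory/64-113-0x00007FF697720000-0x00007FF697A74000-memory.dmp
C:\Windows\System\qGbVrHO.exe
| MD5 | 65af1667e9bc4df59780c8c3771529e7 |
| SHA256 | 334a4998ef7f9a6c8fd6814faafe7712935f547714acacdad8093fb1e19634ac |
"""

# Expected hex-digit lengths; a row that does not match was truncated or
# mangled in copy/paste and must not be pushed into a blocklist.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

FILE_RE = re.compile(r"^[A-Za-z]:\\.+$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_files(text):
    """Return (files, regions).

    files   : {dropped path: {algo: lowercase hex}}
    regions : [{'pid', 'idx', 'start', 'end'}] for every memory dump line
    """
    files = {}
    regions = []
    current = None  # dropped file whose hash rows we are currently reading
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            regions.append({"pid": int(pid), "idx": int(idx),
                            "start": int(start, 16), "end": int(end, 16)})
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m.group(1)] = m.group(2).lower()
            continue
        if FILE_RE.match(line):
            current = line
            files.setdefault(current, {})
    return files, regions


def validate_hashes(files):
    """Return (path, algo) pairs whose digest has the wrong length."""
    return [(path, algo) for path, digests in files.items()
            for algo, hexval in digests.items()
            if len(hexval) != HASH_LEN[algo]]


def sha256_set(files):
    """Deduplicated, sorted SHA256 list suitable for a blocklist feed."""
    return sorted({d["SHA256"] for d in files.values() if "SHA256" in d})


def region_sizes(regions):
    """Map region size in bytes -> set of PIDs that had a dump of that size."""
    by_size = defaultdict(set)
    for r in regions:
        by_size[r["end"] - r["start"]].add(r["pid"])
    return by_size


if __name__ == "__main__":
    files, regions = parse_files(SAMPLE)
    print("bad hash rows:", validate_hashes(files))
    for h in sha256_set(files):
        print("sha256:", h)
    for size, pids in sorted(region_sizes(regions).items()):
        print(f"region size 0x{size:X} seen in PIDs {sorted(pids)}")
```

Run against the full listing rather than the excerpt and the size table collapses to two rows, which is the quick way to confirm that the dozens of dumps are repeated copies of one image rather than distinct payloads worth triaging separately. The hash-length check is deliberately strict: a SHA256 that is 63 characters long is not a weaker indicator, it is a broken one.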