Analysis Overview
SHA256
924307950a648626434c9637d783ece958986b7c84ebafbd283b99bddbcfb36c
Threat Level: Known bad
The file 2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobaltstrike
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
Cobalt Strike reflective loader
xmrig
Cobaltstrike family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-27 17:58
Signatures
Cobalt Strike reflective loader
1 match; description, indicator, process and target all N/A.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match; description, indicator, process and target all N/A.
UPX dump on OEP (original entry point)
1 match; description, indicator, process and target all N/A.
XMRig Miner payload
1 match; description, indicator, process and target all N/A.
Xmrig family
UPX packed file
1 match; description, indicator, process and target all N/A.
Unsigned PE
1 match; description, indicator, process and target all N/A.
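The static signatures above flag the sample as a UPX-packed, unsigned PE. Both facts can be read from the PE headers alone: UPX names its sections UPX0/UPX1 by default, and an embedded Authenticode signature is located through the Certificate Table entry (index 4) of the optional header's data directory. The Python below is an added example, not the sandbox's signature logic. It builds a header-only PE in memory as constructed test input (build_pe and its placeholder values are assumptions for the example, not a file from this report) and then parses it. Two caveats a practitioner should keep in mind: a zero Certificate Table entry only rules out an embedded signature, not a catalog signature; and a packer build with renamed sections will not show UPX0/UPX1, so a miss is absence of evidence rather than proof the file is unpacked.

```python
import struct

# Index of the Certificate Table (Authenticode) entry in the optional header's
# data directory, per the PE/COFF specification (IMAGE_DIRECTORY_ENTRY_SECURITY).
SECURITY_DIRECTORY_INDEX = 4
# Section names UPX writes by default. A build with renamed sections would not
# match, so a miss is absence of evidence, not proof the file is unpacked.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def build_pe(section_names, pe32plus=True, signed=False):
    """Constructed test input (assumption for this example, not a file from the
    report): a header-only PE image with the given section names. It is not
    executable, just enough structure for header triage."""
    e_lfanew = 0x80
    opt_size = 0xF0 if pe32plus else 0xE0          # PE32+ vs PE32 optional header size
    dirs_offset = 112 if pe32plus else 96          # where the data directories start
    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack(
        "<HHIIIHH",
        0x8664 if pe32plus else 0x14C,   # Machine
        len(section_names),              # NumberOfSections
        0, 0, 0,                         # TimeDateStamp, symbol table pointer/count
        opt_size,                        # SizeOfOptionalHeader
        0x22 if pe32plus else 0x102,     # Characteristics (EXECUTABLE_IMAGE, ...)
    )
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<I", opt, dirs_offset - 4, 16)               # NumberOfRvaAndSizes
    if signed:
        # Non-zero Certificate Table: file offset and size of the attribute
        # certificate blob (placeholder values; no blob is appended).
        struct.pack_into("<II", opt, dirs_offset + 8 * SECURITY_DIRECTORY_INDEX, 0x1000, 0x800)
    sections = b"".join(
        name.encode("ascii").ljust(8, b"\x00") + b"\x00" * 32 for name in section_names
    )
    return dos + b"PE\x00\x00" + coff + bytes(opt) + sections


def inspect_pe(data):
    """Parse only the headers needed to answer the two static questions above:
    are UPX section names present, and is there an embedded Authenticode signature?"""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    (magic,) = struct.unpack_from("<H", data, opt_off)
    pe32plus = magic == 0x20B
    dirs_off = opt_off + (112 if pe32plus else 96)
    (n_dirs,) = struct.unpack_from("<I", data, dirs_off - 4)
    cert_off = cert_size = 0
    if n_dirs > SECURITY_DIRECTORY_INDEX:
        cert_off, cert_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * SECURITY_DIRECTORY_INDEX)
    sect_off = opt_off + opt_size
    names = [
        data[sect_off + 40 * i:sect_off + 40 * i + 8].rstrip(b"\x00").decode("ascii", "replace")
        for i in range(n_sections)
    ]
    return {
        "machine": machine,
        "pe32plus": pe32plus,
        "sections": names,
        "upx_packed": bool(UPX_SECTION_NAMES & set(names)),
        # Zero entry means no embedded signature; catalog-signed files also show zero here.
        "has_authenticode": cert_off != 0 and cert_size != 0,
    }


def triage(data):
    """Map the header facts onto the report's two static signature names."""
    info = inspect_pe(data)
    hits = []
    if info["upx_packed"]:
        hits.append("UPX packed file")
    if not info["has_authenticode"]:
        hits.append("Unsigned PE")
    return hits


if __name__ == "__main__":
    print(triage(build_pe(["UPX0", "UPX1", ".rsrc"])))
```

On a real sample, pass the file contents (open(path, "rb").read()) to inspect_pe or triage; the builder exists only so the example runs offline.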
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 17:58
Reported
2024-05-27 18:01
Platform
win7-20240221-en
Max time kernel
126s
Max time network
141s
Signatures
Cobalt Strike reflective loader
21 matches; description, indicator, process and target all N/A.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; description, indicator, process and target all N/A.
UPX dump on OEP (original entry point)
51 matches; description, indicator, process and target all N/A.
XMRig Miner payload
53 matches; description, indicator, process and target all N/A.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\sxSPMGA.exe | N/A |
| N/A | N/A | C:\Windows\System\ThcuCBV.exe | N/A |
| N/A | N/A | C:\Windows\System\GeEYypr.exe | N/A |
| N/A | N/A | C:\Windows\System\Xhrysrg.exe | N/A |
| N/A | N/A | C:\Windows\System\nwQsfea.exe | N/A |
| N/A | N/A | C:\Windows\System\PTheKvD.exe | N/A |
| N/A | N/A | C:\Windows\System\HBNcugZ.exe | N/A |
| N/A | N/A | C:\Windows\System\YbOjAaD.exe | N/A |
| N/A | N/A | C:\Windows\System\ctlaIAd.exe | N/A |
| N/A | N/A | C:\Windows\System\OCglYUj.exe | N/A |
| N/A | N/A | C:\Windows\System\wLnqUNX.exe | N/A |
| N/A | N/A | C:\Windows\System\qbgHMBC.exe | N/A |
| N/A | N/A | C:\Windows\System\MxEFHKJ.exe | N/A |
| N/A | N/A | C:\Windows\System\KdesDgQ.exe | N/A |
| N/A | N/A | C:\Windows\System\KNyleJf.exe | N/A |
| N/A | N/A | C:\Windows\System\mJbKzqh.exe | N/A |
| N/A | N/A | C:\Windows\System\ESbIZSe.exe | N/A |
| N/A | N/A | C:\Windows\System\SRACesY.exe | N/A |
| N/A | N/A | C:\Windows\System\qrICxvV.exe | N/A |
| N/A | N/A | C:\Windows\System\yQaPSLH.exe | N/A |
| N/A | N/A | C:\Windows\System\LoPJUgr.exe | N/A |
Loads dropped DLL
UPX packed file
51 matches; description, indicator, process and target all N/A.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\sxSPMGA.exe
C:\Windows\System\sxSPMGA.exe
C:\Windows\System\ThcuCBV.exe
C:\Windows\System\ThcuCBV.exe
C:\Windows\System\GeEYypr.exe
C:\Windows\System\GeEYypr.exe
C:\Windows\System\Xhrysrg.exe
C:\Windows\System\Xhrysrg.exe
C:\Windows\System\nwQsfea.exe
C:\Windows\System\nwQsfea.exe
C:\Windows\System\KdesDgQ.exe
C:\Windows\System\KdesDgQ.exe
C:\Windows\System\PTheKvD.exe
C:\Windows\System\PTheKvD.exe
C:\Windows\System\KNyleJf.exe
C:\Windows\System\KNyleJf.exe
C:\Windows\System\HBNcugZ.exe
C:\Windows\System\HBNcugZ.exe
C:\Windows\System\mJbKzqh.exe
C:\Windows\System\mJbKzqh.exe
C:\Windows\System\YbOjAaD.exe
C:\Windows\System\YbOjAaD.exe
C:\Windows\System\ESbIZSe.exe
C:\Windows\System\ESbIZSe.exe
C:\Windows\System\ctlaIAd.exe
C:\Windows\System\ctlaIAd.exe
C:\Windows\System\SRACesY.exe
C:\Windows\System\SRACesY.exe
C:\Windows\System\OCglYUj.exe
C:\Windows\System\OCglYUj.exe
C:\Windows\System\qrICxvV.exe
C:\Windows\System\qrICxvV.exe
C:\Windows\System\wLnqUNX.exe
C:\Windows\System\wLnqUNX.exe
C:\Windows\System\yQaPSLH.exe
C:\Windows\System\yQaPSLH.exe
C:\Windows\System\qbgHMBC.exe
C:\Windows\System\qbgHMBC.exe
C:\Windows\System\LoPJUgr.exe
C:\Windows\System\LoPJUgr.exe
C:\Windows\System\MxEFHKJ.exe
C:\Windows\System\MxEFHKJ.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\LoPJUgr.exe
| MD5 | 1fd93f23056b7aa11794fae48b0ffbf8 |
| SHA1 | 83fb546fdc88d9bd0b7aa8b5bede08125847792d |
| SHA256 | 94c59da5b9f7c756c3c28c3a9aa8490db609849f6689fcc5d7ef15cd31680d17 |
| SHA512 | 213d619efe73423274e0d59240cbe78e42b4d6cba59451d753056a4e03d452d071ff0f9b0067f8ea730727a4e78aabd217519fd960300aa651d925dc72b54867 |
\Windows\system\yQaPSLH.exe
| MD5 | 1801ddcc3604db3ef49450bbe76d0bbf |
| SHA1 | a79724effe516d60d38ceaa8047e51329876bed8 |
| SHA256 | 6ec6a8d8feb51145ac796d83903da00dc85a685eb6309ab35a99d894374ed7e8 |
| SHA512 | 14d589c6c32fb028c8f2b615d3bd0442a79bc90ec832d3400426e7af567e174ef1f6f464cda551f7dde776a0514e5b40ac2df862d588c1b7ca5cc9308941e621 |
memory/2136-83-0x000000013FB70000-0x000000013FEC4000-memory.dmp
\Windows\system\qrICxvV.exe
| MD5 | aa5bdecc8485f45006e80b07375dcb16 |
| SHA1 | c0d3d63443c4a181a6a12e23d1b7656d2598af26 |
| SHA256 | ababf987fa7aeade3872d62cf4357edaa9d33ca116b1a06a34cf8e360ba34f50 |
| SHA512 | ba8c45467c239a40df99fd52078e8d9f301050e6ddc9692bc7efd9d605b667c5dbe19ce749070a76d04634bff19b2ca49076150ed7c70c296c17521999f9b7d7 |
memory/2136-75-0x000000013FD50000-0x00000001400A4000-memory.dmp
\Windows\system\SRACesY.exe
| MD5 | 26b9215d3d74a771ee112c258b441017 |
| SHA1 | 5d45a7aa9319d239e0a6a6d42bcdef5229283d09 |
| SHA256 | dafe6b6040866f54af84448585522db0412b31f6c39497f63296095057f96a61 |
| SHA512 | dedb24d70a10f43cd1ecfdc1cc702fa60759dff66a42bd7aa2245120d38ff659d57377b755950a7c2bd5ac99e61dd8fadd7811289aff05374db28716e5dede49 |
C:\Windows\system\YbOjAaD.exe
| MD5 | b23fd6f39e2dacdf2ff21deaab367b0c |
| SHA1 | 5374d4060859b7de251739ec2c5b50918d87c1b2 |
| SHA256 | ebf7b997b24ef6177fd8e6ef6f084f46a9bdf7fcd27a36b4d79b597fc1a4232c |
| SHA512 | ead3698d51aca1b89286e530fc0c3890405cb694e632631561be9feef8c9f25320344cfb9c02a86f8e9633ba8fe08f8c5591e0c3a4e17a4325a4c3dca1c1e75c |
\Windows\system\ESbIZSe.exe
| MD5 | acfe7e8ba9cd4e93ea9dc21b9614f934 |
| SHA1 | d86f0b283384a45a6b67975ac22d11ce733597bd |
| SHA256 | a4d6f3b02d91851fcf6ff9d52eb49001b3a7ce7cf54a161acf2cf40611ce6611 |
| SHA512 | 3162f2df8c8d838f049bee2c137cff6f4f37e0d76e00228a24279f88d464c4c8636d5661a18b05e157a2870190690587d49aaed1afb1ec2fc5f042e37d304564 |
memory/2136-56-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/3012-55-0x000000013FD90000-0x00000001400E4000-memory.dmp
\Windows\system\mJbKzqh.exe
| MD5 | 1878fa517e7d297d13bf2ea98ebd8ac8 |
| SHA1 | 47a8d271d0715d84cf6412e1ced38133d0e9c862 |
| SHA256 | 9301dd2fc66ba563c69d07b1d467e564aed281ae1b157b98e69483cf58ae7c7c |
| SHA512 | b57306d95e4725a6697bf9690a02f01c173c36df31ca7f50e42bc80e20de8fae6196e635958f5edebebb547ade43648b147f0e7f9a45f208ab697cf36f74ae32 |
\Windows\system\KNyleJf.exe
| MD5 | 9f2e153cf016992e972e6fd5648b8988 |
| SHA1 | ae3b57944633e83a6af2c4d7461d497250eaf13b |
| SHA256 | 5d7dae17d19db3aafbe868bfa00d1e512e9a0e3b4e98822957150de9f9a83ea2 |
| SHA512 | b8ef24a1c45f12d2aaa279ca7e0bff8591faf436d1caa649c6f746aafc5e204a565562560d984cdb75bd1fc8c2eda8e29c4a34e312303f4ff07125f69ffa8f1f |
\Windows\system\KdesDgQ.exe
| MD5 | c60f896255d61b90f78d1e839fafecf2 |
| SHA1 | d3276d1d47e3d172ff02e7c16e29d06409a5b364 |
| SHA256 | 42cebaccb8529eea63a8c8346fe86c4219e3ddfad6ef0444c72ebf6c8ab7a398 |
| SHA512 | 9e51314c664e18c6591b48a05d8a4efa95a69e1180ff1ccd030b5970cbf06838e900dbab16dbf797c80465f469fefa568be586747f7e040ef141149974c7e06e |
memory/2084-130-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2136-129-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2136-105-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2688-104-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2136-103-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/1332-28-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
C:\Windows\system\MxEFHKJ.exe
| MD5 | 67cf5914a8e61659fc9d865786377194 |
| SHA1 | befd760ce0bff0f20b027c87d9a1e3efc5366842 |
| SHA256 | 5a03450d8a4639a4e13ae00a36c44bff4e59bd024920cb6638ba9bcf21415df8 |
| SHA512 | cbdcfdedf356676ec1a235894a29e5606b5a4f65ed2170464bfb5b29f8fab4f58a88a51c34e4e4b1c886fb6e4c006f6dfbfcfa5a5924592e7233dab2d06d3644 |
memory/2136-96-0x000000013F5E0000-0x000000013F934000-memory.dmp
C:\Windows\system\qbgHMBC.exe
| MD5 | c4feb3dcb5341b56e85342e5bc723c01 |
| SHA1 | 03d494b7ed91e5f88dd6fae2cb4d6c9ec1c3e5c8 |
| SHA256 | 3ae332769d9663ec4dc9725bb04eef36632a8a4133007c9be82304bce4a679e7 |
| SHA512 | 97f4c2725a5c613a82eb779b4169609050f984c0223c82b67d26f8db1a294ece4f27a06231bfd83a11cae9af5bc6df4e13c83f972a99581a528d98cd850282d6 |
C:\Windows\system\wLnqUNX.exe
| MD5 | effe58465d46d82faeef1869ae2eba8b |
| SHA1 | b414a65fdd33f5129d187cfeb65dc3d768d7eb2b |
| SHA256 | fe56b05fde05167cb7d6a6434e61259b0e2c3e28fad1f936b95067a71d079faf |
| SHA512 | b75a5ca45d830beba63991fc80907abb505931d08bad7e051c823d829960a2b7324f8bac5c3894b01de545e214b895ef2d9ec0f01725c9d6e5b482371c114a0d |
memory/2644-86-0x000000013FB70000-0x000000013FEC4000-memory.dmp
C:\Windows\system\OCglYUj.exe
| MD5 | 6b90c7020990a31615770376dd15b064 |
| SHA1 | 4a4eba8fa01711ecf2240215d372b36d623ca3b9 |
| SHA256 | 44e2db78360f44bc5e6fdbea1a15e54396e3fcfad9728b4a8d83c726195d9a3a |
| SHA512 | 5ef884f5631582b184ea05bf746f5ff33069ece54cbbee58c15ddb9c775dd04c88687623ce4135a4d380d5401ccc1d986cf82e7549712f1b00ad87af4fd49ae9 |
memory/2900-71-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2136-70-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2136-69-0x000000013F950000-0x000000013FCA4000-memory.dmp
C:\Windows\system\ctlaIAd.exe
| MD5 | 18d52facace7bac81e1080aa3e6e7b79 |
| SHA1 | 9b052d0cbefd27c72913030b2b71e6e66a575c47 |
| SHA256 | 64e3b072422a32bca5293f17f2b28042da70b047b8ce03ad3d4f94899ca7dd54 |
| SHA512 | 930e0de898bf01f39a0335da7513e210e9654f7bb2ea6172433ebdf434fbebf34a0fee5768165fbafd832312b8cb1a8741e3a8c211f000456f03d73d473b7465 |
memory/2668-60-0x000000013F2F0000-0x000000013F644000-memory.dmp
C:\Windows\system\HBNcugZ.exe
| MD5 | a0a1085053c662cdc6dc705962430c9e |
| SHA1 | a245a6e9ff8333b46f8f7c6597b8631158d6d404 |
| SHA256 | 43ec3eecab5f7f0846efc30cb69c51a641761fd168573eed8519bccf75075a13 |
| SHA512 | 91bdd931f6d52eded662b0f2ec13cb914bbff0f85dd097be07eae1f0ed7d393ffa92a103bd8d1542497dce6c9c448f33d008ccad5362289583fc8ccca980ee74 |
memory/1332-131-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2136-44-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/2272-41-0x000000013F470000-0x000000013F7C4000-memory.dmp
C:\Windows\system\PTheKvD.exe
| MD5 | 4b7fc45a1f2fe4d9c11780e8e72e852b |
| SHA1 | da683772cec899f357ead8edee2e954d8ddcf229 |
| SHA256 | 84facd60c63048d77fce2e23cd2e52dd78e085dd23e213c19faa6bb5fe82392d |
| SHA512 | d3256f94f0a5744ebb751d9dd5471b1917e00cc6806a5495f26dfc880f9cae7f09347e30cdba2da5f5099edc82eff909c8e6c6c743cfe21eaefc3f46995332cc |
C:\Windows\system\nwQsfea.exe
| MD5 | 10260679c7373af7e492fbe4add96641 |
| SHA1 | a9a397864f214acf1ff6c6d829e4ccb067d4fa12 |
| SHA256 | 3cf3ab7761a457e14917b5ffa932fc28934787c8f09fce9fc63b23e046b7b9df |
| SHA512 | dbbb2d94988ac7e972896aa4bfa39b0b72e3165938994b4318d308da5a36dba588b6a6ed51c9a50f965a5d59eda26f796dffc6297c94ba75cce5cf4644ef4ccb |
C:\Windows\system\Xhrysrg.exe
| MD5 | 6f2965141defb12dfbfe6add5b447424 |
| SHA1 | d6c8e04cdc2c5fd5d3341caa9e0d5cbab2a4e406 |
| SHA256 | 76a716cab209b74551cf8d2d96cb922df9695c8158e9f010bb5596c6640fabc0 |
| SHA512 | 316db95ad4dda67e727d07639071e2c4b70ea1b69a5b297a3bb06c0bc891cfd6ec53c0104e28322997d2076e011bb5aec30c7fac35dbcde5e3d6b18b48e52ea0 |
memory/2136-26-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2136-25-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2396-24-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2136-23-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2084-19-0x000000013FF90000-0x00000001402E4000-memory.dmp
C:\Windows\system\GeEYypr.exe
| MD5 | aec878b7847e7fed7169eb0d99a7a99d |
| SHA1 | 5450563c2f429d3ea614af5015a7e04751984d74 |
| SHA256 | 60a949d9c59a96c28b59f0088ec04ef392638a2c06ca20323dceae4dbc40ede4 |
| SHA512 | 1d2355fc961d926482c839122ecc28beb68c2a17233d0c0ee5da697388cd90b270ac99da4488d9f0243e4060c9920c52f795e485f1cfdc2b0f34773bd828be6e |
memory/548-17-0x000000013F090000-0x000000013F3E4000-memory.dmp
C:\Windows\system\ThcuCBV.exe
| MD5 | b5bd8e76aa731d9e229b71d21f28443e |
| SHA1 | 77b03efa62b2e9bce5394be51e3bbe1c443dace1 |
| SHA256 | 8699d94318ab7bfbfb054ca135e26acf623b1affc8bc66622dc2c9550612b976 |
| SHA512 | 066b4d6e9aeab3831c57773df6d93333a7f7c3603128ffcbf29f6027b486d183cd9056c000c8d7c1608b5c0ae748d9404f4529863fd9cd78300a38f1d33f92d8 |
C:\Windows\system\sxSPMGA.exe
| MD5 | 0ce8025aecb9d89c596344e03c9a9afc |
| SHA1 | c9a8c491c62946879cf5196ecbca11ee2f2fee57 |
| SHA256 | 3e4e2e52f15f65565574fd666193e5f110ee8c761da4dc0d1b6ad8efe3e2c335 |
| SHA512 | d1a872e568184a8bd4ed09504288e2d2f66b885f0c8998b287a6b2b2f2866b9d1c25e924ea1f1667bac9fcafaae5ae66c517ce2d8557bb91492d0bf07e90d6f5 |
memory/2136-1-0x0000000000200000-0x0000000000210000-memory.dmp
memory/2136-0-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2668-132-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/2900-133-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2644-134-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/2136-135-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2548-136-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2688-137-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/548-138-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2396-139-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2272-140-0x000000013F470000-0x000000013F7C4000-memory.dmp
memory/3012-141-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/2084-142-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/1332-143-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2900-147-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2548-146-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2644-145-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/2668-144-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/2688-148-0x000000013F9E0000-0x000000013FD34000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 17:58
Reported
2024-05-27 18:01
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
158s
Signatures
Cobalt Strike reflective loader
21 matches; description, indicator, process and target all N/A.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; description, indicator, process and target all N/A.
UPX dump on OEP (original entry point)
64 matches; description, indicator, process and target all N/A.
XMRig Miner payload
64 matches; description, indicator, process and target all N/A.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\CurNQie.exe | N/A |
| N/A | N/A | C:\Windows\System\UiJBJuo.exe | N/A |
| N/A | N/A | C:\Windows\System\zFqNpVA.exe | N/A |
| N/A | N/A | C:\Windows\System\FhcdCex.exe | N/A |
| N/A | N/A | C:\Windows\System\rpHdrSS.exe | N/A |
| N/A | N/A | C:\Windows\System\ZWRIBdA.exe | N/A |
| N/A | N/A | C:\Windows\System\sSQamAX.exe | N/A |
| N/A | N/A | C:\Windows\System\OqOhdfz.exe | N/A |
| N/A | N/A | C:\Windows\System\Fywdvyf.exe | N/A |
| N/A | N/A | C:\Windows\System\mtTsTLP.exe | N/A |
| N/A | N/A | C:\Windows\System\vTGyVDo.exe | N/A |
| N/A | N/A | C:\Windows\System\vsOXZJm.exe | N/A |
| N/A | N/A | C:\Windows\System\nSpJYQv.exe | N/A |
| N/A | N/A | C:\Windows\System\zpQqxhY.exe | N/A |
| N/A | N/A | C:\Windows\System\LmfWaEf.exe | N/A |
| N/A | N/A | C:\Windows\System\SSSXbpW.exe | N/A |
| N/A | N/A | C:\Windows\System\uVMzphV.exe | N/A |
| N/A | N/A | C:\Windows\System\qFGWqig.exe | N/A |
| N/A | N/A | C:\Windows\System\FIZtsFJ.exe | N/A |
| N/A | N/A | C:\Windows\System\FBMvBVG.exe | N/A |
| N/A | N/A | C:\Windows\System\veUGWrQ.exe | N/A |
UPX packed file
64 matches; description, indicator, process and target all N/A.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\CurNQie.exe
C:\Windows\System\CurNQie.exe
C:\Windows\System\UiJBJuo.exe
C:\Windows\System\UiJBJuo.exe
C:\Windows\System\zFqNpVA.exe
C:\Windows\System\zFqNpVA.exe
C:\Windows\System\FhcdCex.exe
C:\Windows\System\FhcdCex.exe
C:\Windows\System\rpHdrSS.exe
C:\Windows\System\rpHdrSS.exe
C:\Windows\System\ZWRIBdA.exe
C:\Windows\System\ZWRIBdA.exe
C:\Windows\System\sSQamAX.exe
C:\Windows\System\sSQamAX.exe
C:\Windows\System\OqOhdfz.exe
C:\Windows\System\OqOhdfz.exe
C:\Windows\System\Fywdvyf.exe
C:\Windows\System\Fywdvyf.exe
C:\Windows\System\mtTsTLP.exe
C:\Windows\System\mtTsTLP.exe
C:\Windows\System\vTGyVDo.exe
C:\Windows\System\vTGyVDo.exe
C:\Windows\System\vsOXZJm.exe
C:\Windows\System\vsOXZJm.exe
C:\Windows\System\nSpJYQv.exe
C:\Windows\System\nSpJYQv.exe
C:\Windows\System\zpQqxhY.exe
C:\Windows\System\zpQqxhY.exe
C:\Windows\System\LmfWaEf.exe
C:\Windows\System\LmfWaEf.exe
C:\Windows\System\SSSXbpW.exe
C:\Windows\System\SSSXbpW.exe
C:\Windows\System\uVMzphV.exe
C:\Windows\System\uVMzphV.exe
C:\Windows\System\qFGWqig.exe
C:\Windows\System\qFGWqig.exe
C:\Windows\System\FIZtsFJ.exe
C:\Windows\System\FIZtsFJ.exe
C:\Windows\System\FBMvBVG.exe
C:\Windows\System\FBMvBVG.exe
C:\Windows\System\veUGWrQ.exe
C:\Windows\System\veUGWrQ.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4456 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| GB | 172.217.169.74:443 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3100-0-0x00007FF6427E0000-0x00007FF642B34000-memory.dmp
memory/3100-1-0x0000020319150000-0x0000020319160000-memory.dmp
C:\Windows\System\CurNQie.exe
| MD5 | 85ddb45af7e22b213cc258f14c844fbe |
| SHA1 | 92d6f4ad3f7a1db4ddce3e4af204d276006f7263 |
| SHA256 | 10475be38cbc2a69ab1c01045a78b934544fcf31853625fefdf4a3edec4b01a7 |
| SHA512 | 44744ce08dad328baad53e40ab521c04ae18d847ba89084f3a01523a644d153c8d9493d920437f3612723bfdcc579dbbdcc0dc5ad138921855892d0e105b2177 |
memory/2012-8-0x00007FF7DE420000-0x00007FF7DE774000-memory.dmp
C:\Windows\System\UiJBJuo.exe
| MD5 | b8fc0ba757ddf20dc7c34ad0a3e5566a |
| SHA1 | 963087df531ce20b5ab809d2f5e5fc2412abc0f5 |
| SHA256 | 51301d5596ce32be440ed11f779d473538cd19e6a87d2c854a35d2e04869c71a |
| SHA512 | 13f6be40f2a47aa358ed430365b0824ba49d769e0a96db990ef961fde0226800f5e2fcec84683b63b1dc1fbc24b5a441a6d2760be1ae32ea0711c0f077f4dc31 |
memory/4580-14-0x00007FF6B0870000-0x00007FF6B0BC4000-memory.dmp
C:\Windows\System\zFqNpVA.exe
| MD5 | bfd3f8bb904a6f251e3d30ad8f0a57b9 |
| SHA1 | 3ef94e7ae819429e896a318aada40e41e2470852 |
| SHA256 | 95ce1512f3be3b2c59d7fb24dabd9cee491996b369fea9ac90ccf0a989e92003 |
| SHA512 | 22341bf83990162e6b7962f7dc3b00df58d58e87708e07f2976969f65da4f5031391aef781369d8f28cb8fb21cdae37cb5bc58a47b3c587e9e8a5289c520a69d |
memory/4016-20-0x00007FF66F680000-0x00007FF66F9D4000-memory.dmp
C:\Windows\System\FhcdCex.exe
| MD5 | 644344abe07393843b97e021e23bc332 |
| SHA1 | 8c7ede7831279c9b091bf83eb2ddaa6a1b203c32 |
| SHA256 | 62444dd42b42fb9ccdbd5c0b345820524332f040da5d26fa941638397c83539f |
| SHA512 | dcc34beddfb93c4c7ced07dc80ee85b1aff0dc148751b6b0c84f09b8a0103ee4e4d514ad7aea5f890fd905c8182b7599e52641fc54f2870c39e1b21f0cedce59 |
memory/4724-24-0x00007FF7782D0000-0x00007FF778624000-memory.dmp
C:\Windows\System\rpHdrSS.exe
| MD5 | 3bad8301981bb11c933f1a16bdc39aa8 |
| SHA1 | c655323d1aba0bbd9bdf70f77d8c4ebd8df9f1de |
| SHA256 | c36cbd724d2f7882b4c6ae954dbb6b64d8d7576849c3e790a79e0ae54d5b9df6 |
| SHA512 | 856895be04e08f368819034cc0d4f625449e82a1dfcd743bcfea81eb374d7cf056e05d84180145acae0e24d743e738fb644a02d79ea735f5d51b029274e04d23 |
C:\Windows\System\ZWRIBdA.exe
| MD5 | 66dad18706a2cc5714fc60a4d4e32eb2 |
| SHA1 | a4cf3eb0cd1c4ad5123ab1d4f79cfe337117bffb |
| SHA256 | c028e77cc2fe98ff6663d9f80dc56bcb52ecf80ca667bc4b09d480a706818247 |
| SHA512 | 04d02f594faad6f61e6e08bb4ec7c37926830174b154c0965b82f3b16c8bff0c2b2b7a98d969ac450d0296003f8f35b89f09a0743aa9eadc20a79c32972e3a9e |
memory/3660-32-0x00007FF7DD7A0000-0x00007FF7DDAF4000-memory.dmp
memory/3608-36-0x00007FF62BC40000-0x00007FF62BF94000-memory.dmp
C:\Windows\System\sSQamAX.exe
| MD5 | 727825133ca0b4d6beef6e136ee98021 |
| SHA1 | 3ac4dd148c9f493cddc60b31d196a46239c2958d |
| SHA256 | de79d98bce000593bbeb695a6d4d701eb0c2dff56174c5c1828cd7a6bad53df3 |
| SHA512 | 8b912ac70e192fb321ed068db744e3952321b836484422623efb345b6a783b8a3ee534c34e0ef282f5827a7e9cee0b9070f6be31227bee9d1068eaefcce9dde6 |
memory/2196-44-0x00007FF7CB840000-0x00007FF7CBB94000-memory.dmp
C:\Windows\System\OqOhdfz.exe
| MD5 | be17f3e551c490b42069ce865387abb4 |
| SHA1 | 533778ddc79ea903b38c0f2d9db8fa25bceada87 |
| SHA256 | fb9115b17a2cf18af7f0b96ae2a9540f11293e0c716823301d25e5033e2622a6 |
| SHA512 | 4ec0b4b2d1381b786a987e1bfa5ef7b39b919272968d7e43495f4a320021632ece7c5d9afec0e13ebbef550efb0390e45ec8b2afa61e7c62ef1e29e2c4163a83 |
C:\Windows\System\Fywdvyf.exe
| MD5 | 8517db7ef8368c31c9661eefa051f19d |
| SHA1 | 29a1ffcbc147711ecda7eb65142fcad7382e45f1 |
| SHA256 | 184c5cf38ee9086e98a29040e953503ad0a9ff66a2de2b2d93e54364069a32bd |
| SHA512 | 110aa2466d762b0181856328ec354dcda8fefc9782af61a9895dafe91ef4990e073964da40332d1b90474a0eae28b6f4307c784f530ffabfc03d07627d7a7784 |
memory/3300-50-0x00007FF6FFCB0000-0x00007FF700004000-memory.dmp
C:\Windows\System\mtTsTLP.exe
| MD5 | 52cb892ada9e80c9804384104f1d2a96 |
| SHA1 | dc2796719b6dabf1bd28cfabdbc6475caf17a9f6 |
| SHA256 | 5f6a43e307af2f2fb5c7e245b4d3b2fa82aa1cfafa3c542ce29dd5142c758eee |
| SHA512 | 7523c24846bf7e4cf28981852d7ba37e4358eb4175aa68f55298f92d3e97f18312e55e1c13d3dec9f4925369c411072a9ee1620182e0ae9dc6d708a3fd3a7aa2 |
memory/908-57-0x00007FF79D370000-0x00007FF79D6C4000-memory.dmp
memory/3100-62-0x00007FF6427E0000-0x00007FF642B34000-memory.dmp
memory/2596-63-0x00007FF65E350000-0x00007FF65E6A4000-memory.dmp
C:\Windows\System\vTGyVDo.exe
| MD5 | c5bb923eb086b4d547c80de5df75eca4 |
| SHA1 | 2e625cd3ad31ce8ef006a3285adf193a3354569d |
| SHA256 | aa7c6aa278ffd1130d1d23c60745510372ff43abd541dd5e57b7bf01e812ba5d |
| SHA512 | 14a11dc8bb696f9e033c7f5de1ba63da2e9d18c82b2a8f419a58dea3e792893db5db89295d1b218379e43e56754a2cb4a6cb5f93556b04a996886733df8023be |
memory/2012-67-0x00007FF7DE420000-0x00007FF7DE774000-memory.dmp
C:\Windows\System\vsOXZJm.exe
| MD5 | a20964c57db520634803a2061084f37b |
| SHA1 | 41635340edd1669547e3f91bf8b2a78c465b9561 |
| SHA256 | 92c47e20ea9118c1946e6c6472d7c39f9d2c07baa6008bb12c29f617dfb90009 |
| SHA512 | 7e63bd093a610af4ef0c7106c0a06e9761c1aac05eb37f200b1c4985487fda49592ab0e9cc60749ecd9c342e59866efe8d231c5a24692d0a523fd1cd68c7b2f2 |
memory/4044-73-0x00007FF733420000-0x00007FF733774000-memory.dmp
memory/4580-74-0x00007FF6B0870000-0x00007FF6B0BC4000-memory.dmp
memory/4844-75-0x00007FF635030000-0x00007FF635384000-memory.dmp
memory/4016-81-0x00007FF66F680000-0x00007FF66F9D4000-memory.dmp
C:\Windows\System\nSpJYQv.exe
| MD5 | 868070b09a789e1c0343033c59ba7c0b |
| SHA1 | ce9a4c0b729193334c20423df3a8fe74cd13a0ad |
| SHA256 | 961f6d54c4d1cb6306ee2401e1374976ac87313676ec6d50f4aee2a62a874c91 |
| SHA512 | f9284547378b38f3ccc640a4086008e952b1371a433c6757dba26f83fbf1630447b036b34fef6239a69e652b486f3d00de8654e71ec7f1202541deda08c617c1 |
C:\Windows\System\zpQqxhY.exe
| MD5 | 55224baa98d1eb75644ca5ff78ccf83f |
| SHA1 | 9dfe9d51de03811fb3443f6391e6842bb757da96 |
| SHA256 | 133e1889d09353d098d71cbb5fe6c9683492901f79d10e48d1f6d084aa63fb63 |
| SHA512 | e277a67eea9c4429ab01dc341900077a9ce2aa31230193d5a319ad1ffa3ab3298b50d43b5443bec5523e2632c96ba11323f7870526198a5ac2c8d414158520f7 |
C:\Windows\System\LmfWaEf.exe
| MD5 | 2095aaddeedf83f67f497818e3f1c8b9 |
| SHA1 | f0c9550b333cba13415aa588f4e69ae47f5f8cd4 |
| SHA256 | 3076a8334597cfa0b640e1ae543e906e67fde552f390f941e9e874dd8d632b87 |
| SHA512 | bbc548405aabf5ed869032c9c0092de5779da215c372576b8c3f687ec9060f790bac5b35e053dae3fa8ec5e239c78b7b3d3a8c93273252509886e07afbbae746 |
C:\Windows\System\SSSXbpW.exe
| MD5 | de5de2603bf279e99660abd22e386281 |
| SHA1 | f0cbff38344916f2c169a49ab4ee937de050da51 |
| SHA256 | 3f8ae6a5f690b9258c7498235e658c30e4665d0fb1a07a1710eb91a9eee8d24d |
| SHA512 | c28954f2fe7d51ac986d49091d22d64222aa310c38074844623703b31140af2dddde46ea7fe06ad6d6eec592bbd659bf1793a8e2da5d8f12ce7d7fd82a412363 |
C:\Windows\System\uVMzphV.exe
| MD5 | 71cd26cd690548592a5fb26d5ed5f977 |
| SHA1 | 57c7e38bcb60305c9b171c641c8c07454261e198 |
| SHA256 | 322665f45a4320e4f3855d1cb59e452228b17fd44e5c13aebe5cf428024fb6a2 |
| SHA512 | 6c49a429e2d5ea612ea456fcacc2f3ba64adec3c284a78903f69a4c66a3439f2172a7fa730786aa7532c3e120ce847fb8d2b94eda58f5de064e842206b436d8b |
C:\Windows\System\qFGWqig.exe
| MD5 | 0b1e8404dc976abcec0ff3bc6c726ff7 |
| SHA1 | 100767aa9405b13a8a9705088e2836814e711b99 |
| SHA256 | 1dc535e770727af5090ee9fb5ab7ec9f2cb2c8317d30a64343abb5e3df659790 |
| SHA512 | c4abd7aaaf5c4e87172e79ab7f5742e4b6903c2658135c4d291a00cdce62f8ae2d0c1d23dfbebc3a3ef403f87dd6225a6a3fb1a45b3003e0dae3edb2fb974b43 |
C:\Windows\System\FIZtsFJ.exe
| MD5 | 8fb2a825e94fd63e28fec5d6900fc9ce |
| SHA1 | 633a2d5679e91b57c6527940f2b11603fb4b6df6 |
| SHA256 | effec9b98428ae3bcd343ef8130503318e8b44ab4210f7d51780505000e683c6 |
| SHA512 | 81c4add85ebe6cec3360ab269ead50e2c844f57a28c257ac7008969d0bccd012235b0192b28eb1b9d2c3f7cb039a0778ac696a1146d50b46806a5426c80441a6 |
C:\Windows\System\veUGWrQ.exe
| MD5 | 8a86ab4b62297f524bedbdc088bb4d71 |
| SHA1 | df065bbbdd7f2fcd9907ebe32bf521da0411859a |
| SHA256 | 3b6aa9197618d8ba4472d1e01717759a035e8af925a2602f8b076909f2105e60 |
| SHA512 | 9ad8533277a45331ed70be00015c164b4712ee9f73401268b1ae6d11d5950d26914ec8e5a4656b10d5cd28dfb3507a0df89cb2e81d379a528840ddb84ea22bb7 |
C:\Windows\System\FBMvBVG.exe
| MD5 | 7394486df3fffd1191790ee28b9c065e |
| SHA1 | ccb8465a5145ba2dfc47c2ee87988481f6d14f2b |
| SHA256 | ec9fd120fd7c4b15921cb300975b95181b724137d60bdc743f1b8617efb0320c |
| SHA512 | 2ac696bcfb5f6c8382665e9e6fb7a68e1d41ba8cd00e09c01264d65c3a33f91dcccde468b89e6d6eb9f21fb2da3e04b70bfaf7f2c8e7a95b26e0256ab0a1ee85 |
memory/4592-82-0x00007FF728FB0000-0x00007FF729304000-memory.dmp
memory/2008-122-0x00007FF674EE0000-0x00007FF675234000-memory.dmp
memory/1572-126-0x00007FF65D950000-0x00007FF65DCA4000-memory.dmp
memory/864-128-0x00007FF669CB0000-0x00007FF66A004000-memory.dmp
memory/1624-130-0x00007FF7E3D80000-0x00007FF7E40D4000-memory.dmp
memory/4012-129-0x00007FF65EC70000-0x00007FF65EFC4000-memory.dmp
memory/3652-127-0x00007FF760410000-0x00007FF760764000-memory.dmp
memory/4612-125-0x00007FF6162B0000-0x00007FF616604000-memory.dmp
memory/5012-115-0x00007FF64F240000-0x00007FF64F594000-memory.dmp
memory/4724-112-0x00007FF7782D0000-0x00007FF778624000-memory.dmp
memory/3608-133-0x00007FF62BC40000-0x00007FF62BF94000-memory.dmp
memory/3300-134-0x00007FF6FFCB0000-0x00007FF700004000-memory.dmp
memory/4844-135-0x00007FF635030000-0x00007FF635384000-memory.dmp
memory/2012-136-0x00007FF7DE420000-0x00007FF7DE774000-memory.dmp
memory/4592-137-0x00007FF728FB0000-0x00007FF729304000-memory.dmp
memory/4580-138-0x00007FF6B0870000-0x00007FF6B0BC4000-memory.dmp
memory/4016-139-0x00007FF66F680000-0x00007FF66F9D4000-memory.dmp
memory/4724-140-0x00007FF7782D0000-0x00007FF778624000-memory.dmp
memory/3660-141-0x00007FF7DD7A0000-0x00007FF7DDAF4000-memory.dmp
memory/4012-142-0x00007FF65EC70000-0x00007FF65EFC4000-memory.dmp
memory/1624-143-0x00007FF7E3D80000-0x00007FF7E40D4000-memory.dmp
memory/2196-144-0x00007FF7CB840000-0x00007FF7CBB94000-memory.dmp
memory/3608-145-0x00007FF62BC40000-0x00007FF62BF94000-memory.dmp
memory/3300-146-0x00007FF6FFCB0000-0x00007FF700004000-memory.dmp
memory/908-147-0x00007FF79D370000-0x00007FF79D6C4000-memory.dmp
memory/2596-148-0x00007FF65E350000-0x00007FF65E6A4000-memory.dmp
memory/4044-149-0x00007FF733420000-0x00007FF733774000-memory.dmp
memory/4844-150-0x00007FF635030000-0x00007FF635384000-memory.dmp
memory/5012-151-0x00007FF64F240000-0x00007FF64F594000-memory.dmp
memory/2008-152-0x00007FF674EE0000-0x00007FF675234000-memory.dmp
memory/4592-153-0x00007FF728FB0000-0x00007FF729304000-memory.dmp
memory/1572-154-0x00007FF65D950000-0x00007FF65DCA4000-memory.dmp
memory/864-155-0x00007FF669CB0000-0x00007FF66A004000-memory.dmp
memory/4612-157-0x00007FF6162B0000-0x00007FF616604000-memory.dmp
memory/3652-156-0x00007FF760410000-0x00007FF760764000-memory.dmp
memory/1624-158-0x00007FF7E3D80000-0x00007FF7E40D4000-memory.dmp
memory/4012-159-0x00007FF65EC70000-0x00007FF65EFC4000-memory.dmp
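The Files section above interleaves dropped executables with their digests and the memory regions the sandbox dumped. The script below, added here as an example and not part of the sandbox's output or tooling, parses that layout into a hash list and a set of memory regions, validates digest lengths before they become indicators, and groups regions by size. The sample input is copied from the entries above (three dropped files and the memory entries around them); reading one recurring region size as the mapped image in each process is this example's interpretation rather than a statement made by the report.

```python
"""Pull dropped-file hashes and memory-dump regions out of a sandbox
report's Files section, and group the regions by size.

Added example for this report page, not part of the sandbox's own output or
tooling. The sample text is copied from the Files section above (three of the
dropped files and the memory entries around them); the same functions run
unchanged over the full section. Reading one recurring region size as the
mapped image in each process is this example's interpretation, not a
statement made by the report.
"""
import re

# Constructed input: copied from the Files section above.
FILES_SECTION = r"""
memory/3100-0-0x00007FF6427E0000-0x00007FF642B34000-memory.dmp
memory/3100-1-0x0000020319150000-0x0000020319160000-memory.dmp
C:\Windows\System\CurNQie.exe
| MD5 | 85ddb45af7e22b213cc258f14c844fbe |
| SHA1 | 92d6f4ad3f7a1db4ddce3e4af204d276006f7263 |
| SHA256 | 10475be38cbc2a69ab1c01045a78b934544fcf31853625fefdf4a3edec4b01a7 |
| SHA512 | 44744ce08dad328baad53e40ab521c04ae18d847ba89084f3a01523a644d153c8d9493d920437f3612723bfdcc579dbbdcc0dc5ad138921855892d0e105b2177 |
memory/2012-8-0x00007FF7DE420000-0x00007FF7DE774000-memory.dmp
C:\Windows\System\UiJBJuo.exe
| MD5 | b8fc0ba757ddf20dc7c34ad0a3e5566a |
| SHA1 | 963087df531ce20b5ab809d2f5e5fc2412abc0f5 |
| SHA256 | 51301d5596ce32be440ed11f779d473538cd19e6a87d2c854a35d2e04869c71a |
| SHA512 | 13f6be40f2a47aa358ed430365b0824ba49d769e0a96db990ef961fde0226800f5e2fcec84683b63b1dc1fbc24b5a441a6d2760be1ae32ea0711c0f077f4dc31 |
memory/4580-14-0x00007FF6B0870000-0x00007FF6B0BC4000-memory.dmp
C:\Windows\System\zFqNpVA.exe
| MD5 | bfd3f8bb904a6f251e3d30ad8f0a57b9 |
| SHA1 | 3ef94e7ae819429e896a318aada40e41e2470852 |
| SHA256 | 95ce1512f3be3b2c59d7fb24dabd9cee491996b369fea9ac90ccf0a989e92003 |
| SHA512 | 22341bf83990162e6b7962f7dc3b00df58d58e87708e07f2976969f65da4f5031391aef781369d8f28cb8fb21cdae37cb5bc58a47b3c587e9e8a5289c520a69d |
memory/4016-20-0x00007FF66F680000-0x00007FF66F9D4000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
DROPPED_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)


def parse_files_section(text):
    """Return (files, regions): files maps a dropped path to its digests,
    regions is a list of dicts with pid, idx, start, end and size."""
    files, regions, current = {}, [], None
    for line in text.strip().splitlines():
        line = line.strip()
        m = MEM_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "idx": int(m[2]),
                            "start": start, "end": end, "size": end - start})
            continue
        if DROPPED_RE.match(line):
            current = line
            files[current] = {}
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m[1], m[2].lower()
            # A digest of the wrong length is a copy/paste or extraction error;
            # refuse it rather than ship a broken indicator.
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{current}: {algo} has {len(digest)} hex digits")
            files[current][algo] = digest
    return files, regions


def regions_by_size(regions):
    """Map region size -> set of PIDs that have a region of that size."""
    by_size = {}
    for r in regions:
        by_size.setdefault(r["size"], set()).add(r["pid"])
    return by_size


def sha256_iocs(files):
    """Sorted, de-duplicated SHA256 list ready for a blocklist or hunt query."""
    return sorted({d["SHA256"] for d in files.values() if "SHA256" in d})


if __name__ == "__main__":
    files, regions = parse_files_section(FILES_SECTION)
    for size, pids in sorted(regions_by_size(regions).items()):
        print(f"region size 0x{size:X} in PIDs {sorted(pids)}")
    print("\n".join(sha256_iocs(files)))
```

On the sample, the 0x354000-byte region appears in PIDs 3100, 2012, 4580 and 4016, while the 0x10000-byte region belongs to 3100 alone. Run over the whole section above, every memory entry except memory/3100-1 spans 0x354000 bytes, one such region per PID, which is consistent with each spawned process mapping an image of the same size; the dropped files differ in every digest, so they are not byte-identical copies even though their mapped size matches.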