Analysis Overview
SHA256
4ffccd3bdab85e9d09be17e40837c3a4b004d012cde86adcd80bf84def092eae
Threat Level: Known bad
The file 2024-05-27_f8249d9221810bc08f93520b6f12e641_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Xmrig family
Cobaltstrike
xmrig
Cobaltstrike family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-27 18:18
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 18:18
Reported
2024-05-27 18:21
Platform
win7-20240508-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\sBaQzpi.exe | N/A |
| N/A | N/A | C:\Windows\System\AgNlSaI.exe | N/A |
| N/A | N/A | C:\Windows\System\DLSsyJC.exe | N/A |
| N/A | N/A | C:\Windows\System\OhbSXvr.exe | N/A |
| N/A | N/A | C:\Windows\System\oWmkqxl.exe | N/A |
| N/A | N/A | C:\Windows\System\WHOdsGu.exe | N/A |
| N/A | N/A | C:\Windows\System\SkBNcea.exe | N/A |
| N/A | N/A | C:\Windows\System\igyUQIx.exe | N/A |
| N/A | N/A | C:\Windows\System\KnfipJF.exe | N/A |
| N/A | N/A | C:\Windows\System\QabYzHJ.exe | N/A |
| N/A | N/A | C:\Windows\System\cEQOlMK.exe | N/A |
| N/A | N/A | C:\Windows\System\EdYCRWe.exe | N/A |
| N/A | N/A | C:\Windows\System\DiryDKe.exe | N/A |
| N/A | N/A | C:\Windows\System\OwjZeWV.exe | N/A |
| N/A | N/A | C:\Windows\System\PicIKia.exe | N/A |
| N/A | N/A | C:\Windows\System\BQbLSkV.exe | N/A |
| N/A | N/A | C:\Windows\System\YJTAstQ.exe | N/A |
| N/A | N/A | C:\Windows\System\gGSNqYb.exe | N/A |
| N/A | N/A | C:\Windows\System\PGytGqd.exe | N/A |
| N/A | N/A | C:\Windows\System\wbBPqJb.exe | N/A |
| N/A | N/A | C:\Windows\System\qXGVnXp.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_f8249d9221810bc08f93520b6f12e641_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_f8249d9221810bc08f93520b6f12e641_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-27_f8249d9221810bc08f93520b6f12e641_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_f8249d9221810bc08f93520b6f12e641_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\sBaQzpi.exe
C:\Windows\System\AgNlSaI.exe
C:\Windows\System\DLSsyJC.exe
C:\Windows\System\DiryDKe.exe
C:\Windows\System\OhbSXvr.exe
C:\Windows\System\OwjZeWV.exe
C:\Windows\System\oWmkqxl.exe
C:\Windows\System\PicIKia.exe
C:\Windows\System\WHOdsGu.exe
C:\Windows\System\BQbLSkV.exe
C:\Windows\System\SkBNcea.exe
C:\Windows\System\YJTAstQ.exe
C:\Windows\System\igyUQIx.exe
C:\Windows\System\gGSNqYb.exe
C:\Windows\System\KnfipJF.exe
C:\Windows\System\PGytGqd.exe
C:\Windows\System\QabYzHJ.exe
C:\Windows\System\wbBPqJb.exe
C:\Windows\System\cEQOlMK.exe
C:\Windows\System\qXGVnXp.exe
C:\Windows\System\EdYCRWe.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 18:18
Reported
2024-05-27 18:21
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ByqOvRL.exe | N/A |
| N/A | N/A | C:\Windows\System\ChutYUb.exe | N/A |
| N/A | N/A | C:\Windows\System\wmDhpxU.exe | N/A |
| N/A | N/A | C:\Windows\System\upkmNpu.exe | N/A |
| N/A | N/A | C:\Windows\System\SaSDjjj.exe | N/A |
| N/A | N/A | C:\Windows\System\dhXpcTF.exe | N/A |
| N/A | N/A | C:\Windows\System\KNdgSKE.exe | N/A |
| N/A | N/A | C:\Windows\System\TMkDBwu.exe | N/A |
| N/A | N/A | C:\Windows\System\UEpWsYA.exe | N/A |
| N/A | N/A | C:\Windows\System\tATllwE.exe | N/A |
| N/A | N/A | C:\Windows\System\hbtbxzL.exe | N/A |
| N/A | N/A | C:\Windows\System\PkHPskY.exe | N/A |
| N/A | N/A | C:\Windows\System\BFCDgYP.exe | N/A |
| N/A | N/A | C:\Windows\System\NerBQFb.exe | N/A |
| N/A | N/A | C:\Windows\System\HPeTqts.exe | N/A |
| N/A | N/A | C:\Windows\System\zhHGkkd.exe | N/A |
| N/A | N/A | C:\Windows\System\OcAhNTz.exe | N/A |
| N/A | N/A | C:\Windows\System\wQhWWfB.exe | N/A |
| N/A | N/A | C:\Windows\System\rtRARQR.exe | N/A |
| N/A | N/A | C:\Windows\System\kkEHUME.exe | N/A |
| N/A | N/A | C:\Windows\System\nKvLgvl.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_f8249d9221810bc08f93520b6f12e641_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_f8249d9221810bc08f93520b6f12e641_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-27_f8249d9221810bc08f93520b6f12e641_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_f8249d9221810bc08f93520b6f12e641_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ByqOvRL.exe
C:\Windows\System\ChutYUb.exe
C:\Windows\System\wmDhpxU.exe
C:\Windows\System\upkmNpu.exe
C:\Windows\System\SaSDjjj.exe
C:\Windows\System\dhXpcTF.exe
C:\Windows\System\KNdgSKE.exe
C:\Windows\System\TMkDBwu.exe
C:\Windows\System\UEpWsYA.exe
C:\Windows\System\tATllwE.exe
C:\Windows\System\hbtbxzL.exe
C:\Windows\System\PkHPskY.exe
C:\Windows\System\BFCDgYP.exe
C:\Windows\System\NerBQFb.exe
C:\Windows\System\HPeTqts.exe
C:\Windows\System\zhHGkkd.exe
C:\Windows\System\OcAhNTz.exe
C:\Windows\System\wQhWWfB.exe
C:\Windows\System\rtRARQR.exe
C:\Windows\System\kkEHUME.exe
C:\Windows\System\nKvLgvl.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| SHA512 | 6f072ae5e81cb8f2ac6ba92fc3475435a9436b046a285cbc900da6d869ae7cf8b3642d901161ed9b9ca2168e100286115a77ca85b698ac42411121c10093b7e8 |
C:\Windows\System\tATllwE.exe
| MD5 | cb33dc596762663d15782bf83efab3eb |
| SHA1 | 949a7b29d8b921659535864b5511789552d50376 |
| SHA256 | 1b1766d52a338050022106d4d03d9ef158d6c2bf8b40c0d53f7151094af1eed4 |
| SHA512 | a6fbb5b2ffcf48f87840f1f7dcd556033e9a0228f38d8ba2f3e14fd89eeaacf691410aa67a5c667ad6d3f779c756bbe6359600f0166bdbfc717410437ab35849 |
memory/1244-64-0x00007FF6CDA20000-0x00007FF6CDD74000-memory.dmp
C:\Windows\System\PkHPskY.exe
| MD5 | d83d087a43a54ccec527f31fd356db3b |
| SHA1 | e73365e12698be7a8ff74a7b3b95568be143e9ce |
| SHA256 | 46b2907f35b44db19415b76e53777fd332e8cfa0b33f30108f437d0b7972b14e |
| SHA512 | 4196af258d7836094a46a92d0bca40ed1143a3d4a68c497a4426ae017e0924473d2aff749ddf271b251db4970bcb1f29be519b25fc12c292654daa80a3072854 |
C:\Windows\System\zhHGkkd.exe
| MD5 | a18d7454071f20fdf2f49bca0bd2d0ac |
| SHA1 | 1aea43c061d1240819e2fe6393ac3cb7fb3f12bd |
| SHA256 | c4b1199b62db089f8e7d9ef776b94bf67937b8a2f21e172a98a78f744e7668db |
| SHA512 | 6595c2bde5c8656fa313758f9f30a4987622fe74b9a130d6caadee3d656db9ad3868deb9d668f08a7d2661854b9773d9c78e29f134fffe3bd50dae8a051e8564 |
C:\Windows\System\rtRARQR.exe
| MD5 | a1424af75532cd49370fcd57bc131060 |
| SHA1 | 681a4c4d9560bfd7316ca1ec4f89ff83cda5e097 |
| SHA256 | 9a6ba616d0a1000e2918ff7fa2803ec4024cf4285cd56e03aa1f1eab6cf8bd4e |
| SHA512 | f4d0a5be1f3ad2bd9e2719e33c6e765b0bc3b3c75344d684193c22dfc2eae49b38745d45b89490476b1a2d03359cc14caccb748c1b467cf943d35c026db28cd0 |
C:\Windows\System\nKvLgvl.exe
| MD5 | 855dd2624df237476d3c8b372bd61024 |
| SHA1 | cdab7db806245886c9ea3504f21407f07aaeefb7 |
| SHA256 | a95efa2d7e6cf4781cef8a2c70359b7117f1c8e22a8a3af149327c6f26aa3c93 |
| SHA512 | dfc3d11fff6f8ccc20f84cb510c74e3be4c9fbc70d1d88692c3afbfd39e1de1831c6bfe09ba6d025075cfe6c612adfe8feb6193961508c5a04d9f8f5a5afe100 |
C:\Windows\System\kkEHUME.exe
| MD5 | 1f1fefaaecb63f7d5e3baf72262c37b7 |
| SHA1 | 9460bbd8bd83264d54954fcac543bdb7fcbb59ae |
| SHA256 | 813e8779552a1671186bd9d781977c355ac178c9d3ccd9c2862160d6357b8a2f |
| SHA512 | 4a8b2b9aab9e74fa71a533ffc904400f1ac010ea2b204f84218383cddff26d769ec3a705b8b4fd9f28a48d6331602b5e2185a85839a9f88f9e1dc1beabf82868 |
C:\Windows\System\wQhWWfB.exe
| MD5 | 380bcbd6f9cc4b685aaa6fc75e8aa439 |
| SHA1 | 3b30cf15a829968c785cc64a73101cbdd0f00afe |
| SHA256 | 54d546c7861eaab8b9c038ff6fb2d4b61f16439975633ccb198219cf113532a2 |
| SHA512 | 89e594d0f78d563a07648b997eafe120218af54fe11f0acce403bddea488bd0e35a09c3ac6abf84ff83052f070fca1afee226cdae346767bd6f9ad0d0d03a40f |
C:\Windows\System\OcAhNTz.exe
| MD5 | 8a5e98c2b59b9c11a38c22a92c86009f |
| SHA1 | 0f6ca85d2890f9f825e54c29c572012adfd9c988 |
| SHA256 | 4edc3b806103a1731c27b355c4c52f7e574fb358646051abac0be37f0423d692 |
| SHA512 | 440c34a7d5a439125bc4ce69cf499879c3c66418210475832888c7326b7f7ddfbc5fc8eaaf2146b0b44fe65760aaa7cc2b960d29c3a444ede6240b649f0dc5ed |
C:\Windows\System\HPeTqts.exe
| MD5 | 8d5ae50e9714a0756ba5cd37dfc78eb9 |
| SHA1 | 2c23c40b3e9d46ab6a56dc29f6f601cdab0269ba |
| SHA256 | 6967d653c36250a5fc94490a7b3ad758bc13e3e111a20455234b65b830ee4e50 |
| SHA512 | ea66ae12825f469cb0a28826e37147834868e08bf27f4a3bde91c9b854622700915b86ac6d1d363cb30d8eba8078a59299e5dce215668ee85496079ec1843900 |
C:\Windows\System\NerBQFb.exe
| MD5 | f8220547eebb9b5d69486cdb11f6cfc8 |
| SHA1 | 4eb423b274af21ce31e6154c718b9ecaa4735ccc |
| SHA256 | fb7f4e0b6d992d289c7d62d68a91f354cdb809ab8f6d4c2f7f30cf3bc792d99a |
| SHA512 | 954fcd0408dd3f030a5bc3e743e8cb91a6c9713697679aa46e713371edba05e9014ad80e2445e4c48585030a0253407ab2309d541c8f295b52da1368f9c60f7a |
C:\Windows\System\BFCDgYP.exe
| MD5 | 4485b72c622b076edaad0bb9a1508b34 |
| SHA1 | e2222d854e8d04ceb32da107bfa6bfc67abd8f1f |
| SHA256 | 2805e0cd82a4768e4941ea5149030b43ac49a976bcdccf1ba50fb8a5b03d18fb |
| SHA512 | c13ca06f4f7dcca28eed14bd48da2f7209d3aed0dfd628ddc5fb3b52c87a230ada18fc1181002d9b3ea83b6e1a30a8505e48f1a3760dd5e0968685d63ace0438 |
memory/3672-75-0x00007FF666C00000-0x00007FF666F54000-memory.dmp
memory/2068-72-0x00007FF689760000-0x00007FF689AB4000-memory.dmp
memory/3500-69-0x00007FF6F1490000-0x00007FF6F17E4000-memory.dmp
C:\Windows\System\hbtbxzL.exe
| MD5 | 6d05ed8cb018847f088141e825ca4179 |
| SHA1 | d1f3eb46fc3bdb2f23dfffdcd9844ae994c50ca2 |
| SHA256 | d1c2fcd705c0e11c918162650f0b45fa46f9b371c64dbea2eb5344ab3c163945 |
| SHA512 | 091d850185226062bac49cd9d3493175878707df6618879d4dffe3b9d1d6f35470665dcbfcecb9c43536fe975032067125b2b7fda8a4982ec6bd3e83f10c6bd5 |
memory/2320-65-0x00007FF6001C0000-0x00007FF600514000-memory.dmp
C:\Windows\System\TMkDBwu.exe
| MD5 | 0e439d2ca459457680584782e1223f2b |
| SHA1 | 495b56c602e3aa7e2b32adcfad7ad387dc53b291 |
| SHA256 | 65b1d1d44f85995f1876ae5d029619dce83fc29445fd9b4363b9f04cf33c8282 |
| SHA512 | 232f085181fa7e741f0c59f6743fbda0c4efda4dc5e1e8ee0e54e00e2daff5ddb07043f5809e9b2b59bff8499b45d4a9a4abc4ee42990158519907a36a2a1a56 |
memory/2788-46-0x00007FF7FC9F0000-0x00007FF7FCD44000-memory.dmp
memory/3296-120-0x00007FF7CE7D0000-0x00007FF7CEB24000-memory.dmp
memory/1060-121-0x00007FF63D330000-0x00007FF63D684000-memory.dmp
memory/1628-122-0x00007FF713B70000-0x00007FF713EC4000-memory.dmp
memory/2136-125-0x00007FF7EAD30000-0x00007FF7EB084000-memory.dmp
memory/3532-124-0x00007FF6535E0000-0x00007FF653934000-memory.dmp
memory/1204-126-0x00007FF72FFD0000-0x00007FF730324000-memory.dmp
memory/3088-127-0x00007FF7F14E0000-0x00007FF7F1834000-memory.dmp
memory/3804-123-0x00007FF7FB5C0000-0x00007FF7FB914000-memory.dmp
memory/4860-128-0x00007FF7B3570000-0x00007FF7B38C4000-memory.dmp
memory/1008-129-0x00007FF701860000-0x00007FF701BB4000-memory.dmp
memory/4040-130-0x00007FF706330000-0x00007FF706684000-memory.dmp
memory/2128-131-0x00007FF61FC00000-0x00007FF61FF54000-memory.dmp
memory/3672-132-0x00007FF666C00000-0x00007FF666F54000-memory.dmp
memory/232-133-0x00007FF6ADCC0000-0x00007FF6AE014000-memory.dmp
memory/916-134-0x00007FF6761B0000-0x00007FF676504000-memory.dmp
memory/3604-135-0x00007FF7C6960000-0x00007FF7C6CB4000-memory.dmp
memory/1008-136-0x00007FF701860000-0x00007FF701BB4000-memory.dmp
memory/1588-137-0x00007FF65FC20000-0x00007FF65FF74000-memory.dmp
memory/4040-138-0x00007FF706330000-0x00007FF706684000-memory.dmp
memory/2788-139-0x00007FF7FC9F0000-0x00007FF7FCD44000-memory.dmp
memory/2128-140-0x00007FF61FC00000-0x00007FF61FF54000-memory.dmp
memory/2320-142-0x00007FF6001C0000-0x00007FF600514000-memory.dmp
memory/1244-141-0x00007FF6CDA20000-0x00007FF6CDD74000-memory.dmp
memory/2068-143-0x00007FF689760000-0x00007FF689AB4000-memory.dmp
memory/3672-144-0x00007FF666C00000-0x00007FF666F54000-memory.dmp
memory/1060-145-0x00007FF63D330000-0x00007FF63D684000-memory.dmp
memory/3296-146-0x00007FF7CE7D0000-0x00007FF7CEB24000-memory.dmp
memory/3088-149-0x00007FF7F14E0000-0x00007FF7F1834000-memory.dmp
memory/3532-152-0x00007FF6535E0000-0x00007FF653934000-memory.dmp
memory/3804-153-0x00007FF7FB5C0000-0x00007FF7FB914000-memory.dmp
memory/2136-151-0x00007FF7EAD30000-0x00007FF7EB084000-memory.dmp
memory/1204-150-0x00007FF72FFD0000-0x00007FF730324000-memory.dmp
memory/4860-148-0x00007FF7B3570000-0x00007FF7B38C4000-memory.dmp
memory/1628-147-0x00007FF713B70000-0x00007FF713EC4000-memory.dmp