Analysis Overview
SHA256
1417b103cca2ab8faca64d0c08e2c67f1bc3e09146fd029dc1d3c835442774f6
Threat Level: Known bad
The file 2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
xmrig
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Xmrig family
Cobaltstrike
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-05-30 04:14
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 04:14
Reported
2024-05-30 04:17
Platform
win7-20240221-en
Max time kernel
137s
Max time network
147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\bBJPwnH.exe | N/A |
| N/A | N/A | C:\Windows\System\EzHGzAC.exe | N/A |
| N/A | N/A | C:\Windows\System\xQAyZnR.exe | N/A |
| N/A | N/A | C:\Windows\System\eSQyTOq.exe | N/A |
| N/A | N/A | C:\Windows\System\hBzFtBI.exe | N/A |
| N/A | N/A | C:\Windows\System\xIwiSgp.exe | N/A |
| N/A | N/A | C:\Windows\System\LzKXzyn.exe | N/A |
| N/A | N/A | C:\Windows\System\WBxMRAJ.exe | N/A |
| N/A | N/A | C:\Windows\System\wPRzUbI.exe | N/A |
| N/A | N/A | C:\Windows\System\MiNPZhJ.exe | N/A |
| N/A | N/A | C:\Windows\System\BvStomb.exe | N/A |
| N/A | N/A | C:\Windows\System\pAAxbJz.exe | N/A |
| N/A | N/A | C:\Windows\System\wTOKYaj.exe | N/A |
| N/A | N/A | C:\Windows\System\fblFQJH.exe | N/A |
| N/A | N/A | C:\Windows\System\xKjYzfD.exe | N/A |
| N/A | N/A | C:\Windows\System\HHtLcGh.exe | N/A |
| N/A | N/A | C:\Windows\System\GrkmSet.exe | N/A |
| N/A | N/A | C:\Windows\System\TYnqgMJ.exe | N/A |
| N/A | N/A | C:\Windows\System\TjyNNgE.exe | N/A |
| N/A | N/A | C:\Windows\System\wIixmwn.exe | N/A |
| N/A | N/A | C:\Windows\System\eAeidMJ.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\bBJPwnH.exe | C:\Windows\System\bBJPwnH.exe |
| C:\Windows\System\EzHGzAC.exe | C:\Windows\System\EzHGzAC.exe |
| C:\Windows\System\xQAyZnR.exe | C:\Windows\System\xQAyZnR.exe |
| C:\Windows\System\eSQyTOq.exe | C:\Windows\System\eSQyTOq.exe |
| C:\Windows\System\hBzFtBI.exe | C:\Windows\System\hBzFtBI.exe |
| C:\Windows\System\xIwiSgp.exe | C:\Windows\System\xIwiSgp.exe |
| C:\Windows\System\LzKXzyn.exe | C:\Windows\System\LzKXzyn.exe |
| C:\Windows\System\WBxMRAJ.exe | C:\Windows\System\WBxMRAJ.exe |
| C:\Windows\System\wPRzUbI.exe | C:\Windows\System\wPRzUbI.exe |
| C:\Windows\System\MiNPZhJ.exe | C:\Windows\System\MiNPZhJ.exe |
| C:\Windows\System\BvStomb.exe | C:\Windows\System\BvStomb.exe |
| C:\Windows\System\pAAxbJz.exe | C:\Windows\System\pAAxbJz.exe |
| C:\Windows\System\wTOKYaj.exe | C:\Windows\System\wTOKYaj.exe |
| C:\Windows\System\fblFQJH.exe | C:\Windows\System\fblFQJH.exe |
| C:\Windows\System\GrkmSet.exe | C:\Windows\System\GrkmSet.exe |
| C:\Windows\System\xKjYzfD.exe | C:\Windows\System\xKjYzfD.exe |
| C:\Windows\System\TYnqgMJ.exe | C:\Windows\System\TYnqgMJ.exe |
| C:\Windows\System\HHtLcGh.exe | C:\Windows\System\HHtLcGh.exe |
| C:\Windows\System\TjyNNgE.exe | C:\Windows\System\TjyNNgE.exe |
| C:\Windows\System\wIixmwn.exe | C:\Windows\System\wIixmwn.exe |
| C:\Windows\System\eAeidMJ.exe | C:\Windows\System\eAeidMJ.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 04:14
Reported
2024-05-30 04:17
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
152s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\vwqLojG.exe | N/A |
| N/A | N/A | C:\Windows\System\HJVVNno.exe | N/A |
| N/A | N/A | C:\Windows\System\iKgcIGs.exe | N/A |
| N/A | N/A | C:\Windows\System\DZCShYX.exe | N/A |
| N/A | N/A | C:\Windows\System\hXZaJXs.exe | N/A |
| N/A | N/A | C:\Windows\System\TlXNORK.exe | N/A |
| N/A | N/A | C:\Windows\System\SolQDZa.exe | N/A |
| N/A | N/A | C:\Windows\System\mIVwIux.exe | N/A |
| N/A | N/A | C:\Windows\System\AJjuOvE.exe | N/A |
| N/A | N/A | C:\Windows\System\DCwfUGa.exe | N/A |
| N/A | N/A | C:\Windows\System\meCOWkx.exe | N/A |
| N/A | N/A | C:\Windows\System\gtbkbrP.exe | N/A |
| N/A | N/A | C:\Windows\System\bRXdEPS.exe | N/A |
| N/A | N/A | C:\Windows\System\lXSiJgN.exe | N/A |
| N/A | N/A | C:\Windows\System\kEpHNxc.exe | N/A |
| N/A | N/A | C:\Windows\System\HVCEGbE.exe | N/A |
| N/A | N/A | C:\Windows\System\PkmQPrw.exe | N/A |
| N/A | N/A | C:\Windows\System\ztFahrf.exe | N/A |
| N/A | N/A | C:\Windows\System\yNrdYoT.exe | N/A |
| N/A | N/A | C:\Windows\System\aidUBbI.exe | N/A |
| N/A | N/A | C:\Windows\System\uORAISW.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\vwqLojG.exe | C:\Windows\System\vwqLojG.exe |
| C:\Windows\System\HJVVNno.exe | C:\Windows\System\HJVVNno.exe |
| C:\Windows\System\iKgcIGs.exe | C:\Windows\System\iKgcIGs.exe |
| C:\Windows\System\DZCShYX.exe | C:\Windows\System\DZCShYX.exe |
| C:\Windows\System\hXZaJXs.exe | C:\Windows\System\hXZaJXs.exe |
| C:\Windows\System\TlXNORK.exe | C:\Windows\System\TlXNORK.exe |
| C:\Windows\System\SolQDZa.exe | C:\Windows\System\SolQDZa.exe |
| C:\Windows\System\mIVwIux.exe | C:\Windows\System\mIVwIux.exe |
| C:\Windows\System\AJjuOvE.exe | C:\Windows\System\AJjuOvE.exe |
| C:\Windows\System\DCwfUGa.exe | C:\Windows\System\DCwfUGa.exe |
| C:\Windows\System\meCOWkx.exe | C:\Windows\System\meCOWkx.exe |
| C:\Windows\System\gtbkbrP.exe | C:\Windows\System\gtbkbrP.exe |
| C:\Windows\System\bRXdEPS.exe | C:\Windows\System\bRXdEPS.exe |
| C:\Windows\System\lXSiJgN.exe | C:\Windows\System\lXSiJgN.exe |
| C:\Windows\System\kEpHNxc.exe | C:\Windows\System\kEpHNxc.exe |
| C:\Windows\System\HVCEGbE.exe | C:\Windows\System\HVCEGbE.exe |
| C:\Windows\System\PkmQPrw.exe | C:\Windows\System\PkmQPrw.exe |
| C:\Windows\System\ztFahrf.exe | C:\Windows\System\ztFahrf.exe |
| C:\Windows\System\yNrdYoT.exe | C:\Windows\System\yNrdYoT.exe |
| C:\Windows\System\aidUBbI.exe | C:\Windows\System\aidUBbI.exe |
| C:\Windows\System\uORAISW.exe | C:\Windows\System\uORAISW.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
Files