Analysis Overview
SHA256
d48bb218ec8749cdffada855ef9f6a973c451485da0385bce12317ef9fc79ca9
Threat Level: Known bad
The file 2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Xmrig family
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobaltstrike family
Cobaltstrike
xmrig
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 02:12
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 02:12
Reported
2024-06-01 02:14
Platform
win7-20240220-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\KWBODKl.exe | N/A |
| N/A | N/A | C:\Windows\System\yeVozfe.exe | N/A |
| N/A | N/A | C:\Windows\System\PUjLxlm.exe | N/A |
| N/A | N/A | C:\Windows\System\IHQsJgc.exe | N/A |
| N/A | N/A | C:\Windows\System\ULQKosb.exe | N/A |
| N/A | N/A | C:\Windows\System\OigWIyB.exe | N/A |
| N/A | N/A | C:\Windows\System\KziynoP.exe | N/A |
| N/A | N/A | C:\Windows\System\ojTwSQW.exe | N/A |
| N/A | N/A | C:\Windows\System\yRSJbka.exe | N/A |
| N/A | N/A | C:\Windows\System\scLJBKw.exe | N/A |
| N/A | N/A | C:\Windows\System\YTzUtQV.exe | N/A |
| N/A | N/A | C:\Windows\System\MEcxGin.exe | N/A |
| N/A | N/A | C:\Windows\System\NlulgTj.exe | N/A |
| N/A | N/A | C:\Windows\System\sUtOlVE.exe | N/A |
| N/A | N/A | C:\Windows\System\UmtRphF.exe | N/A |
| N/A | N/A | C:\Windows\System\bBspvQu.exe | N/A |
| N/A | N/A | C:\Windows\System\UoioNTL.exe | N/A |
| N/A | N/A | C:\Windows\System\FymBsDe.exe | N/A |
| N/A | N/A | C:\Windows\System\ROpSQra.exe | N/A |
| N/A | N/A | C:\Windows\System\jfdTVhG.exe | N/A |
| N/A | N/A | C:\Windows\System\HLsPFqh.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\KWBODKl.exe
C:\Windows\System\KWBODKl.exe
C:\Windows\System\yeVozfe.exe
C:\Windows\System\yeVozfe.exe
C:\Windows\System\PUjLxlm.exe
C:\Windows\System\PUjLxlm.exe
C:\Windows\System\IHQsJgc.exe
C:\Windows\System\IHQsJgc.exe
C:\Windows\System\ULQKosb.exe
C:\Windows\System\ULQKosb.exe
C:\Windows\System\OigWIyB.exe
C:\Windows\System\OigWIyB.exe
C:\Windows\System\KziynoP.exe
C:\Windows\System\KziynoP.exe
C:\Windows\System\ojTwSQW.exe
C:\Windows\System\ojTwSQW.exe
C:\Windows\System\yRSJbka.exe
C:\Windows\System\yRSJbka.exe
C:\Windows\System\scLJBKw.exe
C:\Windows\System\scLJBKw.exe
C:\Windows\System\YTzUtQV.exe
C:\Windows\System\YTzUtQV.exe
C:\Windows\System\MEcxGin.exe
C:\Windows\System\MEcxGin.exe
C:\Windows\System\NlulgTj.exe
C:\Windows\System\NlulgTj.exe
C:\Windows\System\sUtOlVE.exe
C:\Windows\System\sUtOlVE.exe
C:\Windows\System\UmtRphF.exe
C:\Windows\System\UmtRphF.exe
C:\Windows\System\bBspvQu.exe
C:\Windows\System\bBspvQu.exe
C:\Windows\System\UoioNTL.exe
C:\Windows\System\UoioNTL.exe
C:\Windows\System\FymBsDe.exe
C:\Windows\System\FymBsDe.exe
C:\Windows\System\ROpSQra.exe
C:\Windows\System\ROpSQra.exe
C:\Windows\System\jfdTVhG.exe
C:\Windows\System\jfdTVhG.exe
C:\Windows\System\HLsPFqh.exe
C:\Windows\System\HLsPFqh.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1028-0-0x000000013F220000-0x000000013F574000-memory.dmp
memory/1028-1-0x0000000000100000-0x0000000000110000-memory.dmp
\Windows\system\KWBODKl.exe
| MD5 | 3c9de06f8a149b7f77eb94fed8938e6c |
| SHA1 | 6591a73b8d05e6978edfc4ac76960b80440a1afd |
| SHA256 | 63024aa787716f0f47be3dbd0231d0b5ee7a4f49fc18835bd497c65d2043d3f5 |
| SHA512 | 0e000760d30bf3ab452dd26c2b0a3aabf4c37e0581720f97e4c510cc2a3c5263bc5e996013c7a177c4c5d5cf93e266b2ea84dfb085b107a19d7dcdb472981aef |
\Windows\system\PUjLxlm.exe
| MD5 | d3f900325ec34f4390d3722e27b96754 |
| SHA1 | 8e07443588fbf61c37ceaf770a24cb6fb7d5b7ea |
| SHA256 | e5d803830a86855adf94f098eeb175905e01267eb403adc8222e5aff5cce0a7b |
| SHA512 | 4b99030c6ca27c27bd622838204f4c2858edc62046ef44b15d06584f0bbeaf1baf0956e31b81f98f56ac59eba52375fe94e7a01e9b774501aacb57c3e851f218 |
memory/2524-28-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2648-29-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/1028-27-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/1028-26-0x000000013FC00000-0x000000013FF54000-memory.dmp
C:\Windows\system\IHQsJgc.exe
| MD5 | 8099351dd5cac8355d7c9ae7e3d41dff |
| SHA1 | 586eb8e92badfd4c58230e95a4a4af4f458de596 |
| SHA256 | 5c30559c6551576539afc984b22a24bebcd0c55f71b6b2d07f9116e4c4fd6ea6 |
| SHA512 | 03df95f83477f6ea34e7df600e2047a9c871834b6e4520d0203d65af031d6f8d3621add524834514460c3ddaeb88a374bea3ca2200bd08c0d92ceba28cf7ef02 |
memory/1028-21-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/1332-19-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/2916-13-0x000000013F070000-0x000000013F3C4000-memory.dmp
C:\Windows\system\yeVozfe.exe
| MD5 | 2f2ba90f90026b4276ca5ee778513d52 |
| SHA1 | 93353fe2a9efb19a2b1ff676b9596927d7fcb197 |
| SHA256 | cb8e33671a93ac276b5a26a510c30fcbd19cb11fdcfd0fa85bd26bda7732eaf8 |
| SHA512 | 06267a8a2909062fa2dac9927d18ac6ab066cdac0ce24771bf34b547867293de281e29a4e653054f5d5c755ce7cdae199d98320538b7eb0458c0e75829d36bf7 |
\Windows\system\ULQKosb.exe
| MD5 | 76806b7bf642b36a5a6fa144b0d8cf9a |
| SHA1 | ad1d324d666d47663dcbeecb511b0ec7b6084773 |
| SHA256 | 5021b4bd7dcff0f4247794ab608e9abcaf8ad254965f802c769ea6cb5263f5da |
| SHA512 | 992f7c67c538b1a0b5a7a9f1c01208dead1957ea5075be51b4744a860ae8dd21612d68613c1691cc819a56d0890f238f09f59d2d53a9592a9c7e2ab7f9f1b9cd |
memory/2808-36-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/1028-35-0x000000013F8D0000-0x000000013FC24000-memory.dmp
C:\Windows\system\OigWIyB.exe
| MD5 | f210c93e358f6758c3c2ed93db65ac58 |
| SHA1 | 3cb0071ca69a64ebb424baf36915afdb5de44ca1 |
| SHA256 | bcefddbcda34704b5361e7363ff4f9447b614303f3196d14d6a515ed9969b82d |
| SHA512 | 9c500f4912669b65405d6fda737f144a89741edfd8d9cf339311f227b362652b000d15f9b7cc6559a84ad6195ba89b1c0c627b87d136ca00d72b9c13f6aaab31 |
\Windows\system\KziynoP.exe
| MD5 | 1ba934b36bf991f0e6acc55cc826dfae |
| SHA1 | 2963fabe74316feb14d539effbd63fcea65aa63a |
| SHA256 | cc57de283b82deabb635694fa47fec1ea35dc08d65965861571f671d56240b48 |
| SHA512 | 02674fecdf6ccd09498a632f9f0271c9c45c248e0464bfff5e026777b54129159fe7bd72c742636b6488c12c446367d2fd90ce0b169342cbcba2f3eb596c2b46 |
memory/1028-43-0x0000000002480000-0x00000000027D4000-memory.dmp
C:\Windows\system\ojTwSQW.exe
| MD5 | 939d62afb05eb1746bb2499dc5caa6b8 |
| SHA1 | 516369df39e5288abd000837246005aeb4110322 |
| SHA256 | 478fd249b13d86f556641521b72442bae18d6db169bb794339dac7e3f6c7b95c |
| SHA512 | e6dac55531d6e2a28dd5be90cb8eb5ea9ee7bceb8ce4a2c7809831d5070de1f36ed6ec47dbdc002cbf4db6922e8f2b2b5232cf5f85c37f42f5bc7aa55a911ddd |
memory/1028-53-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2388-57-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/1028-56-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2664-55-0x000000013FD70000-0x00000001400C4000-memory.dmp
C:\Windows\system\yRSJbka.exe
| MD5 | f31ed82f49c2a7b32486137049ba2dfb |
| SHA1 | cdcdc10e92de25c00a4158e76950fa377060e157 |
| SHA256 | 31856a8a3dcbbe885665d633a716321728913555199b47e9ab150d11c3b7dc67 |
| SHA512 | 2445259ea7b1e98a14d436ca3a037f9ff3149d0c5af88cd8bb723da66334c8f5bcafead8ec7c66221aaf9ef00b250b97387ea9c48252ac67315b4d162d56ce90 |
memory/2916-63-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/1028-62-0x000000013F220000-0x000000013F574000-memory.dmp
\Windows\system\scLJBKw.exe
| MD5 | 12dc43dbda4d2c57cd7a57227cf2a5e5 |
| SHA1 | ddfcb4d31e3b497eeb7e4cd8891266fb50dd84f7 |
| SHA256 | aa6077dae07d3a342f27703d31c7b59f89cc06051c85e8d3e9b03c30d65f717e |
| SHA512 | bdcdd5206bf6638d747d5fb6ec028dca2c4ab28a39c0dac2881cd4d8a3cedadd123d880f56e019178b68b9c91f755e58f2666494724a3982d04bd491dce336d1 |
\Windows\system\MEcxGin.exe
| MD5 | 7223200ee6876ef35d70ec397de99287 |
| SHA1 | 528cf74cc2b1ab69c95f3ed25e45671884322547 |
| SHA256 | 94610af7583be46aaf6ccedc7b96331680946c6a9ccb9f818e06479c5564bacb |
| SHA512 | 7e5490d3bd24ebe411eb4426c43ec132e1daf08e7fd46b9da2f5d6c52f4070b1aa25bfc9e8c7e03c4a5b9c388d20c49cbeb3932b28396cbfa1f98227be224d11 |
C:\Windows\system\UoioNTL.exe
| MD5 | 21f25762dcf3deaac990dd6cd6c5f850 |
| SHA1 | 97385155b820b0a14f830292e82c38e86a6b1928 |
| SHA256 | 7459537c669ba645ebcbdbd91291da3a8be57d048b726a4e77c3075d3ee17af6 |
| SHA512 | b137b578fc8aef2009154e598bd62a8b10a1e4ad729cb4f252c12deb7e10d3d126bbde17f62fc0891e7c7d59173e6c5b3e320543386c18f50542f1bdc3f3b542 |
C:\Windows\system\jfdTVhG.exe
| MD5 | 741cf5fe853b1c8b6a1e55d00afc9871 |
| SHA1 | a9504171bad37ac8a30a0f585d1379d4a0308e5d |
| SHA256 | 2337316d664f8b179c3cce545d06a530f94b2014951964302e7ab6fb05f7c9bc |
| SHA512 | 3655f66061bad2903bad2d91fd61d55ed7f20d86167d1deee6ec7b36b31a4d2c928a4f0cd06d32705250279ff52c56fb2cedc4b52b6116f63912a5d05fd5e09b |
\Windows\system\HLsPFqh.exe
| MD5 | 32b15dd93146f838fbbdae860dd2998d |
| SHA1 | b7011e11f682f41f0eee3a0426477accdf2d9c0a |
| SHA256 | 069cc3959f5594286571bb9600c56b68a28c88000250b92e4ed6056289b53db5 |
| SHA512 | a6b98dfb070c445915e0931a06e9f88cb4822b933ccc7cd4f4ea588b8c06acb450ba84b351d590e31d3972434182cbe66e78acfb50b99098d4cb231ab650e682 |
C:\Windows\system\ROpSQra.exe
| MD5 | 3a959f8f3ebe1c92e8e66b8ab5f894da |
| SHA1 | 69d4438c2b5ed03c3ee659b54151e100c44fb270 |
| SHA256 | 64d29ed88ac0a7122a93fad908b8bbbe237c50e5846beb54f261752a63064190 |
| SHA512 | b1f4733ff9e30f3796879a9e9907f0cf51ab8d63f7862802e12e8adff6f05fe899eb55641d2c24aab5bfc204dae0c9e4e0f3a2ea04bf2727177151df7fc3f2af |
C:\Windows\system\FymBsDe.exe
| MD5 | 54c99e9ef769fc023fbb68dbce1e7d79 |
| SHA1 | 9ee5e2e7f66da6492e59573c2ac133cc7ea7b4ac |
| SHA256 | 32836c6486f77f1bcd61116cbd90b39c3fca0a63e5be15551e95a9d17d911fa8 |
| SHA512 | 0b113a8dc64828e045832745844d2487fdcea057846f66724c26ac5c990c5cf2a0e3c0feca8da2ec05b0b7d84aa2c44e2be9bc32c5561f7716a3110510a13d81 |
C:\Windows\system\bBspvQu.exe
| MD5 | 7f379015f637e0f0525ebadef6521070 |
| SHA1 | e4144c12567f58968cc19a5d528382ff3b273ac7 |
| SHA256 | b7964a51c7b09bba9e6cbbc72602d9ee1ef6cdf4636eaf94e5f6795d59ec1046 |
| SHA512 | 8c13df5643725f8c6280c40c4b6173d1c67eb1fef79199412623e4ab766b489234ac2854f08f259a5932966e1404aee4af181ad3548f8071ffa5acf65d4a65cf |
C:\Windows\system\UmtRphF.exe
| MD5 | 646a69ecd3569ae7f19e0d7f7dad40b9 |
| SHA1 | e32c70c607078d338a11eb0ea75fd07cb8384579 |
| SHA256 | 8fa0c6116c654136536bb5192284852b9e0c18d79bdff37d721d614cb5c2b809 |
| SHA512 | 860c63d8e6db3b8b0d4303727cd6c994e235a4083f0a7f286db33100dc1fda83822381c9fc3962945f520c491991dc803352ef9eb7a8e56c4f005f4985073395 |
C:\Windows\system\sUtOlVE.exe
| MD5 | 774688d300dae941e48f3791f81b8976 |
| SHA1 | 9f1b70fbbf8d342f4258dcb45753a57ab44017b0 |
| SHA256 | ff5be47cc2bfb5bca9e571cfcfe7eaf299fce4c0c6249bfcb90c820d3990e4fe |
| SHA512 | f674c266e2fc7b6768ee0a5202feb390b9e4a4b7941e80823d3f253413f97b3baf8f7d051321df9a03efc273e9ab5e84296d894af9199be3703a748347adae86 |
C:\Windows\system\NlulgTj.exe
| MD5 | b53760842f8c6190c625cda19f98afb4 |
| SHA1 | a578352008fa8faeda9bba62634d8711de040cd8 |
| SHA256 | 76b984df2aabd47c33c806f80ea350907a495f3a23662d726e916883576ef60b |
| SHA512 | 87808ccf4729e48c9ad4c7441b32493bc7f483f9af5183072923d36927903205186c24e648af9fa4fdb52dd6e101a87da0995198670e2b1ea16fe1d24824c888 |
C:\Windows\system\YTzUtQV.exe
| MD5 | e88f292affc76333228401893c519ed3 |
| SHA1 | 6c9c9a458afb21dd17a5acfc392dbfdd56a29086 |
| SHA256 | 1d8925de89573d57511a627234f7fbe814c202f1da9cc130cf08b065e42776b2 |
| SHA512 | 9022b8196e48703d406d5ee1db5c00a5c2ebfa1831fe2bc0e64c018657e05f570d3c37716074fe328937caeaa199aed3d51fd55686fa2ca250deaa44727777dd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 02:12
Reported
2024-06-01 02:14
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\KWBODKl.exe | N/A |
| N/A | N/A | C:\Windows\System\yeVozfe.exe | N/A |
| N/A | N/A | C:\Windows\System\PUjLxlm.exe | N/A |
| N/A | N/A | C:\Windows\System\IHQsJgc.exe | N/A |
| N/A | N/A | C:\Windows\System\ULQKosb.exe | N/A |
| N/A | N/A | C:\Windows\System\OigWIyB.exe | N/A |
| N/A | N/A | C:\Windows\System\KziynoP.exe | N/A |
| N/A | N/A | C:\Windows\System\yRSJbka.exe | N/A |
| N/A | N/A | C:\Windows\System\ojTwSQW.exe | N/A |
| N/A | N/A | C:\Windows\System\scLJBKw.exe | N/A |
| N/A | N/A | C:\Windows\System\YTzUtQV.exe | N/A |
| N/A | N/A | C:\Windows\System\MEcxGin.exe | N/A |
| N/A | N/A | C:\Windows\System\NlulgTj.exe | N/A |
| N/A | N/A | C:\Windows\System\sUtOlVE.exe | N/A |
| N/A | N/A | C:\Windows\System\UmtRphF.exe | N/A |
| N/A | N/A | C:\Windows\System\bBspvQu.exe | N/A |
| N/A | N/A | C:\Windows\System\UoioNTL.exe | N/A |
| N/A | N/A | C:\Windows\System\FymBsDe.exe | N/A |
| N/A | N/A | C:\Windows\System\ROpSQra.exe | N/A |
| N/A | N/A | C:\Windows\System\HLsPFqh.exe | N/A |
| N/A | N/A | C:\Windows\System\jfdTVhG.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\KWBODKl.exe
C:\Windows\System\KWBODKl.exe
C:\Windows\System\yeVozfe.exe
C:\Windows\System\yeVozfe.exe
C:\Windows\System\PUjLxlm.exe
C:\Windows\System\PUjLxlm.exe
C:\Windows\System\IHQsJgc.exe
C:\Windows\System\IHQsJgc.exe
C:\Windows\System\ULQKosb.exe
C:\Windows\System\ULQKosb.exe
C:\Windows\System\OigWIyB.exe
C:\Windows\System\OigWIyB.exe
C:\Windows\System\KziynoP.exe
C:\Windows\System\KziynoP.exe
C:\Windows\System\ojTwSQW.exe
C:\Windows\System\ojTwSQW.exe
C:\Windows\System\yRSJbka.exe
C:\Windows\System\yRSJbka.exe
C:\Windows\System\scLJBKw.exe
C:\Windows\System\scLJBKw.exe
C:\Windows\System\YTzUtQV.exe
C:\Windows\System\YTzUtQV.exe
C:\Windows\System\MEcxGin.exe
C:\Windows\System\MEcxGin.exe
C:\Windows\System\NlulgTj.exe
C:\Windows\System\NlulgTj.exe
C:\Windows\System\sUtOlVE.exe
C:\Windows\System\sUtOlVE.exe
C:\Windows\System\UmtRphF.exe
C:\Windows\System\UmtRphF.exe
C:\Windows\System\bBspvQu.exe
C:\Windows\System\bBspvQu.exe
C:\Windows\System\UoioNTL.exe
C:\Windows\System\UoioNTL.exe
C:\Windows\System\FymBsDe.exe
C:\Windows\System\FymBsDe.exe
C:\Windows\System\ROpSQra.exe
C:\Windows\System\ROpSQra.exe
C:\Windows\System\jfdTVhG.exe
C:\Windows\System\jfdTVhG.exe
C:\Windows\System\HLsPFqh.exe
C:\Windows\System\HLsPFqh.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/5032-0-0x00007FF69A610000-0x00007FF69A964000-memory.dmp
memory/5032-1-0x000001FBD9C60000-0x000001FBD9C70000-memory.dmp
C:\Windows\System\KWBODKl.exe
| MD5 | 3c9de06f8a149b7f77eb94fed8938e6c |
| SHA1 | 6591a73b8d05e6978edfc4ac76960b80440a1afd |
| SHA256 | 63024aa787716f0f47be3dbd0231d0b5ee7a4f49fc18835bd497c65d2043d3f5 |
| SHA512 | 0e000760d30bf3ab452dd26c2b0a3aabf4c37e0581720f97e4c510cc2a3c5263bc5e996013c7a177c4c5d5cf93e266b2ea84dfb085b107a19d7dcdb472981aef |
C:\Windows\System\yeVozfe.exe
| MD5 | 2f2ba90f90026b4276ca5ee778513d52 |
| SHA1 | 93353fe2a9efb19a2b1ff676b9596927d7fcb197 |
| SHA256 | cb8e33671a93ac276b5a26a510c30fcbd19cb11fdcfd0fa85bd26bda7732eaf8 |
| SHA512 | 06267a8a2909062fa2dac9927d18ac6ab066cdac0ce24771bf34b547867293de281e29a4e653054f5d5c755ce7cdae199d98320538b7eb0458c0e75829d36bf7 |
memory/4920-8-0x00007FF795350000-0x00007FF7956A4000-memory.dmp
C:\Windows\System\PUjLxlm.exe
| MD5 | d3f900325ec34f4390d3722e27b96754 |
| SHA1 | 8e07443588fbf61c37ceaf770a24cb6fb7d5b7ea |
| SHA256 | e5d803830a86855adf94f098eeb175905e01267eb403adc8222e5aff5cce0a7b |
| SHA512 | 4b99030c6ca27c27bd622838204f4c2858edc62046ef44b15d06584f0bbeaf1baf0956e31b81f98f56ac59eba52375fe94e7a01e9b774501aacb57c3e851f218 |
C:\Windows\System\IHQsJgc.exe
| MD5 | 8099351dd5cac8355d7c9ae7e3d41dff |
| SHA1 | 586eb8e92badfd4c58230e95a4a4af4f458de596 |
| SHA256 | 5c30559c6551576539afc984b22a24bebcd0c55f71b6b2d07f9116e4c4fd6ea6 |
| SHA512 | 03df95f83477f6ea34e7df600e2047a9c871834b6e4520d0203d65af031d6f8d3621add524834514460c3ddaeb88a374bea3ca2200bd08c0d92ceba28cf7ef02 |
C:\Windows\System\ULQKosb.exe
| MD5 | 76806b7bf642b36a5a6fa144b0d8cf9a |
| SHA1 | ad1d324d666d47663dcbeecb511b0ec7b6084773 |
| SHA256 | 5021b4bd7dcff0f4247794ab608e9abcaf8ad254965f802c769ea6cb5263f5da |
| SHA512 | 992f7c67c538b1a0b5a7a9f1c01208dead1957ea5075be51b4744a860ae8dd21612d68613c1691cc819a56d0890f238f09f59d2d53a9592a9c7e2ab7f9f1b9cd |
C:\Windows\System\OigWIyB.exe
| MD5 | f210c93e358f6758c3c2ed93db65ac58 |
| SHA1 | 3cb0071ca69a64ebb424baf36915afdb5de44ca1 |
| SHA256 | bcefddbcda34704b5361e7363ff4f9447b614303f3196d14d6a515ed9969b82d |
| SHA512 | 9c500f4912669b65405d6fda737f144a89741edfd8d9cf339311f227b362652b000d15f9b7cc6559a84ad6195ba89b1c0c627b87d136ca00d72b9c13f6aaab31 |
memory/3460-33-0x00007FF622C90000-0x00007FF622FE4000-memory.dmp
memory/1728-32-0x00007FF73E680000-0x00007FF73E9D4000-memory.dmp
memory/3904-23-0x00007FF78C640000-0x00007FF78C994000-memory.dmp
memory/2820-35-0x00007FF74A6D0000-0x00007FF74AA24000-memory.dmp
memory/3312-41-0x00007FF69CEE0000-0x00007FF69D234000-memory.dmp
C:\Windows\System\KziynoP.exe
| MD5 | 1ba934b36bf991f0e6acc55cc826dfae |
| SHA1 | 2963fabe74316feb14d539effbd63fcea65aa63a |
| SHA256 | cc57de283b82deabb635694fa47fec1ea35dc08d65965861571f671d56240b48 |
| SHA512 | 02674fecdf6ccd09498a632f9f0271c9c45c248e0464bfff5e026777b54129159fe7bd72c742636b6488c12c446367d2fd90ce0b169342cbcba2f3eb596c2b46 |
C:\Windows\System\ojTwSQW.exe
| MD5 | 939d62afb05eb1746bb2499dc5caa6b8 |
| SHA1 | 516369df39e5288abd000837246005aeb4110322 |
| SHA256 | 478fd249b13d86f556641521b72442bae18d6db169bb794339dac7e3f6c7b95c |
| SHA512 | e6dac55531d6e2a28dd5be90cb8eb5ea9ee7bceb8ce4a2c7809831d5070de1f36ed6ec47dbdc002cbf4db6922e8f2b2b5232cf5f85c37f42f5bc7aa55a911ddd |
memory/2840-59-0x00007FF67E6C0000-0x00007FF67EA14000-memory.dmp
C:\Windows\System\scLJBKw.exe
| MD5 | 12dc43dbda4d2c57cd7a57227cf2a5e5 |
| SHA1 | ddfcb4d31e3b497eeb7e4cd8891266fb50dd84f7 |
| SHA256 | aa6077dae07d3a342f27703d31c7b59f89cc06051c85e8d3e9b03c30d65f717e |
| SHA512 | bdcdd5206bf6638d747d5fb6ec028dca2c4ab28a39c0dac2881cd4d8a3cedadd123d880f56e019178b68b9c91f755e58f2666494724a3982d04bd491dce336d1 |
C:\Windows\System\MEcxGin.exe
| MD5 | 7223200ee6876ef35d70ec397de99287 |
| SHA1 | 528cf74cc2b1ab69c95f3ed25e45671884322547 |
| SHA256 | 94610af7583be46aaf6ccedc7b96331680946c6a9ccb9f818e06479c5564bacb |
| SHA512 | 7e5490d3bd24ebe411eb4426c43ec132e1daf08e7fd46b9da2f5d6c52f4070b1aa25bfc9e8c7e03c4a5b9c388d20c49cbeb3932b28396cbfa1f98227be224d11 |
C:\Windows\System\NlulgTj.exe
| MD5 | b53760842f8c6190c625cda19f98afb4 |
| SHA1 | a578352008fa8faeda9bba62634d8711de040cd8 |
| SHA256 | 76b984df2aabd47c33c806f80ea350907a495f3a23662d726e916883576ef60b |
| SHA512 | 87808ccf4729e48c9ad4c7441b32493bc7f483f9af5183072923d36927903205186c24e648af9fa4fdb52dd6e101a87da0995198670e2b1ea16fe1d24824c888 |
memory/824-84-0x00007FF7018C0000-0x00007FF701C14000-memory.dmp
memory/4632-91-0x00007FF6F21A0000-0x00007FF6F24F4000-memory.dmp
memory/508-92-0x00007FF60AE00000-0x00007FF60B154000-memory.dmp
memory/3992-90-0x00007FF6173B0000-0x00007FF617704000-memory.dmp
memory/2152-89-0x00007FF6E82E0000-0x00007FF6E8634000-memory.dmp
C:\Windows\System\UmtRphF.exe
| MD5 | 646a69ecd3569ae7f19e0d7f7dad40b9 |
| SHA1 | e32c70c607078d338a11eb0ea75fd07cb8384579 |
| SHA256 | 8fa0c6116c654136536bb5192284852b9e0c18d79bdff37d721d614cb5c2b809 |
| SHA512 | 860c63d8e6db3b8b0d4303727cd6c994e235a4083f0a7f286db33100dc1fda83822381c9fc3962945f520c491991dc803352ef9eb7a8e56c4f005f4985073395 |
C:\Windows\System\sUtOlVE.exe
| MD5 | 774688d300dae941e48f3791f81b8976 |
| SHA1 | 9f1b70fbbf8d342f4258dcb45753a57ab44017b0 |
| SHA256 | ff5be47cc2bfb5bca9e571cfcfe7eaf299fce4c0c6249bfcb90c820d3990e4fe |
| SHA512 | f674c266e2fc7b6768ee0a5202feb390b9e4a4b7941e80823d3f253413f97b3baf8f7d051321df9a03efc273e9ab5e84296d894af9199be3703a748347adae86 |
C:\Windows\System\YTzUtQV.exe
| MD5 | e88f292affc76333228401893c519ed3 |
| SHA1 | 6c9c9a458afb21dd17a5acfc392dbfdd56a29086 |
| SHA256 | 1d8925de89573d57511a627234f7fbe814c202f1da9cc130cf08b065e42776b2 |
| SHA512 | 9022b8196e48703d406d5ee1db5c00a5c2ebfa1831fe2bc0e64c018657e05f570d3c37716074fe328937caeaa199aed3d51fd55686fa2ca250deaa44727777dd |
memory/1640-60-0x00007FF6A2790000-0x00007FF6A2AE4000-memory.dmp
memory/4120-57-0x00007FF755310000-0x00007FF755664000-memory.dmp
C:\Windows\System\yRSJbka.exe
| MD5 | f31ed82f49c2a7b32486137049ba2dfb |
| SHA1 | cdcdc10e92de25c00a4158e76950fa377060e157 |
| SHA256 | 31856a8a3dcbbe885665d633a716321728913555199b47e9ab150d11c3b7dc67 |
| SHA512 | 2445259ea7b1e98a14d436ca3a037f9ff3149d0c5af88cd8bb723da66334c8f5bcafead8ec7c66221aaf9ef00b250b97387ea9c48252ac67315b4d162d56ce90 |
memory/4780-44-0x00007FF742670000-0x00007FF7429C4000-memory.dmp
C:\Windows\System\bBspvQu.exe
| MD5 | 7f379015f637e0f0525ebadef6521070 |
| SHA1 | e4144c12567f58968cc19a5d528382ff3b273ac7 |
| SHA256 | b7964a51c7b09bba9e6cbbc72602d9ee1ef6cdf4636eaf94e5f6795d59ec1046 |
| SHA512 | 8c13df5643725f8c6280c40c4b6173d1c67eb1fef79199412623e4ab766b489234ac2854f08f259a5932966e1404aee4af181ad3548f8071ffa5acf65d4a65cf |
memory/3216-98-0x00007FF6D4830000-0x00007FF6D4B84000-memory.dmp
C:\Windows\System\FymBsDe.exe
| MD5 | 54c99e9ef769fc023fbb68dbce1e7d79 |
| SHA1 | 9ee5e2e7f66da6492e59573c2ac133cc7ea7b4ac |
| SHA256 | 32836c6486f77f1bcd61116cbd90b39c3fca0a63e5be15551e95a9d17d911fa8 |
| SHA512 | 0b113a8dc64828e045832745844d2487fdcea057846f66724c26ac5c990c5cf2a0e3c0feca8da2ec05b0b7d84aa2c44e2be9bc32c5561f7716a3110510a13d81 |
C:\Windows\System\ROpSQra.exe
| MD5 | 3a959f8f3ebe1c92e8e66b8ab5f894da |
| SHA1 | 69d4438c2b5ed03c3ee659b54151e100c44fb270 |
| SHA256 | 64d29ed88ac0a7122a93fad908b8bbbe237c50e5846beb54f261752a63064190 |
| SHA512 | b1f4733ff9e30f3796879a9e9907f0cf51ab8d63f7862802e12e8adff6f05fe899eb55641d2c24aab5bfc204dae0c9e4e0f3a2ea04bf2727177151df7fc3f2af |
C:\Windows\System\UoioNTL.exe
| MD5 | 21f25762dcf3deaac990dd6cd6c5f850 |
| SHA1 | 97385155b820b0a14f830292e82c38e86a6b1928 |
| SHA256 | 7459537c669ba645ebcbdbd91291da3a8be57d048b726a4e77c3075d3ee17af6 |
| SHA512 | b137b578fc8aef2009154e598bd62a8b10a1e4ad729cb4f252c12deb7e10d3d126bbde17f62fc0891e7c7d59173e6c5b3e320543386c18f50542f1bdc3f3b542 |
memory/5032-105-0x00007FF69A610000-0x00007FF69A964000-memory.dmp
memory/4960-115-0x00007FF7E3AF0000-0x00007FF7E3E44000-memory.dmp
memory/2612-118-0x00007FF783A60000-0x00007FF783DB4000-memory.dmp
memory/3248-122-0x00007FF6F5220000-0x00007FF6F5574000-memory.dmp
memory/4920-127-0x00007FF795350000-0x00007FF7956A4000-memory.dmp
memory/3904-128-0x00007FF78C640000-0x00007FF78C994000-memory.dmp
C:\Windows\System\jfdTVhG.exe
| MD5 | 741cf5fe853b1c8b6a1e55d00afc9871 |
| SHA1 | a9504171bad37ac8a30a0f585d1379d4a0308e5d |
| SHA256 | 2337316d664f8b179c3cce545d06a530f94b2014951964302e7ab6fb05f7c9bc |
| SHA512 | 3655f66061bad2903bad2d91fd61d55ed7f20d86167d1deee6ec7b36b31a4d2c928a4f0cd06d32705250279ff52c56fb2cedc4b52b6116f63912a5d05fd5e09b |
C:\Windows\System\HLsPFqh.exe
| MD5 | 32b15dd93146f838fbbdae860dd2998d |
| SHA1 | b7011e11f682f41f0eee3a0426477accdf2d9c0a |
| SHA256 | 069cc3959f5594286571bb9600c56b68a28c88000250b92e4ed6056289b53db5 |
| SHA512 | a6b98dfb070c445915e0931a06e9f88cb4822b933ccc7cd4f4ea588b8c06acb450ba84b351d590e31d3972434182cbe66e78acfb50b99098d4cb231ab650e682 |
memory/1728-129-0x00007FF73E680000-0x00007FF73E9D4000-memory.dmp
memory/5036-130-0x00007FF6BA640000-0x00007FF6BA994000-memory.dmp
memory/4408-131-0x00007FF72F9E0000-0x00007FF72FD34000-memory.dmp
memory/3312-132-0x00007FF69CEE0000-0x00007FF69D234000-memory.dmp
memory/4780-133-0x00007FF742670000-0x00007FF7429C4000-memory.dmp
memory/1640-134-0x00007FF6A2790000-0x00007FF6A2AE4000-memory.dmp
memory/3216-135-0x00007FF6D4830000-0x00007FF6D4B84000-memory.dmp
memory/2612-137-0x00007FF783A60000-0x00007FF783DB4000-memory.dmp
memory/4960-136-0x00007FF7E3AF0000-0x00007FF7E3E44000-memory.dmp
memory/3248-138-0x00007FF6F5220000-0x00007FF6F5574000-memory.dmp
memory/4920-139-0x00007FF795350000-0x00007FF7956A4000-memory.dmp
memory/3904-140-0x00007FF78C640000-0x00007FF78C994000-memory.dmp
memory/3460-141-0x00007FF622C90000-0x00007FF622FE4000-memory.dmp
memory/1728-142-0x00007FF73E680000-0x00007FF73E9D4000-memory.dmp
memory/2820-143-0x00007FF74A6D0000-0x00007FF74AA24000-memory.dmp
memory/3312-144-0x00007FF69CEE0000-0x00007FF69D234000-memory.dmp
memory/4780-145-0x00007FF742670000-0x00007FF7429C4000-memory.dmp
memory/4120-146-0x00007FF755310000-0x00007FF755664000-memory.dmp
memory/1640-147-0x00007FF6A2790000-0x00007FF6A2AE4000-memory.dmp
memory/2840-148-0x00007FF67E6C0000-0x00007FF67EA14000-memory.dmp
memory/2152-150-0x00007FF6E82E0000-0x00007FF6E8634000-memory.dmp
memory/824-149-0x00007FF7018C0000-0x00007FF701C14000-memory.dmp
memory/508-151-0x00007FF60AE00000-0x00007FF60B154000-memory.dmp
memory/4632-153-0x00007FF6F21A0000-0x00007FF6F24F4000-memory.dmp
memory/3992-152-0x00007FF6173B0000-0x00007FF617704000-memory.dmp
memory/3216-154-0x00007FF6D4830000-0x00007FF6D4B84000-memory.dmp
memory/4960-155-0x00007FF7E3AF0000-0x00007FF7E3E44000-memory.dmp
memory/5036-156-0x00007FF6BA640000-0x00007FF6BA994000-memory.dmp
memory/2612-157-0x00007FF783A60000-0x00007FF783DB4000-memory.dmp
memory/3248-159-0x00007FF6F5220000-0x00007FF6F5574000-memory.dmp
memory/4408-158-0x00007FF72F9E0000-0x00007FF72FD34000-memory.dmp