Analysis Overview
SHA256
616409e2debfc2925e3e54a27ee410f9c6179dd5bdf8591beef26634fa24ad46
Threat Level: Known bad
The file 2024-06-01_e482516bbe843e2fd84ec89c71fee145_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobaltstrike family
Xmrig family
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:57
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:57
Reported
2024-06-01 08:00
Platform
win7-20240221-en
Max time kernel
136s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\wKjCsYP.exe | N/A |
| N/A | N/A | C:\Windows\System\KwkcDVr.exe | N/A |
| N/A | N/A | C:\Windows\System\KonGbiL.exe | N/A |
| N/A | N/A | C:\Windows\System\zgrGcWw.exe | N/A |
| N/A | N/A | C:\Windows\System\ySVYBot.exe | N/A |
| N/A | N/A | C:\Windows\System\JIApUrk.exe | N/A |
| N/A | N/A | C:\Windows\System\uHfVlnc.exe | N/A |
| N/A | N/A | C:\Windows\System\Fexfgys.exe | N/A |
| N/A | N/A | C:\Windows\System\yjghxId.exe | N/A |
| N/A | N/A | C:\Windows\System\OqIjdQU.exe | N/A |
| N/A | N/A | C:\Windows\System\HayuECI.exe | N/A |
| N/A | N/A | C:\Windows\System\BSajyEm.exe | N/A |
| N/A | N/A | C:\Windows\System\uOcEOAN.exe | N/A |
| N/A | N/A | C:\Windows\System\UKSZUeK.exe | N/A |
| N/A | N/A | C:\Windows\System\wXnopco.exe | N/A |
| N/A | N/A | C:\Windows\System\DGmuybO.exe | N/A |
| N/A | N/A | C:\Windows\System\QMGqnEp.exe | N/A |
| N/A | N/A | C:\Windows\System\tSLQTnk.exe | N/A |
| N/A | N/A | C:\Windows\System\rrYZIwl.exe | N/A |
| N/A | N/A | C:\Windows\System\mHbsxjy.exe | N/A |
| N/A | N/A | C:\Windows\System\jpRptZU.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_e482516bbe843e2fd84ec89c71fee145_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_e482516bbe843e2fd84ec89c71fee145_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_e482516bbe843e2fd84ec89c71fee145_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\wKjCsYP.exe
C:\Windows\System\KwkcDVr.exe
C:\Windows\System\KonGbiL.exe
C:\Windows\System\zgrGcWw.exe
C:\Windows\System\ySVYBot.exe
C:\Windows\System\JIApUrk.exe
C:\Windows\System\uHfVlnc.exe
C:\Windows\System\Fexfgys.exe
C:\Windows\System\yjghxId.exe
C:\Windows\System\OqIjdQU.exe
C:\Windows\System\HayuECI.exe
C:\Windows\System\BSajyEm.exe
C:\Windows\System\uOcEOAN.exe
C:\Windows\System\UKSZUeK.exe
C:\Windows\System\wXnopco.exe
C:\Windows\System\DGmuybO.exe
C:\Windows\System\QMGqnEp.exe
C:\Windows\System\tSLQTnk.exe
C:\Windows\System\rrYZIwl.exe
C:\Windows\System\mHbsxjy.exe
C:\Windows\System\jpRptZU.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 07:57
Reported
2024-06-01 08:00
Platform
win10v2004-20240226-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WZMJUWz.exe | N/A |
| N/A | N/A | C:\Windows\System\uXksUbP.exe | N/A |
| N/A | N/A | C:\Windows\System\OSdCjWs.exe | N/A |
| N/A | N/A | C:\Windows\System\YvlKgsA.exe | N/A |
| N/A | N/A | C:\Windows\System\fypcQYS.exe | N/A |
| N/A | N/A | C:\Windows\System\sLlvsse.exe | N/A |
| N/A | N/A | C:\Windows\System\NTAaRla.exe | N/A |
| N/A | N/A | C:\Windows\System\GHzPYwf.exe | N/A |
| N/A | N/A | C:\Windows\System\HyhPDcc.exe | N/A |
| N/A | N/A | C:\Windows\System\lLaQqyr.exe | N/A |
| N/A | N/A | C:\Windows\System\lpvMUiT.exe | N/A |
| N/A | N/A | C:\Windows\System\tLsuSCS.exe | N/A |
| N/A | N/A | C:\Windows\System\lVRCjAc.exe | N/A |
| N/A | N/A | C:\Windows\System\fZSKYLB.exe | N/A |
| N/A | N/A | C:\Windows\System\eXFKrXJ.exe | N/A |
| N/A | N/A | C:\Windows\System\ZdjlTju.exe | N/A |
| N/A | N/A | C:\Windows\System\uiYiWbn.exe | N/A |
| N/A | N/A | C:\Windows\System\nxhnoOt.exe | N/A |
| N/A | N/A | C:\Windows\System\scROQyq.exe | N/A |
| N/A | N/A | C:\Windows\System\vJmPFGV.exe | N/A |
| N/A | N/A | C:\Windows\System\PpbkmsX.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_e482516bbe843e2fd84ec89c71fee145_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_e482516bbe843e2fd84ec89c71fee145_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_e482516bbe843e2fd84ec89c71fee145_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\WZMJUWz.exe
C:\Windows\System\uXksUbP.exe
C:\Windows\System\OSdCjWs.exe
C:\Windows\System\YvlKgsA.exe
C:\Windows\System\fypcQYS.exe
C:\Windows\System\sLlvsse.exe
C:\Windows\System\NTAaRla.exe
C:\Windows\System\GHzPYwf.exe
C:\Windows\System\HyhPDcc.exe
C:\Windows\System\lLaQqyr.exe
C:\Windows\System\lpvMUiT.exe
C:\Windows\System\tLsuSCS.exe
C:\Windows\System\lVRCjAc.exe
C:\Windows\System\fZSKYLB.exe
C:\Windows\System\eXFKrXJ.exe
C:\Windows\System\ZdjlTju.exe
C:\Windows\System\uiYiWbn.exe
C:\Windows\System\nxhnoOt.exe
C:\Windows\System\scROQyq.exe
C:\Windows\System\vJmPFGV.exe
C:\Windows\System\PpbkmsX.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2528 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
C:\Windows\System\sLlvsse.exe
| MD5 | 925e02c950b37686b7cc104cd4a779a4 |
| SHA1 | 6486c66111f5eb94f5cb1b4b0867b6cb481f84b9 |
| SHA256 | da132801c3ed7a2f69c0913bd065dbeb81412c30e2570a822e60011c56b4709b |
| SHA512 | 708df80b0e2c22eb9180abc843de90e13c3b55411795efd077eb7e347d140f38029662d15e2b8e0b3778fe5a56bf19839f64a12fb75d760d834edf39b85ce14a |
memory/4084-38-0x00007FF7F6720000-0x00007FF7F6A74000-memory.dmp
C:\Windows\System\NTAaRla.exe
| MD5 | 386327c50b8f410ee83b3c7d6322051c |
| SHA1 | ee690d1d6c2c96ed224d25b8c0b90db9c887a813 |
| SHA256 | b1efb507b46b1c8083d8c57c2ddc8f01aea3bcebacaf1d60c432de86c6484948 |
| SHA512 | 3c177c918f9c47693dbd03e89088edfb720147996bb52c602582a2758fc633d1b697be416599964a2bab3047c0f98eaae3eda6c07b5985fd243447628f85ca6d |
memory/2288-44-0x00007FF76BC40000-0x00007FF76BF94000-memory.dmp
C:\Windows\System\GHzPYwf.exe
| MD5 | 88ef1565c5dc84d6f5fe8b0e680c7150 |
| SHA1 | 58bab64fc62dcf53ca13b5fa56b94a88fb397f0c |
| SHA256 | babd1e226a5baa233febdf3eb5794662331be47b30a6390e787ac6616b8b1328 |
| SHA512 | ff28c8231a263c9d0653756aaa7c18d9e41e0222cb5e29403ae58a5ce78812cc65040830034fab8b14380e13832f10e063fc9bea53f2d129870907429cf8ee44 |
C:\Windows\System\HyhPDcc.exe
| MD5 | e33d73d55bcef1afcd53f07dd53fcf00 |
| SHA1 | 23d41adc31ef360a2567e427fba0c47ce2aaaa98 |
| SHA256 | 278f8695407a063ad1d882994d8c63d8c77a42c47d4a444e336384ae68b85ad4 |
| SHA512 | 9714b3eb1bef0d5ad8d1a27c05d103a46ae85a27734092b4d73057ae8a6f0dd062b95deaf31ebdfa4be136fd80686f7e4c45947520aa772ee09ed6338465fb26 |
C:\Windows\System\lLaQqyr.exe
| MD5 | ddce319d8f061e51bb77b4958f561195 |
| SHA1 | e9acc5c752ddaf938ab03c5861d91e319fa7a495 |
| SHA256 | 95ddf07bc75d9374115f3a533d85d2c37b1e238f6e3d824b78efafccba692d86 |
| SHA512 | a0b8a9721f3db3beb6a9b87e2ad116557e011dd529cbefd08552700369344153fbcd9da8f78c35e9fba5bf12905cfd1b8392a2098e0591dc11d947f1af04a0d5 |
C:\Windows\System\lpvMUiT.exe
| MD5 | a5da3da4c3ad0c07e3835341fcd68670 |
| SHA1 | 7cc9995378437efd0ffc7930a07ae1b6cfe9c71e |
| SHA256 | 8cc3fd7550c5142e703927412339456587702a110c4a40278693a885d4020f14 |
| SHA512 | 03ccdbeb8383dcd0facb52422c97dc700b8cb4a7d8ff9ecd9ea39c60ecb3759f369e661bc3097afd79430157019b313808a34f42325bd078fe81a7f6a4c8b3cd |
memory/2096-69-0x00007FF7B58C0000-0x00007FF7B5C14000-memory.dmp
memory/3384-70-0x00007FF7C9340000-0x00007FF7C9694000-memory.dmp
memory/2268-71-0x00007FF7E4D30000-0x00007FF7E5084000-memory.dmp
memory/2144-72-0x00007FF6DDC90000-0x00007FF6DDFE4000-memory.dmp
memory/620-68-0x00007FF6DDD10000-0x00007FF6DE064000-memory.dmp
C:\Windows\System\tLsuSCS.exe
| MD5 | 7c42d41ade9a6e3142667cfed54d96b5 |
| SHA1 | 7bfc6b9970b857efe27bfc519bf4a2aa7f7f3a09 |
| SHA256 | a66f891d97c6c9ea6414de100a0c34fb1fd34af5ac39b110cb0b74a4f9ffdb6b |
| SHA512 | 3f7a1f55a0572653465003019479c90babdd7d4541e03ab057fc87eeccee8fe44952ad89e3e82e08016a6fb9ffc2fd86f7a416bf2e5aa90f1b703e19ef937db7 |
C:\Windows\System\lVRCjAc.exe
| MD5 | 41a39d8bb054fda9f2a4d29fb2d8985b |
| SHA1 | de16cf8dd99310bb44a850bfe1128e6941e7a89a |
| SHA256 | f04eead8d979a05c977f60516c26761148431ad0dd3f06dfcc41ffcac214b643 |
| SHA512 | e8983520aa3a6c96a72f141eef0917886a35b583fc578acc597134d667231da373ca4d65cd82a3a1d1cb5d9e0a4acaabd97ec930749443b36f0ec0a5b2fb1e33 |
C:\Windows\System\fZSKYLB.exe
| MD5 | ffd9f80aeb0c351b72f3be9f93dec065 |
| SHA1 | cb4a6c2f51f9dfbd22856ebc2edba9bd1d863c82 |
| SHA256 | f2f5326414e0418dca3a1ce8f196bcec979416453861b0bbfafac68342ff0c77 |
| SHA512 | 7de68cffe77a604694d5cca5b101d50c1fb5563c2fed065a3fa1d1a9cc7c654fdb4448bd5db118dc587ab455ca23cd3510496f53232dcc380f487b8a219842e9 |
C:\Windows\System\eXFKrXJ.exe
| MD5 | 9a67148368d3c20f9dea51bc6fad18ca |
| SHA1 | c43dbc36c4cf432c54c22399c6cbbed5ddecb713 |
| SHA256 | a2c9aa4a92ea486068c9df48e9acc362b18daaf9e5962a7ce03b04c83063725c |
| SHA512 | b2eefcc14cca47a265eca5c82ec7a3e6e0a9fbc17426a69287a56bcece969b4cec64a5757e1ad9f055a8f380678a56e9fa14d48c4de0c9de3a200e0907194adf |
C:\Windows\System\ZdjlTju.exe
| MD5 | a2d342a68461b79b3b1b8369f6cca111 |
| SHA1 | 5a2662abeace1baeac2bcd6fce1a55c9455d83ad |
| SHA256 | f8e7242d599ecc0af800611f91e9bc44b5098fa279cf6cba6ffd8dd04f128e7e |
| SHA512 | 9cc807217aa9d668306184728df416439d9fb055721ed4786e4596bd187d4d980814d2f1460faad5f9ba97162bde06b66dc9a369c29458c4a10adbed997761ca |
C:\Windows\System\uiYiWbn.exe
| MD5 | 569090d701abfd867ca2c4a7ab9da9f3 |
| SHA1 | d3f8b30e0e3424974dd543db2d42be7bef9d4fa8 |
| SHA256 | b18e7c5d78d008f27f99efd59441968bb4b5739de9ac8f550ccbc3655a390870 |
| SHA512 | 10ff3b2a77ac7dd33b5957a7a848d8f29aaee01cfd974a4c5e0a8ca95ee430362fd4fe20a6b878ca6442c7969cb7f720c0d458d24d9164228c0d306a4ad6ccc5 |
C:\Windows\System\nxhnoOt.exe
| MD5 | f7b77680c639a49b0a724d18b3bf3d09 |
| SHA1 | 6b6d704514046b943fcf3fba00085715a8017b91 |
| SHA256 | d86dde420af526542fe22a859925c7b601c1a27e45a94219dccd23363d669ff1 |
| SHA512 | 02ca5fef65f40440c645347409c33c3086a6fb04e35aa119d79ec5041918a38c063cfbcf3066662afaf8c8c37c5aedeb25acdc01cc732507ae00d22e5cc913b4 |
C:\Windows\System\scROQyq.exe
| MD5 | 8ab43fb0da4e618cadaf6112d9e786f7 |
| SHA1 | e98a9c45ec614dd68925e27e3e8c31dca7b0712a |
| SHA256 | 44b1f16a38b2fc8a9e8f029432d6efa277b68044854a2099178eae50b51b9be2 |
| SHA512 | 83d76f8841ed6e5b5d2e70819280f6ae22e2945c2c0c577ca9cec268fa3dc391225193bead9e141cd8a504603febbf7767d3c7cd601bc6f2aafc30cc884d87ce |
C:\Windows\System\vJmPFGV.exe
| MD5 | 46bf8e34f8fbf2f882ad6a26989e644c |
| SHA1 | 9e3413414586c91bdbba02d95c8f7ff683774517 |
| SHA256 | 76cfdef07002e3829688a845fa917daba8b7670d340608f01fef2482ae7448eb |
| SHA512 | 11fda0441411776c4e7f0126d1fdb1a40b1db21e62e1be54a825f1af1a5522f25075439568cf2c80fe7cd2fa4e0de4518afc7e6063f2e7c35199bb8987395c66 |
C:\Windows\System\PpbkmsX.exe
| MD5 | 23dd0e09cc82755f2fd837e06f89f0e1 |
| SHA1 | 64ca230bdfd55ef3cbaa18eca669a3cc318d7090 |
| SHA256 | 5b9d54bb3c31e3d916c3be8bfcf729e5b496d71831a0ccda5268936658086be0 |
| SHA512 | d6d8b1ea953860ae4af6101d8104a5c544de02040262e788ec62c7728ed4e80f0c6bf544ef4a3d2facb5769f44fbc66cb6b49b7c212efa55d04ee56e34a0ea8b |
memory/4768-119-0x00007FF7CBB70000-0x00007FF7CBEC4000-memory.dmp
memory/3572-120-0x00007FF73C180000-0x00007FF73C4D4000-memory.dmp
memory/4904-121-0x00007FF6AD580000-0x00007FF6AD8D4000-memory.dmp
memory/2932-122-0x00007FF687F10000-0x00007FF688264000-memory.dmp
memory/4972-123-0x00007FF712D50000-0x00007FF7130A4000-memory.dmp
memory/4796-124-0x00007FF66C220000-0x00007FF66C574000-memory.dmp
memory/1124-125-0x00007FF772B70000-0x00007FF772EC4000-memory.dmp
memory/5060-126-0x00007FF642550000-0x00007FF6428A4000-memory.dmp
memory/2688-127-0x00007FF68BDF0000-0x00007FF68C144000-memory.dmp
memory/3076-128-0x00007FF661300000-0x00007FF661654000-memory.dmp
memory/1596-129-0x00007FF7EF3B0000-0x00007FF7EF704000-memory.dmp
memory/4340-130-0x00007FF7C2500000-0x00007FF7C2854000-memory.dmp
memory/4308-131-0x00007FF7D7700000-0x00007FF7D7A54000-memory.dmp
memory/1596-132-0x00007FF7EF3B0000-0x00007FF7EF704000-memory.dmp
memory/2144-133-0x00007FF6DDC90000-0x00007FF6DDFE4000-memory.dmp
memory/4340-134-0x00007FF7C2500000-0x00007FF7C2854000-memory.dmp
memory/3768-135-0x00007FF60EEA0000-0x00007FF60F1F4000-memory.dmp
memory/4308-136-0x00007FF7D7700000-0x00007FF7D7A54000-memory.dmp
memory/2728-137-0x00007FF7BFFB0000-0x00007FF7C0304000-memory.dmp
memory/4084-138-0x00007FF7F6720000-0x00007FF7F6A74000-memory.dmp
memory/2288-139-0x00007FF76BC40000-0x00007FF76BF94000-memory.dmp
memory/620-140-0x00007FF6DDD10000-0x00007FF6DE064000-memory.dmp
memory/2096-141-0x00007FF7B58C0000-0x00007FF7B5C14000-memory.dmp
memory/3384-142-0x00007FF7C9340000-0x00007FF7C9694000-memory.dmp
memory/2268-143-0x00007FF7E4D30000-0x00007FF7E5084000-memory.dmp
memory/3572-144-0x00007FF73C180000-0x00007FF73C4D4000-memory.dmp
memory/4904-145-0x00007FF6AD580000-0x00007FF6AD8D4000-memory.dmp
memory/2932-146-0x00007FF687F10000-0x00007FF688264000-memory.dmp
memory/4796-148-0x00007FF66C220000-0x00007FF66C574000-memory.dmp
memory/4972-147-0x00007FF712D50000-0x00007FF7130A4000-memory.dmp
memory/5060-149-0x00007FF642550000-0x00007FF6428A4000-memory.dmp
memory/1124-150-0x00007FF772B70000-0x00007FF772EC4000-memory.dmp
memory/2688-151-0x00007FF68BDF0000-0x00007FF68C144000-memory.dmp
memory/3076-152-0x00007FF661300000-0x00007FF661654000-memory.dmp
memory/2144-153-0x00007FF6DDC90000-0x00007FF6DDFE4000-memory.dmp
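Two patterns in the Files section are worth checking mechanically rather than by eye: every dropped executable is `C:\Windows\System\` plus seven random letters plus `.exe`, and nearly every `memory/PID-index-start-end` dump covers a region of exactly the same size, which is what you expect when one PE image is re-executed under many names. The script below is an added example, not part of the sandbox report; it parses a constructed subset of the entries above, de-duplicates repeated dumps of the same region, and groups the regions by size. The seven-letter name regex is a heuristic assumed for this sample, not a general Cobalt Strike or XMRig signature.

```python
import re
from collections import Counter

# Constructed sample: a subset of the memory/ entries from this report.
# PID 4768's image region appears twice (index 0 and 119), as it does on the page.
MEMORY_LINES = """\
memory/4768-0-0x00007FF7CBB70000-0x00007FF7CBEC4000-memory.dmp
memory/4768-1-0x000001951A600000-0x000001951A610000-memory.dmp
memory/1596-7-0x00007FF7EF3B0000-0x00007FF7EF704000-memory.dmp
memory/4340-12-0x00007FF7C2500000-0x00007FF7C2854000-memory.dmp
memory/3768-20-0x00007FF60EEA0000-0x00007FF60F1F4000-memory.dmp
memory/4308-26-0x00007FF7D7700000-0x00007FF7D7A54000-memory.dmp
memory/4768-119-0x00007FF7CBB70000-0x00007FF7CBEC4000-memory.dmp
"""

# Constructed sample: a few of the dropped-file paths from this report.
DROPPED_PATHS = [
    r"C:\Windows\System\WZMJUWz.exe",
    r"C:\Windows\System\uXksUbP.exe",
    r"C:\Windows\System\lLaQqyr.exe",
    r"C:\Windows\System\PpbkmsX.exe",
]

MEM_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)
# Heuristic (assumption): seven ASCII letters directly under C:\Windows\System\.
DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse_memory(text):
    """Return one dict per dump line: pid, dump index, region start and size in bytes."""
    regions = []
    for line in text.splitlines():
        m = MEM_RE.match(line.strip())
        if not m:
            continue
        pid, idx = int(m.group(1)), int(m.group(2))
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        regions.append({"pid": pid, "idx": idx, "start": start, "size": end - start})
    return regions


def size_histogram(regions):
    """Count distinct (pid, start) regions by size; repeated dumps of one region count once."""
    unique = {(r["pid"], r["start"]): r["size"] for r in regions}
    return Counter(unique.values())


def pids_with_region_size(regions, size):
    """PIDs that map a region of exactly this size (same image mapped in many processes)."""
    return sorted({r["pid"] for r in regions if r["size"] == size})


def matches_drop_pattern(path):
    return DROP_RE.match(path) is not None


if __name__ == "__main__":
    regs = parse_memory(MEMORY_LINES)
    for size, n in size_histogram(regs).most_common():
        print(f"{n} region(s) of 0x{size:X} bytes in PIDs {pids_with_region_size(regs, size)}")
    for p in DROPPED_PATHS:
        print(p, "matches" if matches_drop_pattern(p) else "does not match")
```

On this report the image regions all come out at 0x354000 bytes, so the many seven-letter executables are copies of one binary; hunting on the name pattern alone is noisy (legitimate seven-letter names exist), so pair it with the directory and the hashes listed above.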