Analysis Overview
SHA256
aa0bddc391aa36a4e213301052b32440d1e868a08a43196cf90afb6695ae462d
Threat Level: Known bad
The file 2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Cobaltstrike
Xmrig family
xmrig
XMRig Miner payload
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 15:40
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 15:40
Reported
2024-06-01 15:42
Platform
win7-20240508-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dlJDZhd.exe | N/A |
| N/A | N/A | C:\Windows\System\hlxTyUA.exe | N/A |
| N/A | N/A | C:\Windows\System\YStpPil.exe | N/A |
| N/A | N/A | C:\Windows\System\iGNCJui.exe | N/A |
| N/A | N/A | C:\Windows\System\WfYFuks.exe | N/A |
| N/A | N/A | C:\Windows\System\bsbZZHW.exe | N/A |
| N/A | N/A | C:\Windows\System\DGNsnsH.exe | N/A |
| N/A | N/A | C:\Windows\System\XUStDOt.exe | N/A |
| N/A | N/A | C:\Windows\System\vdxVNOc.exe | N/A |
| N/A | N/A | C:\Windows\System\GcwVrlq.exe | N/A |
| N/A | N/A | C:\Windows\System\gNMnDKc.exe | N/A |
| N/A | N/A | C:\Windows\System\kpYdbJD.exe | N/A |
| N/A | N/A | C:\Windows\System\HCILQDm.exe | N/A |
| N/A | N/A | C:\Windows\System\RkRrGgr.exe | N/A |
| N/A | N/A | C:\Windows\System\kUmIMBP.exe | N/A |
| N/A | N/A | C:\Windows\System\TOkTBVQ.exe | N/A |
| N/A | N/A | C:\Windows\System\wyhtdEP.exe | N/A |
| N/A | N/A | C:\Windows\System\wblswNl.exe | N/A |
| N/A | N/A | C:\Windows\System\DtdzHGH.exe | N/A |
| N/A | N/A | C:\Windows\System\vqtGJMr.exe | N/A |
| N/A | N/A | C:\Windows\System\HVJdvkS.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\hlxTyUA.exe
C:\Windows\System\hlxTyUA.exe
C:\Windows\System\dlJDZhd.exe
C:\Windows\System\dlJDZhd.exe
C:\Windows\System\YStpPil.exe
C:\Windows\System\YStpPil.exe
C:\Windows\System\iGNCJui.exe
C:\Windows\System\iGNCJui.exe
C:\Windows\System\WfYFuks.exe
C:\Windows\System\WfYFuks.exe
C:\Windows\System\bsbZZHW.exe
C:\Windows\System\bsbZZHW.exe
C:\Windows\System\DGNsnsH.exe
C:\Windows\System\DGNsnsH.exe
C:\Windows\System\XUStDOt.exe
C:\Windows\System\XUStDOt.exe
C:\Windows\System\vdxVNOc.exe
C:\Windows\System\vdxVNOc.exe
C:\Windows\System\GcwVrlq.exe
C:\Windows\System\GcwVrlq.exe
C:\Windows\System\gNMnDKc.exe
C:\Windows\System\gNMnDKc.exe
C:\Windows\System\kpYdbJD.exe
C:\Windows\System\kpYdbJD.exe
C:\Windows\System\HCILQDm.exe
C:\Windows\System\HCILQDm.exe
C:\Windows\System\RkRrGgr.exe
C:\Windows\System\RkRrGgr.exe
C:\Windows\System\kUmIMBP.exe
C:\Windows\System\kUmIMBP.exe
C:\Windows\System\TOkTBVQ.exe
C:\Windows\System\TOkTBVQ.exe
C:\Windows\System\wyhtdEP.exe
C:\Windows\System\wyhtdEP.exe
C:\Windows\System\wblswNl.exe
C:\Windows\System\wblswNl.exe
C:\Windows\System\DtdzHGH.exe
C:\Windows\System\DtdzHGH.exe
C:\Windows\System\vqtGJMr.exe
C:\Windows\System\vqtGJMr.exe
C:\Windows\System\HVJdvkS.exe
C:\Windows\System\HVJdvkS.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 15:40
Reported
2024-06-01 15:42
Platform
win10v2004-20240426-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\kOZyJvs.exe | N/A |
| N/A | N/A | C:\Windows\System\pTCDbIS.exe | N/A |
| N/A | N/A | C:\Windows\System\HJVUgto.exe | N/A |
| N/A | N/A | C:\Windows\System\IGrUeWT.exe | N/A |
| N/A | N/A | C:\Windows\System\uONAQRn.exe | N/A |
| N/A | N/A | C:\Windows\System\eKGMnpi.exe | N/A |
| N/A | N/A | C:\Windows\System\NrCcXiQ.exe | N/A |
| N/A | N/A | C:\Windows\System\qkLxAZP.exe | N/A |
| N/A | N/A | C:\Windows\System\xNpktge.exe | N/A |
| N/A | N/A | C:\Windows\System\SDNespT.exe | N/A |
| N/A | N/A | C:\Windows\System\DhsEqFX.exe | N/A |
| N/A | N/A | C:\Windows\System\kPULHkt.exe | N/A |
| N/A | N/A | C:\Windows\System\NKZXlJY.exe | N/A |
| N/A | N/A | C:\Windows\System\tpWVMLN.exe | N/A |
| N/A | N/A | C:\Windows\System\jBXxQHq.exe | N/A |
| N/A | N/A | C:\Windows\System\cuYXIxT.exe | N/A |
| N/A | N/A | C:\Windows\System\NzvczZC.exe | N/A |
| N/A | N/A | C:\Windows\System\tXQzEmr.exe | N/A |
| N/A | N/A | C:\Windows\System\oadMxYg.exe | N/A |
| N/A | N/A | C:\Windows\System\CjbkFIw.exe | N/A |
| N/A | N/A | C:\Windows\System\SOQADvj.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\kOZyJvs.exe
C:\Windows\System\kOZyJvs.exe
C:\Windows\System\pTCDbIS.exe
C:\Windows\System\pTCDbIS.exe
C:\Windows\System\HJVUgto.exe
C:\Windows\System\HJVUgto.exe
C:\Windows\System\IGrUeWT.exe
C:\Windows\System\IGrUeWT.exe
C:\Windows\System\uONAQRn.exe
C:\Windows\System\uONAQRn.exe
C:\Windows\System\eKGMnpi.exe
C:\Windows\System\eKGMnpi.exe
C:\Windows\System\NrCcXiQ.exe
C:\Windows\System\NrCcXiQ.exe
C:\Windows\System\qkLxAZP.exe
C:\Windows\System\qkLxAZP.exe
C:\Windows\System\xNpktge.exe
C:\Windows\System\xNpktge.exe
C:\Windows\System\SDNespT.exe
C:\Windows\System\SDNespT.exe
C:\Windows\System\DhsEqFX.exe
C:\Windows\System\DhsEqFX.exe
C:\Windows\System\kPULHkt.exe
C:\Windows\System\kPULHkt.exe
C:\Windows\System\NKZXlJY.exe
C:\Windows\System\NKZXlJY.exe
C:\Windows\System\tpWVMLN.exe
C:\Windows\System\tpWVMLN.exe
C:\Windows\System\jBXxQHq.exe
C:\Windows\System\jBXxQHq.exe
C:\Windows\System\cuYXIxT.exe
C:\Windows\System\cuYXIxT.exe
C:\Windows\System\NzvczZC.exe
C:\Windows\System\NzvczZC.exe
C:\Windows\System\tXQzEmr.exe
C:\Windows\System\tXQzEmr.exe
C:\Windows\System\oadMxYg.exe
C:\Windows\System\oadMxYg.exe
C:\Windows\System\CjbkFIw.exe
C:\Windows\System\CjbkFIw.exe
C:\Windows\System\SOQADvj.exe
C:\Windows\System\SOQADvj.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2368-38-0x00007FF7FEB50000-0x00007FF7FEEA4000-memory.dmp
C:\Windows\System\NrCcXiQ.exe
| MD5 | c79462f526af20cb8dd0529f2d9894f5 |
| SHA1 | 3530f9c38d09d0c3c0715347896e958dd22536f4 |
| SHA256 | c538a02ef58e56853cf1b0835dc995a7b510ea18b802cad74bff45acade5bb3c |
| SHA512 | d684b1be30ca7b536171a3bd05b8b9e38c3ccbd663a3fde0be4aaca4ad7b4ff84f178d77999eae362ab7464edb62f889e4360988da7be46714bb2d9e33a26060 |
memory/1036-44-0x00007FF7DD630000-0x00007FF7DD984000-memory.dmp
C:\Windows\System\qkLxAZP.exe
| MD5 | badc06c84ae9e9dcbedb28edc61735a4 |
| SHA1 | 4ac936f9c05939ff2db168e5b3266f30bd27bdfb |
| SHA256 | 4d34ac92bdabfbb8a3b6f5d9a168f77e39cd4f35c7f1d1591280cb0d1b4433ed |
| SHA512 | e09ca3283ec45a8108e09e5857f55f9a4f74a07de4778f08f83c9c569be63584ac7a3a3c0549c47d995f8d865f8a8605af4532af67dd674a0c884ce0c11cf83d |
C:\Windows\System\xNpktge.exe
| MD5 | b7eac79daa3b1a8986ce994489e54035 |
| SHA1 | a1d59cd0d7922c7ba22522aa5bf8c576a90ea117 |
| SHA256 | f757439e57f7d51636b90cf46849a4e86992f91a6b3d9a04f4df9d56c009fb93 |
| SHA512 | 5c083ab43277174a50e275452b5719a1a7123fdffa0cb4ba02c035ab6dad320eaaed20c95eb0e4977fbd7d00e9c54ff55be5d80a637f5f6c62eadddd0dc627be |
C:\Windows\System\SDNespT.exe
| MD5 | 4a580e3f3d2da5c0e79f894452bbb00e |
| SHA1 | 7ed20876ca495941b65e74c479f932e9bbd1980b |
| SHA256 | 6479d6f0178ad3decaff5d338d654359c0a159eac3d7b16847208a22a38fe0fc |
| SHA512 | 7f7d04dc07fbfcd4585c87eec99e0c01da357f0651cbcaf91d4b60a6cb0e9bc94699de440e662e4940fa0f9e752cd85cdbbb01b5b947f295f69d83676cfed407 |
memory/1952-58-0x00007FF7981D0000-0x00007FF798524000-memory.dmp
memory/460-59-0x00007FF6B7AE0000-0x00007FF6B7E34000-memory.dmp
memory/1684-51-0x00007FF767FB0000-0x00007FF768304000-memory.dmp
C:\Windows\System\DhsEqFX.exe
| MD5 | 901e9062b1fb2dc4912085453497f099 |
| SHA1 | f43d42ef5e89fc677596f46c6f8f893780002b5c |
| SHA256 | 4315bcfe0e222d8ef3d480599f82c32e4ed41e820e9dc3bac49d4812b874fe87 |
| SHA512 | aaeed6323b36fe93904770a3be150ddec50eb1c6ce9f3b113b55e8301f4ca52ebcdb777e9e0ce3a841a4cb7ee05d45ea8a31340b525c69e91709f13d5f789d1e |
C:\Windows\System\kPULHkt.exe
| MD5 | 9bc132a3fa0369c8f92aa4349a84429c |
| SHA1 | 509961a61db38a053acc955a22e99c4fcfbc63e5 |
| SHA256 | 4e1ed62e9a6566760f88a58e8b75e631c5cc8510f3d956f72822ecce91c9476d |
| SHA512 | df062f6d75d3b81352e1781e1c5427cc0550a1389f1266364b7e9806e285aff07e0f11d92317611c4ca41171591a5e5b5a466933a71b31f7743a7b67d259605b |
C:\Windows\System\NKZXlJY.exe
| MD5 | b7f0058f03e064fe335f79392745bb5e |
| SHA1 | 25932f0b5aa8923dd740ca9b412e0792aea764b1 |
| SHA256 | 7fbcc7bd81646057c5161e3eeda144789ffecd63dd1376b3f9f9febd8f988544 |
| SHA512 | 0e4a5a63cdb054da1269ab735ede9772f9ed31a6b34c540092bb33d88f9668ec5992611d713194865a8abbe02c1b6c6a702166a5065a0eb1a778c5bf64402de0 |
C:\Windows\System\tpWVMLN.exe
| MD5 | bf2f75694069b272d732f4a74305d25c |
| SHA1 | f38ac77427402fb5c75f7d1ff43143372274913e |
| SHA256 | 420bc54ae1e7ebd54c63c2b6b05053afbd8ce421d9f2d55dceda67ba9baad30b |
| SHA512 | f4ab45ace9552a8aec1f3dd994d91bb38780932eca8f3f6e0a7c4d156b17b83f5a44f972eafb443bacd7e4220eb978cf568845aec0fc8d429248547462511401 |
C:\Windows\System\jBXxQHq.exe
| MD5 | 00047da54b68ffa0a5c5b818f8540478 |
| SHA1 | 970515bede0b17e043a0b25ed148444cf41b34d0 |
| SHA256 | 0e080e0308b2c9aee0a3ff3be01056dc629c2d19f69c2b7cb2bfcab08df2c926 |
| SHA512 | 2db34332f5bfd4940f3a4906708386d6f6c890bbf005c08e71418a440e471e7ae69ec78ac97b1fbe5cdc75106b6432dc148155f4e01930453b34e47cc95e2f5e |
memory/2368-114-0x00007FF7FEB50000-0x00007FF7FEEA4000-memory.dmp
C:\Windows\System\oadMxYg.exe
| MD5 | c682def2ddc3a4fb38bccb214953daf4 |
| SHA1 | aa1f1ba2903ea699dbf36e59bc5b6e082ff896ad |
| SHA256 | cddfd6f6498d73717f60bd5ae7b2ea720a3a442b42addfa440c2101ba271a24e |
| SHA512 | d0f462fc56b1810ad27f2572c560ba1e6c005a91ff06753d94a9c7b748d24f343e246fcacbf767922aa03c7f1221f95fa469a1a2cf50ce2efc568f8c6c1f9a96 |
C:\Windows\System\tXQzEmr.exe
| MD5 | 37d603ef41aa5cede9df8b010d438128 |
| SHA1 | cb042fa98e91810af059f628b2200416ca75280e |
| SHA256 | 0cd9a4e2f4f3355d6b95d074c235746e7540cb66e53823fff6d31fef067f6faf |
| SHA512 | bbd781ad3b5bb2ea67e7123f86e942e10b15b066a93eddf007459fa8990866ad4a02dc54789c71f42ff65aedaa6e42dc4dbd1b3aed9d12fd95b8017363a846a3 |
memory/2760-118-0x00007FF633630000-0x00007FF633984000-memory.dmp
memory/3652-117-0x00007FF605270000-0x00007FF6055C4000-memory.dmp
C:\Windows\System\cuYXIxT.exe
| MD5 | 29219fc0b641d64a56e907d665156e95 |
| SHA1 | 8297cbfd77edecaeb59bc856bf3fb29045d7c33f |
| SHA256 | be4ff9f49fc2518807daeba2ec3c5b7c88f74b260c5cb69d6387806e314478a3 |
| SHA512 | a7963f7224df8f78ed6125103492f03cdb6adbe34d6badd2e807e7a7e85f3491e948ec08d2aea517fdf3c15652faa440f46814f000db0109ed542691ee608f6e |
memory/3768-112-0x00007FF7FF460000-0x00007FF7FF7B4000-memory.dmp
C:\Windows\System\NzvczZC.exe
| MD5 | 20f5912ed3a91eef11f888dcffbd9618 |
| SHA1 | 1cd7f38b5aad608c2573ec78d8d51ebc84d7d788 |
| SHA256 | a16c3a363a24410bac877e93fc1e20e5a39526e6d1945a377005fa3c27c8ae7b |
| SHA512 | 42003b35488e5846a43e2c4550ad50a11e00b1b169a0d175aaef09e3becd1d03093c98a3052ab04f6c865238bc8f7b966c5d19462aa7650b1b9baaaa20aabb0a |
memory/4916-104-0x00007FF6402A0000-0x00007FF6405F4000-memory.dmp
memory/5072-99-0x00007FF72C990000-0x00007FF72CCE4000-memory.dmp
memory/4600-98-0x00007FF6FD070000-0x00007FF6FD3C4000-memory.dmp
memory/2696-89-0x00007FF732510000-0x00007FF732864000-memory.dmp
memory/1780-92-0x00007FF688AA0000-0x00007FF688DF4000-memory.dmp
memory/4720-81-0x00007FF671B70000-0x00007FF671EC4000-memory.dmp
memory/1692-77-0x00007FF633470000-0x00007FF6337C4000-memory.dmp
memory/1416-76-0x00007FF7E5BA0000-0x00007FF7E5EF4000-memory.dmp
memory/1700-73-0x00007FF76D350000-0x00007FF76D6A4000-memory.dmp
memory/752-72-0x00007FF630770000-0x00007FF630AC4000-memory.dmp
memory/1304-68-0x00007FF750B50000-0x00007FF750EA4000-memory.dmp
C:\Windows\System\CjbkFIw.exe
| MD5 | fcb44c8b87af60b3b94d59a745a3c5d5 |
| SHA1 | 37df482c58d32f0aaa97efec9e2095c4f95ace31 |
| SHA256 | 49d62a2cd8313563607570594962e010c19e6110c6bcee0dfa0621f831e0cbd2 |
| SHA512 | d5c9a8a25d6c1a0407870852b2b3dee54a25ed96f9d9232e848fd5b76b689a60eb6b6cc318a580daf831d25d6d23c75fb2f6ed764295d936f1fb6c63f5ea422f |
C:\Windows\System\SOQADvj.exe
| MD5 | 65928dbd6624d64ad7a865da133e0738 |
| SHA1 | a61130c6c1885d7d78ef829a2829d931bd231289 |
| SHA256 | cdde3b65a02775486e070232bc9e7ed804c01a1b738fb4be83caf5567db79cdf |
| SHA512 | ac9c3998c738b5576ae154bd288e22c09ea44d93dda34dcfac75ac1760db541bc8c10d174af964e1f7d1b1556fac27987493976fb2888907387fec3a6f4a18ce |
memory/2056-132-0x00007FF7B26F0000-0x00007FF7B2A44000-memory.dmp
memory/460-133-0x00007FF6B7AE0000-0x00007FF6B7E34000-memory.dmp
memory/2908-134-0x00007FF7D0E70000-0x00007FF7D11C4000-memory.dmp
memory/1416-135-0x00007FF7E5BA0000-0x00007FF7E5EF4000-memory.dmp
memory/4720-136-0x00007FF671B70000-0x00007FF671EC4000-memory.dmp
memory/5072-137-0x00007FF72C990000-0x00007FF72CCE4000-memory.dmp
memory/3768-138-0x00007FF7FF460000-0x00007FF7FF7B4000-memory.dmp
memory/4916-139-0x00007FF6402A0000-0x00007FF6405F4000-memory.dmp
memory/3652-140-0x00007FF605270000-0x00007FF6055C4000-memory.dmp
memory/2760-141-0x00007FF633630000-0x00007FF633984000-memory.dmp
memory/2056-142-0x00007FF7B26F0000-0x00007FF7B2A44000-memory.dmp
memory/1700-143-0x00007FF76D350000-0x00007FF76D6A4000-memory.dmp
memory/1692-144-0x00007FF633470000-0x00007FF6337C4000-memory.dmp
memory/2696-145-0x00007FF732510000-0x00007FF732864000-memory.dmp
memory/4600-146-0x00007FF6FD070000-0x00007FF6FD3C4000-memory.dmp
memory/1356-147-0x00007FF6BE090000-0x00007FF6BE3E4000-memory.dmp
memory/2368-148-0x00007FF7FEB50000-0x00007FF7FEEA4000-memory.dmp
memory/1036-149-0x00007FF7DD630000-0x00007FF7DD984000-memory.dmp
memory/1684-150-0x00007FF767FB0000-0x00007FF768304000-memory.dmp
memory/1952-151-0x00007FF7981D0000-0x00007FF798524000-memory.dmp
memory/460-152-0x00007FF6B7AE0000-0x00007FF6B7E34000-memory.dmp
memory/752-153-0x00007FF630770000-0x00007FF630AC4000-memory.dmp
memory/1416-154-0x00007FF7E5BA0000-0x00007FF7E5EF4000-memory.dmp
memory/1780-156-0x00007FF688AA0000-0x00007FF688DF4000-memory.dmp
memory/4720-155-0x00007FF671B70000-0x00007FF671EC4000-memory.dmp
memory/5072-157-0x00007FF72C990000-0x00007FF72CCE4000-memory.dmp
memory/3768-158-0x00007FF7FF460000-0x00007FF7FF7B4000-memory.dmp
memory/4916-159-0x00007FF6402A0000-0x00007FF6405F4000-memory.dmp
memory/3652-160-0x00007FF605270000-0x00007FF6055C4000-memory.dmp
memory/2760-161-0x00007FF633630000-0x00007FF633984000-memory.dmp
memory/2056-162-0x00007FF7B26F0000-0x00007FF7B2A44000-memory.dmp
memory/2908-163-0x00007FF7D0E70000-0x00007FF7D11C4000-memory.dmp