Analysis Overview
SHA256
2e17763c68edcfd13a5730fcee41ba586a5671dd08bede468d189062629beee4
Threat Level: Known bad
The file 2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Xmrig family
XMRig Miner payload
Cobaltstrike family
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 11:48
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 11:45
Reported
2024-06-06 11:50
Platform
win7-20240215-en
Max time kernel
134s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\XaVTnqL.exe | N/A |
| N/A | N/A | C:\Windows\System\qpWbFgt.exe | N/A |
| N/A | N/A | C:\Windows\System\oKmInuB.exe | N/A |
| N/A | N/A | C:\Windows\System\BjamvPJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jEQPmOV.exe | N/A |
| N/A | N/A | C:\Windows\System\bIlPaot.exe | N/A |
| N/A | N/A | C:\Windows\System\WljpwRU.exe | N/A |
| N/A | N/A | C:\Windows\System\iGsEjLJ.exe | N/A |
| N/A | N/A | C:\Windows\System\SfTXoam.exe | N/A |
| N/A | N/A | C:\Windows\System\qZQjxBh.exe | N/A |
| N/A | N/A | C:\Windows\System\wolnpFn.exe | N/A |
| N/A | N/A | C:\Windows\System\AAQyVag.exe | N/A |
| N/A | N/A | C:\Windows\System\wJZikzw.exe | N/A |
| N/A | N/A | C:\Windows\System\llFiCqe.exe | N/A |
| N/A | N/A | C:\Windows\System\HRmxnZu.exe | N/A |
| N/A | N/A | C:\Windows\System\llcFyAZ.exe | N/A |
| N/A | N/A | C:\Windows\System\joxWise.exe | N/A |
| N/A | N/A | C:\Windows\System\sVtUyVk.exe | N/A |
| N/A | N/A | C:\Windows\System\KCShJrA.exe | N/A |
| N/A | N/A | C:\Windows\System\jbScfee.exe | N/A |
| N/A | N/A | C:\Windows\System\fxGCKvq.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\XaVTnqL.exe | C:\Windows\System\XaVTnqL.exe |
| C:\Windows\System\qpWbFgt.exe | C:\Windows\System\qpWbFgt.exe |
| C:\Windows\System\BjamvPJ.exe | C:\Windows\System\BjamvPJ.exe |
| C:\Windows\System\oKmInuB.exe | C:\Windows\System\oKmInuB.exe |
| C:\Windows\System\bIlPaot.exe | C:\Windows\System\bIlPaot.exe |
| C:\Windows\System\jEQPmOV.exe | C:\Windows\System\jEQPmOV.exe |
| C:\Windows\System\WljpwRU.exe | C:\Windows\System\WljpwRU.exe |
| C:\Windows\System\SfTXoam.exe | C:\Windows\System\SfTXoam.exe |
| C:\Windows\System\iGsEjLJ.exe | C:\Windows\System\iGsEjLJ.exe |
| C:\Windows\System\qZQjxBh.exe | C:\Windows\System\qZQjxBh.exe |
| C:\Windows\System\wolnpFn.exe | C:\Windows\System\wolnpFn.exe |
| C:\Windows\System\AAQyVag.exe | C:\Windows\System\AAQyVag.exe |
| C:\Windows\System\HRmxnZu.exe | C:\Windows\System\HRmxnZu.exe |
| C:\Windows\System\wJZikzw.exe | C:\Windows\System\wJZikzw.exe |
| C:\Windows\System\llcFyAZ.exe | C:\Windows\System\llcFyAZ.exe |
| C:\Windows\System\llFiCqe.exe | C:\Windows\System\llFiCqe.exe |
| C:\Windows\System\joxWise.exe | C:\Windows\System\joxWise.exe |
| C:\Windows\System\sVtUyVk.exe | C:\Windows\System\sVtUyVk.exe |
| C:\Windows\System\KCShJrA.exe | C:\Windows\System\KCShJrA.exe |
| C:\Windows\System\jbScfee.exe | C:\Windows\System\jbScfee.exe |
| C:\Windows\System\fxGCKvq.exe | C:\Windows\System\fxGCKvq.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 11:45
Reported
2024-06-06 11:50
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dnRlZrw.exe | N/A |
| N/A | N/A | C:\Windows\System\XHJaKzf.exe | N/A |
| N/A | N/A | C:\Windows\System\TLkwVsQ.exe | N/A |
| N/A | N/A | C:\Windows\System\wStldGg.exe | N/A |
| N/A | N/A | C:\Windows\System\HSfFRvj.exe | N/A |
| N/A | N/A | C:\Windows\System\wfZrOet.exe | N/A |
| N/A | N/A | C:\Windows\System\izeCgpe.exe | N/A |
| N/A | N/A | C:\Windows\System\DByXinl.exe | N/A |
| N/A | N/A | C:\Windows\System\ebjqwDF.exe | N/A |
| N/A | N/A | C:\Windows\System\WazBPJn.exe | N/A |
| N/A | N/A | C:\Windows\System\oLxkPnd.exe | N/A |
| N/A | N/A | C:\Windows\System\sAzXpix.exe | N/A |
| N/A | N/A | C:\Windows\System\UaaUjka.exe | N/A |
| N/A | N/A | C:\Windows\System\BcsswCh.exe | N/A |
| N/A | N/A | C:\Windows\System\ipqAwdl.exe | N/A |
| N/A | N/A | C:\Windows\System\DoarYJb.exe | N/A |
| N/A | N/A | C:\Windows\System\RpQphqo.exe | N/A |
| N/A | N/A | C:\Windows\System\uVuUOTE.exe | N/A |
| N/A | N/A | C:\Windows\System\oJTGydi.exe | N/A |
| N/A | N/A | C:\Windows\System\NwqkYXg.exe | N/A |
| N/A | N/A | C:\Windows\System\CkWoRJg.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\dnRlZrw.exe | C:\Windows\System\dnRlZrw.exe |
| C:\Windows\System\XHJaKzf.exe | C:\Windows\System\XHJaKzf.exe |
| C:\Windows\System\TLkwVsQ.exe | C:\Windows\System\TLkwVsQ.exe |
| C:\Windows\System\wStldGg.exe | C:\Windows\System\wStldGg.exe |
| C:\Windows\System\HSfFRvj.exe | C:\Windows\System\HSfFRvj.exe |
| C:\Windows\System\wfZrOet.exe | C:\Windows\System\wfZrOet.exe |
| C:\Windows\System\izeCgpe.exe | C:\Windows\System\izeCgpe.exe |
| C:\Windows\System\DByXinl.exe | C:\Windows\System\DByXinl.exe |
| C:\Windows\System\ebjqwDF.exe | C:\Windows\System\ebjqwDF.exe |
| C:\Windows\System\WazBPJn.exe | C:\Windows\System\WazBPJn.exe |
| C:\Windows\System\oLxkPnd.exe | C:\Windows\System\oLxkPnd.exe |
| C:\Windows\System\sAzXpix.exe | C:\Windows\System\sAzXpix.exe |
| C:\Windows\System\UaaUjka.exe | C:\Windows\System\UaaUjka.exe |
| C:\Windows\System\BcsswCh.exe | C:\Windows\System\BcsswCh.exe |
| C:\Windows\System\ipqAwdl.exe | C:\Windows\System\ipqAwdl.exe |
| C:\Windows\System\DoarYJb.exe | C:\Windows\System\DoarYJb.exe |
| C:\Windows\System\RpQphqo.exe | C:\Windows\System\RpQphqo.exe |
| C:\Windows\System\uVuUOTE.exe | C:\Windows\System\uVuUOTE.exe |
| C:\Windows\System\oJTGydi.exe | C:\Windows\System\oJTGydi.exe |
| C:\Windows\System\NwqkYXg.exe | C:\Windows\System\NwqkYXg.exe |
| C:\Windows\System\CkWoRJg.exe | C:\Windows\System\CkWoRJg.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
Files
C:\Windows\System\oLxkPnd.exe
| MD5 | c1e64a671624c5dca27eb22a97449a5e |
| SHA1 | 2e55a3bfd80902791115abe810d5b9849f1ce1e1 |
| SHA256 | a0310c0ab56f5c0072075d57518c347b99f9a1ed2df56eeab853be300a95a727 |
| SHA512 | 972bb5bc2a9227711563788cd082df44772b9dc371fab45210c4b728b4bc219408904d19b7f5d5011b21e463f572bcb8d24fa98e9304aa32bc72f6b526e08151 |
memory/4860-68-0x00007FF7FF0D0000-0x00007FF7FF424000-memory.dmp
C:\Windows\System\sAzXpix.exe
| MD5 | 44f97595568890dea8bd6dced1430fd0 |
| SHA1 | 4b3ccd0a16d253506041b510635c788991d5573c |
| SHA256 | be141ca2cbdbb81b8fc69efff6694fd0bdcede7801c44651a6c7f48f5f35da65 |
| SHA512 | 27357d80836bcf7f2e5d50ba780180ea0b5bbacb96c78130aeb98fe81f83018cae52a20d268858415c1db8670dd734afaee58dd57b45fbdc429eefea63689475 |
memory/2008-74-0x00007FF6DC490000-0x00007FF6DC7E4000-memory.dmp
C:\Windows\System\UaaUjka.exe
| MD5 | 3d4646ab6e0b6587657a1c6026cec4cd |
| SHA1 | a953342ecb1da36ff62c6ffeca6901e98d7569f9 |
| SHA256 | c4a186a22ffe7fae6a3301c829cfb9b851139e7f085b64d038ab38f37273d94e |
| SHA512 | c916bee90d881fe5a84db03656cb9ce9776e0da1814addd1c7f392d8dcf7d45993d3e01628582d9e3a0a5ea6dc27412885019db0ebae582243932c6ec2920e31 |
memory/2524-81-0x00007FF73B2C0000-0x00007FF73B614000-memory.dmp
C:\Windows\System\BcsswCh.exe
| MD5 | 8d115d9874da5a7f797182e772611178 |
| SHA1 | e51498cd39b104806fe3fd0117b77fd6562cbaf7 |
| SHA256 | 71e62ad1381dfc8261cddbbbe9622c1229008e6f7ac326751d193a1dbcb0552b |
| SHA512 | 1ba12f8474debac5b71c36f485147819bfce6bd8ac5da6236e07ef2efac03173c3a61f2ff64910fc4d9d315e9217929089bd9c992ce93effe508f060e8c0b47f |
memory/1428-86-0x00007FF7FDCC0000-0x00007FF7FE014000-memory.dmp
memory/3952-85-0x00007FF655390000-0x00007FF6556E4000-memory.dmp
C:\Windows\System\ipqAwdl.exe
| MD5 | 911c678ccf54ed131df2754c013e2acd |
| SHA1 | 21be003a4afe500d90a9ed7e636e11ad1097a3c4 |
| SHA256 | 3fff34e48ae6e543a51222bfd57abbe9adf78badd82e0566ae3c9b499c3c45be |
| SHA512 | 856be66b191d2d10f2f7a1cb561af884f69f30f76286616ca60688c963861faf2f6e793fa96ee0c7021c65e005025c4f937bb9f32369cdcbde503cfdf768d393 |
memory/1376-103-0x00007FF768780000-0x00007FF768AD4000-memory.dmp
C:\Windows\System\uVuUOTE.exe
| MD5 | c5c2140f0091288973f1cdf1a11f2ede |
| SHA1 | 72ac1ff688b6131c416a5238d0375c1ceaa4c961 |
| SHA256 | c984532ea4a94b3f4a6162b13c2eda322281ce167ec0aebabce0f9e1a85e40c6 |
| SHA512 | 0a175980f7dc51a27b219bd32e2d3ac065cc78315e60a765d6695d6fe0eaadb178aa8f26414b86ef558f9fa28c0e3426c8d6a5cf03eba91be8886adb5b211994 |
C:\Windows\System\oJTGydi.exe
| MD5 | 9d6406c2e6c74b926caa151156eb25b7 |
| SHA1 | 74177e4438b1151d86fe1d236491aa5d2b9f70d3 |
| SHA256 | 3d323ba6cc40770b392542e1cfcd1dd650a214b8bc6abf2e1ceb6a284e386d12 |
| SHA512 | 3db14372b9193b8fe04365e68d8ab783191ab43182f1a20498480edceba7e3e488d0198dd8f4516944958b8d7920609f3f7f58a0694d3911ff2b367f7346d4f1 |
memory/3716-115-0x00007FF6D8FC0000-0x00007FF6D9314000-memory.dmp
memory/2044-123-0x00007FF71C370000-0x00007FF71C6C4000-memory.dmp
C:\Windows\System\NwqkYXg.exe
| MD5 | ec0a5f8b4cff0ec3e7f127026220b508 |
| SHA1 | 0d3f24b57c7f7931128f216116ae007b4bcc62e3 |
| SHA256 | 6824f3dc17183a0c47bf27c07abc473d2a123a8569a5622e8deb84c2f8cd8db8 |
| SHA512 | 6b5a9b046282ca55e467cd696098bb42f6f8f9a15906221c04eae55be71a375d11616e73fea06118e720eb67a2fb0c4770f559a8d3d4c0f07bba022920ed7810 |
memory/2744-127-0x00007FF788900000-0x00007FF788C54000-memory.dmp
memory/4860-126-0x00007FF7FF0D0000-0x00007FF7FF424000-memory.dmp
C:\Windows\System\CkWoRJg.exe
| MD5 | 302d3a64ad9f18c11ea02140e08820f0 |
| SHA1 | ead5011be35711ed177b1aa6b7b9e3868fc3cae5 |
| SHA256 | 5e99dfd407afa02c8d2a45d18119edd2d43f8a0b29f3d435c2fd7495b370f96c |
| SHA512 | 49587875b93bb627f97c179b3fbab14a34bb7e73a0540aa8a026953354c2198563f160eb5ff49ddef345bcbdb1c6b8358c3b7cbe04fb35a794446c0978bc4fc1 |
memory/3116-134-0x00007FF6E43D0000-0x00007FF6E4724000-memory.dmp
memory/1164-125-0x00007FF659930000-0x00007FF659C84000-memory.dmp
memory/852-114-0x00007FF6C4C10000-0x00007FF6C4F64000-memory.dmp
memory/1896-109-0x00007FF690B70000-0x00007FF690EC4000-memory.dmp
memory/4608-107-0x00007FF6552A0000-0x00007FF6555F4000-memory.dmp
memory/4712-104-0x00007FF624030000-0x00007FF624384000-memory.dmp
C:\Windows\System\RpQphqo.exe
| MD5 | ad76e574c7bcf0a6146ee357dd9dd9ed |
| SHA1 | 4c7155a30db552e5984762dbb1fddd4b2469cd04 |
| SHA256 | 3ca1c61196557dc2c9ebe63ae54a510591337a442b3759777061b47a215ded89 |
| SHA512 | 925307a2ca610589fa8a1ed1fa445d0b7d1068f815258aca4342e6db90da04a92c258aabd755fb8ffd99dc918f86531ecece196524f38a6e864fd8b7fdf29694 |
C:\Windows\System\DoarYJb.exe
| MD5 | f67a3e507f56889720e7e527a38b2a8f |
| SHA1 | b4cf23ecdd4d19ecd1a3911b4dd09c13563e04dd |
| SHA256 | 96fcec4feba9e496c31630bd7ce0350a76949f244593a88bf9de7882180397c8 |
| SHA512 | 6cdf8e5994c3c25c18c6c4c14677f1bafbc8fe5f9441072505ff228549f72af8aa17adbc221a357524bab99979d3376f683acb44306abfd6f694ce49e04aef0d |
memory/3480-96-0x00007FF6F8DB0000-0x00007FF6F9104000-memory.dmp
memory/4756-62-0x00007FF7797E0000-0x00007FF779B34000-memory.dmp
C:\Windows\System\WazBPJn.exe
| MD5 | b483cdbd5b900e97c145f2f5e0f43af4 |
| SHA1 | 528c7dc9ac5f60c01173e41bd1c5a010f105f3cb |
| SHA256 | 955be391728df7b3ff8d612343d6e0e6bf4098ef972ee3584f6474429f915cf1 |
| SHA512 | 56fc53e95cfcb6a9172cc274ba58376a68f32c542412405590238f9b2d22b058be805d97bd4aac67884048c8d435fb5e019ea7ef3b7251596b5574f430a1d754 |
memory/852-48-0x00007FF6C4C10000-0x00007FF6C4F64000-memory.dmp
C:\Windows\System\ebjqwDF.exe
| MD5 | 829ed9d4a5dab5576799ce734bdd3ea3 |
| SHA1 | 8ac6cf22fbcd928df66adf24115cfcb28c1227d3 |
| SHA256 | 86a86e68a349916e73ad1f5d197d65f7af4938dfe692bd61659192fd32924b3c |
| SHA512 | e453875e4749f717725907cb4fc7e3c389fc32abaa1b9a360ef827c0d66e054b3c796b8b9344d7e4b20be3af0f7de1a96acdd6d0e02aab9e9bbe358e63ce65fe |
C:\Windows\System\izeCgpe.exe
| MD5 | ce0af25f5348d057170cacbd12b1ed7c |
| SHA1 | 9c1b28e6c193b912c377c43d104f20604b314ba8 |
| SHA256 | 7049e53902bd90d0a2a687c343b0de76464c3a4216ca69187289bf61cbcf5296 |
| SHA512 | 742574d5dfa571cebec0e2b6f12a6260f585fae010eff00f25492b58d5b66220c89db6feb00460ad45fe57f8fba9c7c2664111afb045c24856d53718bb829503 |
memory/1896-42-0x00007FF690B70000-0x00007FF690EC4000-memory.dmp
C:\Windows\System\wfZrOet.exe
| MD5 | 3e04e5acfed836aa39da1d0968662074 |
| SHA1 | 74dc1ef472adea18995b3ca9ad1dddac95a8ea0a |
| SHA256 | 82971320545cefe8e724688ae5d337f23be728fda5d9efc31bc91002334f1943 |
| SHA512 | 186e67775ea16b1181eaa2b230caf031a338b77ee5372186a01ab6568444599388144444c2653e970c8004fefc9bd3c785565772601c23a496bcbe471567b497 |
C:\Windows\System\XHJaKzf.exe
| MD5 | 3b03f7be7b6887faa7706fe8018cabd9 |
| SHA1 | 343af3d37b52fa9a23b421b61b5ce0402fca1285 |
| SHA256 | f118b81fe3ad66de13141e673b235e42a9763c2f88897d7531b8a25755be3c2c |
| SHA512 | a65de9a26736155bda84e084cf78ff406bdb7cd1489871861039560451217c9c9293032d68726d15abdb4ef60200ecf1d8c07b7dfa22314fd679c54dd73dc61a |
C:\Windows\System\dnRlZrw.exe
| MD5 | ca47567a66febfa076b0394bb09dcb9f |
| SHA1 | 1662ac81609b31f4f52eb26add720764b6a6604d |
| SHA256 | 9d6db74539c98cb3c2c226be9c49141a5507e87fd738ab75676a90b93ce8ac6d |
| SHA512 | c8f5f34568fe28314c176834fd075ca23dccb1be45121036087d80c667d30510fcf5515cb88298f777988ae20f4efa2a49ec9d05bbcc0b9f5633df6d4bbee811 |
memory/2008-135-0x00007FF6DC490000-0x00007FF6DC7E4000-memory.dmp
memory/1428-136-0x00007FF7FDCC0000-0x00007FF7FE014000-memory.dmp
memory/4608-137-0x00007FF6552A0000-0x00007FF6555F4000-memory.dmp
memory/3716-138-0x00007FF6D8FC0000-0x00007FF6D9314000-memory.dmp
memory/2744-139-0x00007FF788900000-0x00007FF788C54000-memory.dmp
memory/4460-140-0x00007FF73C220000-0x00007FF73C574000-memory.dmp
memory/2248-141-0x00007FF6E88D0000-0x00007FF6E8C24000-memory.dmp
memory/1004-142-0x00007FF722170000-0x00007FF7224C4000-memory.dmp
memory/3952-143-0x00007FF655390000-0x00007FF6556E4000-memory.dmp
memory/5016-144-0x00007FF7C90B0000-0x00007FF7C9404000-memory.dmp
memory/1376-145-0x00007FF768780000-0x00007FF768AD4000-memory.dmp
memory/852-147-0x00007FF6C4C10000-0x00007FF6C4F64000-memory.dmp
memory/2044-148-0x00007FF71C370000-0x00007FF71C6C4000-memory.dmp
memory/3772-149-0x00007FF73DF60000-0x00007FF73E2B4000-memory.dmp
memory/4860-150-0x00007FF7FF0D0000-0x00007FF7FF424000-memory.dmp
memory/1896-146-0x00007FF690B70000-0x00007FF690EC4000-memory.dmp
memory/2008-151-0x00007FF6DC490000-0x00007FF6DC7E4000-memory.dmp
memory/2524-152-0x00007FF73B2C0000-0x00007FF73B614000-memory.dmp
memory/1428-153-0x00007FF7FDCC0000-0x00007FF7FE014000-memory.dmp
memory/3480-154-0x00007FF6F8DB0000-0x00007FF6F9104000-memory.dmp
memory/4712-155-0x00007FF624030000-0x00007FF624384000-memory.dmp
memory/4608-156-0x00007FF6552A0000-0x00007FF6555F4000-memory.dmp
memory/3716-157-0x00007FF6D8FC0000-0x00007FF6D9314000-memory.dmp
memory/1164-158-0x00007FF659930000-0x00007FF659C84000-memory.dmp
memory/2744-159-0x00007FF788900000-0x00007FF788C54000-memory.dmp
memory/3116-160-0x00007FF6E43D0000-0x00007FF6E4724000-memory.dmp