Analysis Overview
SHA256
3e368ff3e96eb93578430d1c8fcb6320c3fa8088577b494827648de625c78a15
Threat Level: Known bad
The file 2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
xmrig
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike
XMRig Miner payload
Xmrig family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 14:30
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 14:30
Reported
2024-06-06 14:33
Platform
win7-20240221-en
Max time kernel
138s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\BHCjaVH.exe | N/A |
| N/A | N/A | C:\Windows\System\tjfpqAs.exe | N/A |
| N/A | N/A | C:\Windows\System\mgbccqq.exe | N/A |
| N/A | N/A | C:\Windows\System\Rstiyqx.exe | N/A |
| N/A | N/A | C:\Windows\System\tyjRIwu.exe | N/A |
| N/A | N/A | C:\Windows\System\EYjFFXB.exe | N/A |
| N/A | N/A | C:\Windows\System\mpxHDYa.exe | N/A |
| N/A | N/A | C:\Windows\System\FWJESZa.exe | N/A |
| N/A | N/A | C:\Windows\System\vOTkTgZ.exe | N/A |
| N/A | N/A | C:\Windows\System\IkCflYo.exe | N/A |
| N/A | N/A | C:\Windows\System\ItbkGfr.exe | N/A |
| N/A | N/A | C:\Windows\System\tQBXCAE.exe | N/A |
| N/A | N/A | C:\Windows\System\BBFRDHC.exe | N/A |
| N/A | N/A | C:\Windows\System\bLPatrj.exe | N/A |
| N/A | N/A | C:\Windows\System\KQgiXDT.exe | N/A |
| N/A | N/A | C:\Windows\System\SmxUJTR.exe | N/A |
| N/A | N/A | C:\Windows\System\cuyUwJq.exe | N/A |
| N/A | N/A | C:\Windows\System\alDTIJD.exe | N/A |
| N/A | N/A | C:\Windows\System\GRgXyxC.exe | N/A |
| N/A | N/A | C:\Windows\System\cgVcpwe.exe | N/A |
| N/A | N/A | C:\Windows\System\AxsZdZI.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\BHCjaVH.exe | C:\Windows\System\BHCjaVH.exe |
| C:\Windows\System\tjfpqAs.exe | C:\Windows\System\tjfpqAs.exe |
| C:\Windows\System\mgbccqq.exe | C:\Windows\System\mgbccqq.exe |
| C:\Windows\System\Rstiyqx.exe | C:\Windows\System\Rstiyqx.exe |
| C:\Windows\System\tyjRIwu.exe | C:\Windows\System\tyjRIwu.exe |
| C:\Windows\System\EYjFFXB.exe | C:\Windows\System\EYjFFXB.exe |
| C:\Windows\System\mpxHDYa.exe | C:\Windows\System\mpxHDYa.exe |
| C:\Windows\System\FWJESZa.exe | C:\Windows\System\FWJESZa.exe |
| C:\Windows\System\vOTkTgZ.exe | C:\Windows\System\vOTkTgZ.exe |
| C:\Windows\System\BBFRDHC.exe | C:\Windows\System\BBFRDHC.exe |
| C:\Windows\System\IkCflYo.exe | C:\Windows\System\IkCflYo.exe |
| C:\Windows\System\cuyUwJq.exe | C:\Windows\System\cuyUwJq.exe |
| C:\Windows\System\ItbkGfr.exe | C:\Windows\System\ItbkGfr.exe |
| C:\Windows\System\alDTIJD.exe | C:\Windows\System\alDTIJD.exe |
| C:\Windows\System\tQBXCAE.exe | C:\Windows\System\tQBXCAE.exe |
| C:\Windows\System\GRgXyxC.exe | C:\Windows\System\GRgXyxC.exe |
| C:\Windows\System\bLPatrj.exe | C:\Windows\System\bLPatrj.exe |
| C:\Windows\System\cgVcpwe.exe | C:\Windows\System\cgVcpwe.exe |
| C:\Windows\System\KQgiXDT.exe | C:\Windows\System\KQgiXDT.exe |
| C:\Windows\System\AxsZdZI.exe | C:\Windows\System\AxsZdZI.exe |
| C:\Windows\System\SmxUJTR.exe | C:\Windows\System\SmxUJTR.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 14:30
Reported
2024-06-06 14:33
Platform
win10v2004-20240426-en
Max time kernel
137s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\rKltete.exe | N/A |
| N/A | N/A | C:\Windows\System\sayhkHR.exe | N/A |
| N/A | N/A | C:\Windows\System\tFqnlDZ.exe | N/A |
| N/A | N/A | C:\Windows\System\jkIunKh.exe | N/A |
| N/A | N/A | C:\Windows\System\pNAoEIC.exe | N/A |
| N/A | N/A | C:\Windows\System\xnvpPiR.exe | N/A |
| N/A | N/A | C:\Windows\System\IqFKbLG.exe | N/A |
| N/A | N/A | C:\Windows\System\CttRTDF.exe | N/A |
| N/A | N/A | C:\Windows\System\pRkqSWT.exe | N/A |
| N/A | N/A | C:\Windows\System\JSNjkuT.exe | N/A |
| N/A | N/A | C:\Windows\System\ltKRQvE.exe | N/A |
| N/A | N/A | C:\Windows\System\ccLFwSj.exe | N/A |
| N/A | N/A | C:\Windows\System\pUWtyOZ.exe | N/A |
| N/A | N/A | C:\Windows\System\BNneqTE.exe | N/A |
| N/A | N/A | C:\Windows\System\xoDnIQR.exe | N/A |
| N/A | N/A | C:\Windows\System\fhXLUDC.exe | N/A |
| N/A | N/A | C:\Windows\System\dBpJXft.exe | N/A |
| N/A | N/A | C:\Windows\System\droVJZE.exe | N/A |
| N/A | N/A | C:\Windows\System\ubnwrrM.exe | N/A |
| N/A | N/A | C:\Windows\System\PkvwvkB.exe | N/A |
| N/A | N/A | C:\Windows\System\kFhUtvL.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\rKltete.exe | C:\Windows\System\rKltete.exe |
| C:\Windows\System\sayhkHR.exe | C:\Windows\System\sayhkHR.exe |
| C:\Windows\System\tFqnlDZ.exe | C:\Windows\System\tFqnlDZ.exe |
| C:\Windows\System\jkIunKh.exe | C:\Windows\System\jkIunKh.exe |
| C:\Windows\System\pNAoEIC.exe | C:\Windows\System\pNAoEIC.exe |
| C:\Windows\System\xnvpPiR.exe | C:\Windows\System\xnvpPiR.exe |
| C:\Windows\System\IqFKbLG.exe | C:\Windows\System\IqFKbLG.exe |
| C:\Windows\System\CttRTDF.exe | C:\Windows\System\CttRTDF.exe |
| C:\Windows\System\pRkqSWT.exe | C:\Windows\System\pRkqSWT.exe |
| C:\Windows\System\JSNjkuT.exe | C:\Windows\System\JSNjkuT.exe |
| C:\Windows\System\ltKRQvE.exe | C:\Windows\System\ltKRQvE.exe |
| C:\Windows\System\ccLFwSj.exe | C:\Windows\System\ccLFwSj.exe |
| C:\Windows\System\pUWtyOZ.exe | C:\Windows\System\pUWtyOZ.exe |
| C:\Windows\System\BNneqTE.exe | C:\Windows\System\BNneqTE.exe |
| C:\Windows\System\xoDnIQR.exe | C:\Windows\System\xoDnIQR.exe |
| C:\Windows\System\fhXLUDC.exe | C:\Windows\System\fhXLUDC.exe |
| C:\Windows\System\dBpJXft.exe | C:\Windows\System\dBpJXft.exe |
| C:\Windows\System\droVJZE.exe | C:\Windows\System\droVJZE.exe |
| C:\Windows\System\ubnwrrM.exe | C:\Windows\System\ubnwrrM.exe |
| C:\Windows\System\PkvwvkB.exe | C:\Windows\System\PkvwvkB.exe |
| C:\Windows\System\kFhUtvL.exe | C:\Windows\System\kFhUtvL.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
| SHA256 | b3e4c0a32d3da3ba47a716add644ba635a7657844c516c84eaad84dcb227bef8 |
| SHA512 | 57522cf8dcbef4f566b05e9a107ed81c9e9e9adf0892b0b3b8830cd5bcde38a430d55328135e6c8b84e4bc10f9678e1ce79cdb70409356763a2a4bd14ad06eef |
memory/4180-38-0x00007FF7353F0000-0x00007FF735744000-memory.dmp
C:\Windows\System\IqFKbLG.exe
| MD5 | 9f61eba254e253e98b6afd345a484c35 |
| SHA1 | 0a41967502e8ed516f493cf098d00ee76e53dc52 |
| SHA256 | 715bda86f6e6b74a4d438e22056598049f2ed64dacad7ba91299b6922f35b9cf |
| SHA512 | d0d525d67454a67ad579a207fe916ca5e120dbe1597fa4c8b1edb1bb2b14d7dfa094a293bdc9e756ef5e742bab8bf64561646b87b7eae546f86ac9b4c8a39a87 |
memory/2724-32-0x00007FF7CC500000-0x00007FF7CC854000-memory.dmp
memory/4332-44-0x00007FF65BA00000-0x00007FF65BD54000-memory.dmp
C:\Windows\System\CttRTDF.exe
| MD5 | 35ce8c41e6f67f820cf31b3e5d9b0ea5 |
| SHA1 | 6ba2ccf6c13a17fe2b6dd5c3ca1750928b9f8fe7 |
| SHA256 | 4c640e04dd89974163e981a2230270daac17926ce36b90b5c17067629fb47ede |
| SHA512 | ff380e825a9de2905fed74a8f488f3f1b2364cb96608a1a98ab22c49c2b45e692fa45ffe1ffadbd173dbd45c55d67941ca9ad465091387d017a08ee13156e369 |
memory/1196-50-0x00007FF719F50000-0x00007FF71A2A4000-memory.dmp
C:\Windows\System\pRkqSWT.exe
| MD5 | cbf15f59ffdc85b89713820566300fbb |
| SHA1 | 66505a3aedd75e1414c958ed5029f43fbe667587 |
| SHA256 | b3356a73d1edf37f2ce9c267d3cc59a3c535c7ea4eb82e4d4e734c97d86a2054 |
| SHA512 | 3dab3e10e318551140c7ce920cd42dd881dc047e6b811163e0ed69191b1231cd783d5f22bdc0e2d147d00f92a1fb1a9983efa3d115a2d8c642cffd0a9de323ff |
C:\Windows\System\JSNjkuT.exe
| MD5 | ad78a8823b67f4bd7478956e58988f9f |
| SHA1 | 96d5623e1f5773a272ca8b49afd13c40507a5343 |
| SHA256 | d7b18b53cc6ea26886d525dbd0bd96913dd33d0b68417ea0687d82f9d54c8b72 |
| SHA512 | b3e41d07b4edb30ab6d8a0a3710a9afee78428571d703598bf5eace5c115ff40f40738c7d3934e69cbdb1d83e1d56e3db64dd544a7f740d6a17bf768eab88243 |
memory/4420-62-0x00007FF7FEB50000-0x00007FF7FEEA4000-memory.dmp
memory/4492-61-0x00007FF69BD20000-0x00007FF69C074000-memory.dmp
memory/1908-56-0x00007FF7FEF90000-0x00007FF7FF2E4000-memory.dmp
memory/1280-71-0x00007FF72FF90000-0x00007FF7302E4000-memory.dmp
C:\Windows\System\ccLFwSj.exe
| MD5 | 1b3ada09b5f140b0a0fe272a37385f94 |
| SHA1 | 9d3aee1034e82849984c0a5141298fb520e2ab8b |
| SHA256 | 65fbc44e1f1e11fb8a178be9800fafcbdf61ba9b5d1b12bd17de8b315634af37 |
| SHA512 | 6d9fc8337a2b291960426986ba86e9338db729406b79d656e5908a15b41f496e237be25d9a453c12de6bebbac7ce662b10bc407e4dade0a9929c5cce7f1be835 |
memory/4988-72-0x00007FF7D1F50000-0x00007FF7D22A4000-memory.dmp
C:\Windows\System\ltKRQvE.exe
| MD5 | 7b5731d1ad2853417e8af9179c8ea581 |
| SHA1 | f30521882ad86cffcacec8060a95c1477c3db873 |
| SHA256 | 750f96cc2c493315f734b992c67d7285d03e93f3009bada4e3205abd12bc4a97 |
| SHA512 | 33b909ba4185dc23959eaf02600c2446fef4d1994c62038ec62834c5f1337987faf67a7052a06bfd7cffb23bb23dfe141aa27165ddda7b9824e4457b32f9fabb |
memory/1620-79-0x00007FF7C91E0000-0x00007FF7C9534000-memory.dmp
C:\Windows\System\pUWtyOZ.exe
| MD5 | be770b048b6960c13d35b2dbce9b58f6 |
| SHA1 | df42b480d9bf8997a38ea4b5ef68048fcf909ebc |
| SHA256 | 96dc230508667d27567eda136d2af946aee579cc02fb3949f96ac1daee2fe2c5 |
| SHA512 | 068b06c16302b3df5795551d2c03acdf822fd5ee3488ce3fdd025c33172e0886c1709a801ca340f74066037b480a3495fa999049164d02116d494d15b01419f8 |
memory/1696-80-0x00007FF759D70000-0x00007FF75A0C4000-memory.dmp
C:\Windows\System\BNneqTE.exe
| MD5 | ce0fb0af943df76e93758da63348f49c |
| SHA1 | 4366bc205fd77e0a11a0de12d950ebd7be9eb228 |
| SHA256 | da57a99a2b2b84118cd1136ebc33232e7c4ccdf9e33e480f501f2bb530985097 |
| SHA512 | c3511d5d7d8097c68d21ae88659b9af1b2d16d086e16187b51d624547ee836bf5c6de0ea396d7183b3f1d03b84fa39870b49f1601eb0f7ffb6c3883957079c00 |
memory/1452-88-0x00007FF658560000-0x00007FF6588B4000-memory.dmp
C:\Windows\System\xoDnIQR.exe
| MD5 | 5d23cd642acd5aaf7b0a5fb71e06d297 |
| SHA1 | 7a8efb4beb97c6255f102a8e86cb07a342cd02c2 |
| SHA256 | 6a578df76ab7be6edc3b8b97782170dc7f817532a615cd788ab23c86240620a6 |
| SHA512 | 21c6b1a065b3200892a8ec6be0587c9869b43d61cec06b8bc2ee0910c24df931836dbc59ea779f3e01d8dddfb0062c275470bd43e29fe511d320fe859e9ae58a |
C:\Windows\System\fhXLUDC.exe
| MD5 | dcaec5743b7d702540a33425e0d4a4fb |
| SHA1 | dbee39835fe9c8f133aa268a842ed9df698090a1 |
| SHA256 | 5196784d13b7cc63ffb0a681b5134e6dcb33c493bc48fbb893ade21f6356cdab |
| SHA512 | f1fbb2151e4f0384749fc1a4aa5ed519775e156aa227c3b92741a1ef25c10f3c8509cbcc61e351929455bb985e70cce2ab112f1418f3a152a93022e28bfcf1c2 |
memory/4020-100-0x00007FF6E75D0000-0x00007FF6E7924000-memory.dmp
memory/4164-94-0x00007FF786B90000-0x00007FF786EE4000-memory.dmp
memory/1360-106-0x00007FF6ADD50000-0x00007FF6AE0A4000-memory.dmp
C:\Windows\System\dBpJXft.exe
| MD5 | fa6109772dee9c65913715e33041969b |
| SHA1 | d1cf9e38a55f1dcd94bcc9597230d73dd69573fd |
| SHA256 | 7fccaae6137acc43f1f5491e31cdad25fdb35465c88873cfaa1fcdac1ef40050 |
| SHA512 | db85d5351c0a933967909395c20f733a82bb7b79e0e54669ee6272788bd6ee34087a2a86a59996451e88eac373738020950229933f957a99fa2aa4ca897d3fe9 |
C:\Windows\System\droVJZE.exe
| MD5 | e946bf5b35025a526595a46e310f9798 |
| SHA1 | 8bd0d6910f6eef926eadcb0abf31b3137922d125 |
| SHA256 | a06e8e51da3888cda1084a0746bcb7565c38ec5da777e95f82150a844a6a1ef4 |
| SHA512 | c5ce05e28d06ab60cb0df50ebc7d64f4e19163660af7db91395d3ebee102c430ff8df301c915bce8a602512dfda16d3c020a3aecaf44ae9cb81adf87e921954d |
C:\Windows\System\ubnwrrM.exe
| MD5 | f35b6ef561ffdb6086146c2f25888869 |
| SHA1 | 4efe7c7d1efb0c159a1c86d8cec6329446a3cdf3 |
| SHA256 | cf1ade4e3c34f1ea05c93472785a0bbf8e98e1df96fcc05f1a954e34791cb676 |
| SHA512 | 18e37bc6905346e9da22ec3bf16a77397a520c07c1d582933480b39e9e7a721965f150b8a88f7cf1c1a0b000dab0ee0c047f2bb8998fb866b9730fdef3a38d6c |
C:\Windows\System\PkvwvkB.exe
| MD5 | 47e5116cb60499ce0bceba30a9d80b51 |
| SHA1 | 1e277d9e9335cd09af3562b23f13a68c4271af2c |
| SHA256 | 1b43c3a9e29da2e3f1c7dd76ceef708b5285b0ce386820c11561519010b8b436 |
| SHA512 | aed04f6cc4e3ec44c1d227d42ff471d02769db7063de8db2754f3a911ed96d7f4c0ddaefa5bce8c58d69b4657b4d67b49c898e6126d85e63089b0d466fd828c3 |
C:\Windows\System\kFhUtvL.exe
| MD5 | 93dea7fa1c3a32eead1b17728086f3e2 |
| SHA1 | 68d40816a8577e9f20d50280346c7c265d3dd334 |
| SHA256 | 73d68a519381bb320a75551a550314b9cb99a6ccaed7e7142fc12b75b4ae6e8c |
| SHA512 | eab157bc5ed41ad3f1113e5c0b7458135f87fd9fc01f76297c341b92d058e1711690b8d978ae862a2997d797fd9c540b4138dc8fc2c459622e8a0c0660482298 |
memory/3864-123-0x00007FF6BD2F0000-0x00007FF6BD644000-memory.dmp
memory/4420-122-0x00007FF7FEB50000-0x00007FF7FEEA4000-memory.dmp
memory/2028-118-0x00007FF79BEB0000-0x00007FF79C204000-memory.dmp
memory/4124-111-0x00007FF660140000-0x00007FF660494000-memory.dmp
memory/2444-130-0x00007FF74FF10000-0x00007FF750264000-memory.dmp
memory/1696-131-0x00007FF759D70000-0x00007FF75A0C4000-memory.dmp
memory/4124-132-0x00007FF660140000-0x00007FF660494000-memory.dmp
memory/3864-133-0x00007FF6BD2F0000-0x00007FF6BD644000-memory.dmp
memory/1280-134-0x00007FF72FF90000-0x00007FF7302E4000-memory.dmp
memory/4200-135-0x00007FF752770000-0x00007FF752AC4000-memory.dmp
memory/4652-136-0x00007FF6A96F0000-0x00007FF6A9A44000-memory.dmp
memory/3880-137-0x00007FF6F7B90000-0x00007FF6F7EE4000-memory.dmp
memory/2724-138-0x00007FF7CC500000-0x00007FF7CC854000-memory.dmp
memory/4180-139-0x00007FF7353F0000-0x00007FF735744000-memory.dmp
memory/4332-140-0x00007FF65BA00000-0x00007FF65BD54000-memory.dmp
memory/1196-141-0x00007FF719F50000-0x00007FF71A2A4000-memory.dmp
memory/1908-142-0x00007FF7FEF90000-0x00007FF7FF2E4000-memory.dmp
memory/4420-143-0x00007FF7FEB50000-0x00007FF7FEEA4000-memory.dmp
memory/4988-144-0x00007FF7D1F50000-0x00007FF7D22A4000-memory.dmp
memory/1620-145-0x00007FF7C91E0000-0x00007FF7C9534000-memory.dmp
memory/1696-146-0x00007FF759D70000-0x00007FF75A0C4000-memory.dmp
memory/1452-147-0x00007FF658560000-0x00007FF6588B4000-memory.dmp
memory/4164-148-0x00007FF786B90000-0x00007FF786EE4000-memory.dmp
memory/4020-149-0x00007FF6E75D0000-0x00007FF6E7924000-memory.dmp
memory/1360-150-0x00007FF6ADD50000-0x00007FF6AE0A4000-memory.dmp
memory/4124-151-0x00007FF660140000-0x00007FF660494000-memory.dmp
memory/2028-152-0x00007FF79BEB0000-0x00007FF79C204000-memory.dmp
memory/3864-153-0x00007FF6BD2F0000-0x00007FF6BD644000-memory.dmp
memory/2444-154-0x00007FF74FF10000-0x00007FF750264000-memory.dmp