Analysis Overview
SHA256
1c0fab33e33f0ac4e6aec87af27cf6920c1a260222c6784810390a78f3b1476c
Threat Level: Known bad
The file 2024-06-08_52e97a120d43e1836816f5a6f9dac14f_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Cobaltstrike
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
xmrig
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 04:16
Signatures
Cobalt Strike reflective loader
(1 hit; no description, indicator, process or target recorded)
Cobaltstrike family
Detects Reflective DLL injection artifacts
(1 hit; no description, indicator, process or target recorded)
UPX dump on OEP (original entry point)
(1 hit; no description, indicator, process or target recorded)
XMRig Miner payload
(1 hit; no description, indicator, process or target recorded)
Xmrig family
UPX packed file
(1 hit; no description, indicator, process or target recorded)
Unsigned PE
(1 hit; no description, indicator, process or target recorded)
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 04:16
Reported
2024-06-08 04:19
Platform
win7-20240221-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
(21 hits; no description, indicator, process or target recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
(21 hits; no description, indicator, process or target recorded)
UPX dump on OEP (original entry point)
(52 hits; no description, indicator, process or target recorded)
XMRig Miner payload
(54 hits; no description, indicator, process or target recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\KpbiAkW.exe | N/A |
| N/A | N/A | C:\Windows\System\RPyEDQX.exe | N/A |
| N/A | N/A | C:\Windows\System\PeyZJZV.exe | N/A |
| N/A | N/A | C:\Windows\System\yhRTsgw.exe | N/A |
| N/A | N/A | C:\Windows\System\oupOVtz.exe | N/A |
| N/A | N/A | C:\Windows\System\nVvwsGW.exe | N/A |
| N/A | N/A | C:\Windows\System\seacZFg.exe | N/A |
| N/A | N/A | C:\Windows\System\xMvtmEB.exe | N/A |
| N/A | N/A | C:\Windows\System\Sylsmvi.exe | N/A |
| N/A | N/A | C:\Windows\System\GUGJqiV.exe | N/A |
| N/A | N/A | C:\Windows\System\sBJavbT.exe | N/A |
| N/A | N/A | C:\Windows\System\sTZJruu.exe | N/A |
| N/A | N/A | C:\Windows\System\BgqcIMt.exe | N/A |
| N/A | N/A | C:\Windows\System\jAjOcGX.exe | N/A |
| N/A | N/A | C:\Windows\System\iQNaQTB.exe | N/A |
| N/A | N/A | C:\Windows\System\IdkQcAo.exe | N/A |
| N/A | N/A | C:\Windows\System\KmuGhhj.exe | N/A |
| N/A | N/A | C:\Windows\System\hNqmefG.exe | N/A |
| N/A | N/A | C:\Windows\System\VhfvvLY.exe | N/A |
| N/A | N/A | C:\Windows\System\jDeQiTB.exe | N/A |
| N/A | N/A | C:\Windows\System\OhchaBw.exe | N/A |
Loads dropped DLL
UPX packed file
(53 hits; no description, indicator, process or target recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_52e97a120d43e1836816f5a6f9dac14f_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_52e97a120d43e1836816f5a6f9dac14f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_52e97a120d43e1836816f5a6f9dac14f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_52e97a120d43e1836816f5a6f9dac14f_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\KpbiAkW.exe
C:\Windows\System\KpbiAkW.exe
C:\Windows\System\RPyEDQX.exe
C:\Windows\System\RPyEDQX.exe
C:\Windows\System\PeyZJZV.exe
C:\Windows\System\PeyZJZV.exe
C:\Windows\System\yhRTsgw.exe
C:\Windows\System\yhRTsgw.exe
C:\Windows\System\oupOVtz.exe
C:\Windows\System\oupOVtz.exe
C:\Windows\System\nVvwsGW.exe
C:\Windows\System\nVvwsGW.exe
C:\Windows\System\seacZFg.exe
C:\Windows\System\seacZFg.exe
C:\Windows\System\xMvtmEB.exe
C:\Windows\System\xMvtmEB.exe
C:\Windows\System\Sylsmvi.exe
C:\Windows\System\Sylsmvi.exe
C:\Windows\System\GUGJqiV.exe
C:\Windows\System\GUGJqiV.exe
C:\Windows\System\sBJavbT.exe
C:\Windows\System\sBJavbT.exe
C:\Windows\System\sTZJruu.exe
C:\Windows\System\sTZJruu.exe
C:\Windows\System\BgqcIMt.exe
C:\Windows\System\BgqcIMt.exe
C:\Windows\System\jAjOcGX.exe
C:\Windows\System\jAjOcGX.exe
C:\Windows\System\iQNaQTB.exe
C:\Windows\System\iQNaQTB.exe
C:\Windows\System\IdkQcAo.exe
C:\Windows\System\IdkQcAo.exe
C:\Windows\System\KmuGhhj.exe
C:\Windows\System\KmuGhhj.exe
C:\Windows\System\hNqmefG.exe
C:\Windows\System\hNqmefG.exe
C:\Windows\System\VhfvvLY.exe
C:\Windows\System\VhfvvLY.exe
C:\Windows\System\jDeQiTB.exe
C:\Windows\System\jDeQiTB.exe
C:\Windows\System\OhchaBw.exe
C:\Windows\System\OhchaBw.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
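The report tags the sample as Cobalt Strike on the strength of a reflective-loader signature, but the behaviour it records (a request for SeLockMemoryPrivilege, which is the privilege XMRig needs to back its scratchpad with large pages, 21 randomly named executables dropped into the legacy C:\Windows\System directory, and repeated TCP connections to a single host on port 8080) reads as a miner loader. Reflective-loader stubs are shared by many loaders, so the family tag should be confirmed against the memory dumps rather than taken as proof of a beacon. The script below is an added example, not part of the sandbox output: it re-parses a constructed excerpt of the sections above and pulls out the indicators a responder acts on first. The 7-letter mixed-case name heuristic, the note text attached to each privilege, and the System32\svchost.exe control line are assumptions; the reverse-DNS queries to 8.8.8.8:53 seen in behavioral2 are treated as sandbox background noise rather than attacker infrastructure.

```python
"""Triage helper: re-parse an excerpt of the sandbox report and pull out the
indicators a responder acts on first.  Added example, not sandbox output."""
import re
from collections import Counter

# Constructed excerpt copied from the behavioural sections above; the
# System32\svchost.exe line is a benign control that is NOT in the report.
REPORT_EXCERPT = r"""
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_52e97a120d43e1836816f5a6f9dac14f_cobalt-strike_cobaltstrike.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_52e97a120d43e1836816f5a6f9dac14f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_52e97a120d43e1836816f5a6f9dac14f_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\KpbiAkW.exe
C:\Windows\System\RPyEDQX.exe
C:\Windows\System\PeyZJZV.exe
C:\Windows\System32\svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\system\KpbiAkW.exe
| MD5 | c46638b079a1f2d6da9ea2ef16acdffe |
| SHA256 | 596613e3c4f72c148fcdadfe7aaffa0b46462714b594f0a9a18e03f3e68837bd |
C:\Windows\system\PeyZJZV.exe
| SHA256 | bab291fde6bc002bba5ed7a56d8586489f6847fa3f9efa98ea48b4d76910c1e8 |
"""

SECTIONS = {"Suspicious use of AdjustPrivilegeToken", "Processes", "Network", "Files"}
PATH_RE = re.compile(r'^"?([A-Za-z]:\\[^"]+\.exe)"?$')
# C:\Windows\System (not System32) is the legacy 16-bit directory and is nearly
# empty on a stock install; a 7-letter .exe there is the drop pattern above.
DROP_RE = re.compile(r"^[A-Za-z]:\\Windows\\System\\([A-Za-z]{7})\.exe$", re.IGNORECASE)
HEX_RE = re.compile(r"^[0-9a-f]+$")


def table_cells(line):
    """Split a '| a | b |' row into stripped cells; None for non-table lines."""
    if not line.startswith("|"):
        return None
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_report(text):
    """Walk the report line by line, tracking which section we are in."""
    out = {"privileges": [], "processes": [], "network": [], "files": {}}
    section, current_file = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        cells = table_cells(line)
        if section == "Processes":
            m = PATH_RE.match(line)           # path and quoted command line dedupe
            if m and m.group(1) not in out["processes"]:
                out["processes"].append(m.group(1))
        elif section == "Network" and cells and len(cells) == 4 and cells[0] != "Country":
            country, dest, domain, proto = cells
            out["network"].append({"country": country, "dest": dest, "domain": domain, "proto": proto})
        elif section == "Files":
            if cells and len(cells) >= 2 and current_file and HEX_RE.match(cells[1]):
                out["files"].setdefault(current_file, {})[cells[0].lower()] = cells[1]
            elif PATH_RE.match(line):
                current_file = line           # hash rows that follow belong to this file
        elif section == "Suspicious use of AdjustPrivilegeToken" and cells and cells[0].startswith("Token:"):
            out["privileges"].append((cells[0].split(":", 1)[1].strip(), cells[2]))
    return out


def suspicious_dropped_exes(paths):
    """Executables in C:\\Windows\\System whose 7-letter name mixes case (heuristic)."""
    return [p for p in paths for m in [DROP_RE.match(p)]
            if m and not m.group(1).islower() and not m.group(1).isupper()]


def network_iocs(rows):
    """Connections per destination, minus the sandbox's own PTR lookups on port 53."""
    counts = Counter()
    for r in rows:
        if r["dest"].endswith(":53") and r["domain"].endswith(".in-addr.arpa"):
            continue
        counts[f'{r["proto"]}://{r["dest"]}'] += 1
    return counts


# Assumed note text.  XMRig requests SeLockMemoryPrivilege to enable large pages;
# database engines and hypervisors do too, so this corroborates, it does not prove.
PRIVILEGE_NOTES = {
    "SeLockMemoryPrivilege": "large-page allocation; consistent with an XMRig-style miner",
    "SeDebugPrivilege": "cross-process access; consistent with injection or credential theft",
}


def privilege_findings(privs):
    return sorted({(name, PRIVILEGE_NOTES.get(name, "unclassified")) for name, _proc in privs})


def find_by_sha256(files, digest):
    """Dropped-file paths whose recorded SHA256 equals `digest` (case-insensitive)."""
    digest = digest.lower()
    return [p for p, h in files.items() if h.get("sha256") == digest]


if __name__ == "__main__":
    r = parse_report(REPORT_EXCERPT)
    print("dropped:", suspicious_dropped_exes(r["processes"]))
    print("network:", dict(network_iocs(r["network"])))
    print("privileges:", privilege_findings(r["privileges"]))
    print("hash hit:", find_by_sha256(r["files"], "596613E3C4F72C148FCDADFE7AAFFA0B46462714B594F0A9A18E03F3E68837BD"))
```

Run against the full report text rather than the excerpt to get all 21 drops and the complete hash index; the drop heuristic is deliberately narrow (legacy System directory plus a 7-letter mixed-case name) so that it does not fire on the real contents of System32.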
Files
memory/3000-0-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/3000-1-0x0000000000090000-0x00000000000A0000-memory.dmp
\Windows\system\KpbiAkW.exe
| MD5 | c46638b079a1f2d6da9ea2ef16acdffe |
| SHA1 | b86608d4a4fc61a0df08265beac8bfdeb5e8e6de |
| SHA256 | 596613e3c4f72c148fcdadfe7aaffa0b46462714b594f0a9a18e03f3e68837bd |
| SHA512 | e2f2db75c96eeadb4d1249bec6d1337011d673f2f6e2e8f7d66e667959c2a3275d875adf52c1d4dea337ca95a2cfdb608ad659442d85a4589615bd8e7ac28f73 |
memory/3000-8-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/3000-13-0x000000013F080000-0x000000013F3D4000-memory.dmp
C:\Windows\system\PeyZJZV.exe
| MD5 | 10c9b4300c4a0f795af2a0faec232405 |
| SHA1 | 06a968c0d67a034d51953da082ecaacb1cba4e1c |
| SHA256 | bab291fde6bc002bba5ed7a56d8586489f6847fa3f9efa98ea48b4d76910c1e8 |
| SHA512 | 9050b5b13d8e1f353c628a750b3f129ce9eab867f5043a2f5f758f7d4acf63d31bb06030f9ed2c6fbe28df68fd42305f9d7d8029e51723ed429be7a005fedbe5 |
C:\Windows\system\RPyEDQX.exe
| MD5 | 0f6620051408bc85b4f50b172cb8c8a1 |
| SHA1 | 37a752099a27071b46a69599975fb55f9b077f70 |
| SHA256 | 5cb4454e9f2fa5c25d55be64b39e3f359d97dae896ccfeaf446423afb51f1aa7 |
| SHA512 | 717edcfdd79fdcff654239d8df8e3b06f693c99457e54240d1b9b47856a00d4ef1f924c076957d56a350977e98ffa0c2f5f8486ad62909571fd28c7a078cbf69 |
C:\Windows\system\yhRTsgw.exe
| MD5 | aa01994afcf8436c611f6ffa87995587 |
| SHA1 | daa890f198344b5f8c4051bb5d3a4e91422b099a |
| SHA256 | e3fab48768fc68f0aa4b1fa882c299a6236a5046964720de25da564e666152aa |
| SHA512 | 3bdfb769813fa5c3721d814e59194326730b2d9b31c6102b152b74278d2e5b3354548a625777bc2a6515e56806c01f59efe864a1cc0e0003e5aa14d681ed2b66 |
C:\Windows\system\nVvwsGW.exe
| MD5 | a08a57c6042a3e6fdfc06d683b9fa03e |
| SHA1 | d7997d7fef6f822d7b4764731ceb76963b9cbe40 |
| SHA256 | c7a261f87a51ec014e9b75953ac137b0f659c3a7d1c8506edd8d24cabef14a20 |
| SHA512 | 57c1b77f99967f6d09a32a50cb1813fd92e2bd8c95940911f8a8b6dbc557af23c57b156a626196217ee778df2977427740fa4078ca74d60a651bbf8b86e9fd2b |
C:\Windows\system\seacZFg.exe
| MD5 | 4ce6607a8ee3a06d4512b06367c30ea3 |
| SHA1 | d3fecbcb74bd497dcbff79353090ad73d31f917b |
| SHA256 | 7679975867840260a94a0c0b2aece161b9ecfabe7c9cfea46a071a7be85f4724 |
| SHA512 | 5ada2904bc5fbfbe50ee3ac42223ea94778697a29be4eb1847c16ad8b4c127a252fdbb6b8ea5175d9922127fa2d3867b25bde6205ee493e1b3d2d3d1a711e198 |
C:\Windows\system\GUGJqiV.exe
| MD5 | ee293d1f529d390d1b4a402a3cba8d81 |
| SHA1 | aa88bc276023ef019151723fe486ce7c6c1ac615 |
| SHA256 | bbd5911c7979fe72906182665d6d7e093526fc79cebee5183f1a117517721346 |
| SHA512 | 5549f368f95baddf8ff7b8159321486a33791a0adea7a32808456dcbd61fa62758b5e2352274286ee248b5c55e9ebbf0e2a6eee73595a9929eefa36f7207b9c0 |
C:\Windows\system\KmuGhhj.exe
| MD5 | e37e420b206ade4856aab1fb7160da41 |
| SHA1 | 6965050d290f32e13ac2a9ca5e5e4c6959cc4f9b |
| SHA256 | 20a5b93ed609bcc3d416d74fe67628becff8e2af2777627d42f0aca4dc6efd12 |
| SHA512 | b16acd49e2bb952b57bcc4586a6ad9d8b7f173d3366c4dd58e08ee2af0f602a956c6204ae0dfcf35b22c11a7b94273df01bd3aa86a15beac10950659c0899d6f |
C:\Windows\system\jDeQiTB.exe
| MD5 | af645a68d41d170a9ea64d4ac2b0ff1a |
| SHA1 | 85300afb3883623b1770d388cd040ae86e1a910f |
| SHA256 | ae5aea7e2b2f80ee7410226ef6fc4df4d047d2f7b069552db5d2d232b0608a93 |
| SHA512 | bd5e31b944532349ece1fcb66205bfcee72dc6c196aa060c7e1e38602a3d0131e95bbf97ea5852a91712c8b7a6608e9079cdc12dd3088379f902cda555640e7c |
\Windows\system\OhchaBw.exe
| MD5 | 6fad087ea276fb3460715a536742ea2f |
| SHA1 | 34baefded314f44e2f8f821527d2c519524cfd18 |
| SHA256 | 873890c00da77eb0e47be41076f756fb5ecc948ac39e578a73320f7565fd6bd5 |
| SHA512 | 28d70b94d1bce0b7b1368fecf6789208137abccb946cd6492cd49dcaa2982672c3c3260ef803486d6b43d044c225daded1da37615e5047b5bea7f56ea81bcb53 |
C:\Windows\system\VhfvvLY.exe
| MD5 | b89a1342e484b11628b636c2eb5d5f51 |
| SHA1 | dc128dc31dcf377b81c7350675ebb870974bfff9 |
| SHA256 | f68784f9f9e20c8039abb87385d4c091a7d1655118fedd1f4edb41350bbbe62a |
| SHA512 | 41c2bb0e73d59c38ab6cd72c1bd0cf865e77db70d8e3b3957863186c51450dcfbc0992eec09790580fe20c417f728d11e95f57d6d0cf427d3a03c54a4038428d |
C:\Windows\system\hNqmefG.exe
| MD5 | 90951de0774112988e59a415f4fb7c98 |
| SHA1 | ca90dd2066dcb2f38ab45b57807c5f3a99376256 |
| SHA256 | 57469f411af5552922e5cf87c7d66b1b98c2bc874ed935027120090c6847fc35 |
| SHA512 | 2ce9089d852b412f7f08a03564ab1550271ff31ad00e69d47729709c7d46277812a8b6a6d04419754a4bfc23c3820782a1393b3a56f9949a969bed74719ec351 |
memory/3000-113-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/1340-112-0x000000013F030000-0x000000013F384000-memory.dmp
memory/3000-111-0x000000013F030000-0x000000013F384000-memory.dmp
memory/1664-110-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2828-109-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/1072-108-0x000000013FA20000-0x000000013FD74000-memory.dmp
C:\Windows\system\IdkQcAo.exe
| MD5 | 7e5ac77211289ec90cb631732f357e5f |
| SHA1 | 1a4d750939e30fff02905060f49ac74267f4799e |
| SHA256 | 15b151aaf56cc0493700beb88e501ee7c41c36d1c21047e9459ec7b2c021a7e2 |
| SHA512 | ce8f6d3d39ecb6268f29c0ba68f2f0bb646d531c3918381d29cdcb866386757ace1bd2c7d30b177dccb089bcdc2c35266989229059bde51a14d5155964942bb9 |
C:\Windows\system\iQNaQTB.exe
| MD5 | 2bc64157dc83271d47021e7260298c3d |
| SHA1 | 16ec69d217e8309b319081eb1b5fa477b408ae62 |
| SHA256 | 08977d3e049d5065aeed787a871700290ab9aec1adfce36b01c279d5903897da |
| SHA512 | 124f2d1be4aa23bb6e7dfbefeaea569c4430dfc135cf5a4cac83f6a88de6cdc959b13ef3b3f1e3021b81f4c2c884ace26dc562476e101e3e8afc31397b5493ae |
C:\Windows\system\jAjOcGX.exe
| MD5 | 9bf4207267487b7f3b083808cb733ab2 |
| SHA1 | f28217f8a8058d594519797f1c229c34a222d753 |
| SHA256 | 25e9b1e04a11d50a122d19b9279b88bd74fcf8aabe121b9deef6cf039cc7729e |
| SHA512 | beb26d9086b399cea35c9e4f93582b1842b761ed21abaf3c858a8349374ebb70401670d04753d51dd307ff487e857cbec51088a1b55f1c6f3943ea354a3f6fd5 |
C:\Windows\system\BgqcIMt.exe
| MD5 | 8098809c2373ff4601cc8d051b4b344f |
| SHA1 | 06dfbd769a1a56a5cd2ee7acf56978eb04958ce8 |
| SHA256 | 1a454bec31f207cd52a0474a6408110649c628e6f7cb2acc3c2961536c784b72 |
| SHA512 | 7c080bde484e8933234fd5f0090422df317a2199345a414e94a7e9028aa268228b9d7eefd6a98bb5cacc6306a2c3c1ca3c66add96c1c86c9141188897e2766b7 |
C:\Windows\system\sTZJruu.exe
| MD5 | a1dcfaeab95a1fed3e81a24da6eb88cc |
| SHA1 | 6fd093afe6deb447c957a57384175af75a4b8711 |
| SHA256 | d3f7ef1b6e94a256efd4a2e4d6a9b15afa8604e0222c8ea9559bb06945289617 |
| SHA512 | 24740e6c77ff17d5f232ff6aad3281ec0a28c95fbd79ff02dc54e400bad332a09c327cca7eaee27999d2998dd6ac5383de984386f406407aaabb49a3636f6558 |
C:\Windows\system\sBJavbT.exe
| MD5 | 1426e7ae9f2a315335e417b613765257 |
| SHA1 | 822f4b2fff221c0fb9bd7ec5f95db8acc9d625ed |
| SHA256 | db71f12e359e475842dba68eb29fd59a25c83649be494dce71d1e76676a5062b |
| SHA512 | 7be4808c1a1b0706d1f70f117059cb3baeec2e40ad86758786c449252684cae4c66e5a5121cdad850b3e67cd5fa61922bd7489e0123b54e0f2b151f6d2c519fc |
C:\Windows\system\Sylsmvi.exe
| MD5 | 32fb7f6872b9a45296d1f4f972ab038f |
| SHA1 | ac8c90ffb3c9f685265188cbe0fd75986ab70c90 |
| SHA256 | 7f86efa1a69fb11a60ef70466e311e6740e8a027fad420d1ed46a684986f1bda |
| SHA512 | 2b36a603b73658a45a3afc529302d7248e2848446c81f5d0138d827f24a7faeed3c444bfa1aed6959b56220d1df622f3d981b42a734fc89452ba2880da3024c5 |
C:\Windows\system\xMvtmEB.exe
| MD5 | eeaa53504c2a57f91cdf8b5ecd1f48dc |
| SHA1 | 23bc36872edcea2a261d74c443ad9ad234dd1e2f |
| SHA256 | d062444372f61a7fa6284375200946a83623105d09de59fc9d245730e91cd0a3 |
| SHA512 | 4c6b9c9ca9820055271a0014ac3993afcb0b11dbea3d9d6c2bc2aad97ef79a35dc41c8c31ad2431ef7105367532a071f5f045cc18b607aa8a45286738cd44909 |
C:\Windows\system\oupOVtz.exe
| MD5 | 2a6b0cb8df418c1ec8e5ebdc18297797 |
| SHA1 | 7d81ebe73c37a06102bbabd80075a7dfe6877af2 |
| SHA256 | af3a3e4373a94cbb39a9abdeab30f339a8c8a23e631cda1c0a174484d5822152 |
| SHA512 | ce4a24be49d6bdcab007af0eadad4d66fd67ebc295206bcf95da84983c4a113d66f520dd517ef434e04deb7fbd95027f5b48af5b11e7ce066299178432adda24 |
memory/2628-115-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/2840-118-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/3000-119-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2752-122-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/3000-121-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2428-126-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/3000-131-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/3000-130-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/2932-129-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/3000-128-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2496-127-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2472-125-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/3000-124-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/3020-123-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2748-120-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/3000-117-0x0000000002450000-0x00000000027A4000-memory.dmp
memory/2724-116-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/3000-132-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/1664-133-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/1072-134-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2828-135-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2628-137-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/2724-138-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/2840-140-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/3020-142-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2472-143-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/2932-146-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2496-145-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2428-144-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2752-141-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2748-139-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/1340-136-0x000000013F030000-0x000000013F384000-memory.dmp
memory/1664-147-0x000000013FE00000-0x0000000140154000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 04:16
Reported
2024-06-08 04:19
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
(19 hits; no description, indicator, process or target recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
(19 hits; no description, indicator, process or target recorded)
UPX dump on OEP (original entry point)
(64 hits; no description, indicator, process or target recorded)
XMRig Miner payload
(64 hits; no description, indicator, process or target recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\GEHDpJe.exe | N/A |
| N/A | N/A | C:\Windows\System\EgEEApi.exe | N/A |
| N/A | N/A | C:\Windows\System\gmXuAGS.exe | N/A |
| N/A | N/A | C:\Windows\System\XinJXEK.exe | N/A |
| N/A | N/A | C:\Windows\System\XLsTzTw.exe | N/A |
| N/A | N/A | C:\Windows\System\lLRJWYK.exe | N/A |
| N/A | N/A | C:\Windows\System\itdshPf.exe | N/A |
| N/A | N/A | C:\Windows\System\fFKxpCf.exe | N/A |
| N/A | N/A | C:\Windows\System\QNtdydg.exe | N/A |
| N/A | N/A | C:\Windows\System\mtxAhes.exe | N/A |
| N/A | N/A | C:\Windows\System\WpdJIoY.exe | N/A |
| N/A | N/A | C:\Windows\System\steTLTE.exe | N/A |
| N/A | N/A | C:\Windows\System\CYSQnGH.exe | N/A |
| N/A | N/A | C:\Windows\System\HvdkWbB.exe | N/A |
| N/A | N/A | C:\Windows\System\jsdlUEZ.exe | N/A |
| N/A | N/A | C:\Windows\System\rFwMURl.exe | N/A |
| N/A | N/A | C:\Windows\System\tlpXLMD.exe | N/A |
| N/A | N/A | C:\Windows\System\kRLeWOA.exe | N/A |
| N/A | N/A | C:\Windows\System\kIniEsz.exe | N/A |
| N/A | N/A | C:\Windows\System\cTwnmXw.exe | N/A |
| N/A | N/A | C:\Windows\System\DnUKaqX.exe | N/A |
UPX packed file
(64 hits; no description, indicator, process or target recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_52e97a120d43e1836816f5a6f9dac14f_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_52e97a120d43e1836816f5a6f9dac14f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_52e97a120d43e1836816f5a6f9dac14f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_52e97a120d43e1836816f5a6f9dac14f_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\GEHDpJe.exe
C:\Windows\System\GEHDpJe.exe
C:\Windows\System\EgEEApi.exe
C:\Windows\System\EgEEApi.exe
C:\Windows\System\gmXuAGS.exe
C:\Windows\System\gmXuAGS.exe
C:\Windows\System\XinJXEK.exe
C:\Windows\System\XinJXEK.exe
C:\Windows\System\XLsTzTw.exe
C:\Windows\System\XLsTzTw.exe
C:\Windows\System\lLRJWYK.exe
C:\Windows\System\lLRJWYK.exe
C:\Windows\System\itdshPf.exe
C:\Windows\System\itdshPf.exe
C:\Windows\System\fFKxpCf.exe
C:\Windows\System\fFKxpCf.exe
C:\Windows\System\QNtdydg.exe
C:\Windows\System\QNtdydg.exe
C:\Windows\System\mtxAhes.exe
C:\Windows\System\mtxAhes.exe
C:\Windows\System\WpdJIoY.exe
C:\Windows\System\WpdJIoY.exe
C:\Windows\System\steTLTE.exe
C:\Windows\System\steTLTE.exe
C:\Windows\System\CYSQnGH.exe
C:\Windows\System\CYSQnGH.exe
C:\Windows\System\HvdkWbB.exe
C:\Windows\System\HvdkWbB.exe
C:\Windows\System\jsdlUEZ.exe
C:\Windows\System\jsdlUEZ.exe
C:\Windows\System\rFwMURl.exe
C:\Windows\System\rFwMURl.exe
C:\Windows\System\tlpXLMD.exe
C:\Windows\System\tlpXLMD.exe
C:\Windows\System\kRLeWOA.exe
C:\Windows\System\kRLeWOA.exe
C:\Windows\System\kIniEsz.exe
C:\Windows\System\kIniEsz.exe
C:\Windows\System\cTwnmXw.exe
C:\Windows\System\cTwnmXw.exe
C:\Windows\System\DnUKaqX.exe
C:\Windows\System\DnUKaqX.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
memory/3256-0-0x00007FF660980000-0x00007FF660CD4000-memory.dmp
C:\Windows\System\GEHDpJe.exe
| MD5 | ec3d3ef8cbe74c8e10267a3d904f7905 |
| SHA1 | 907e24d6c7b06d1d099f539452203f3106ff1ceb |
| SHA256 | e18942be8526008f0955d305acac8c456ef5ca243760c4ad3b5aa750c14a8f2f |
| SHA512 | fdd83d15074331a160614e4c8ea6b284ca1cc87402edf38832928424054f9d66a65c6594e72b2b8919ca8ed1a375fbf247bf96dbf285778620d7c1f98a787b90 |
memory/1424-8-0x00007FF7DBD10000-0x00007FF7DC064000-memory.dmp
C:\Windows\System\gmXuAGS.exe
| MD5 | 7b93dc1034bf7eb30a10c2e5002ade77 |
| SHA1 | db92de6f9fe48e9cedbbabc5f8dc10955c723a0b |
| SHA256 | ba0a0a285cc3003905703c67a521830e717b0fa1fbc9637d49d5c10f0cfc6720 |
| SHA512 | d93dc4ff337bbfec96f0bf721a3ec45e0220d35b6f882e7bad6e988816a0e165a2570d2c709c52a61fce08f648f1f609dd86afbabd4fec551e916b7ddea78c60 |
memory/2260-14-0x00007FF604600000-0x00007FF604954000-memory.dmp
C:\Windows\System\EgEEApi.exe
| MD5 | 6e20c1464f2f11359d03740e39e646c8 |
| SHA1 | e90209ae46e403e71a97b0f056c5611d8850af0f |
| SHA256 | e9593ce32c1f94db36680e392134bf6ea24ae6d0ede4ec413f37566a5f2d14d1 |
| SHA512 | 3c5d83e738534c4ac0713b5c116bdf631b564cab66985488e774409d89d4217b15f7b4d1125192155a4943ff3a81fa41e606de408ffb1a46a6a0a426634ea7fe |
memory/3256-1-0x0000024533540000-0x0000024533550000-memory.dmp
memory/1240-19-0x00007FF63A650000-0x00007FF63A9A4000-memory.dmp
memory/2088-26-0x00007FF602D10000-0x00007FF603064000-memory.dmp
C:\Windows\System\XinJXEK.exe
| MD5 | 6749f560e9d4fcbab822c559fd603cfc |
| SHA1 | 26f9bd3066b8d7c059ebe7d7e1fbfd937730f4a0 |
| SHA256 | c9a797c9f7cda2ad8a67682d2abff9adf14a4eca67f2f0b8a78542101185d778 |
| SHA512 | 5edb1c8d0a1d0d30175f2430e9736b765e19cb64c808d22d4a5eba90f67559969412b687e4bb3244f4a122d168bfefb0f751fff8e19e4345f9263f389483cd5d |
C:\Windows\System\XLsTzTw.exe
| MD5 | 9dc45c500a54b06aa71fda4d5a54ded6 |
| SHA1 | 0b4e448c2052b2d219b2dcff92e902f6a4d17897 |
| SHA256 | 109ac01fb5231d99f997e4b0bb3d33c036dcbb6590816f87645961adb5476e63 |
| SHA512 | c05260ae5b530a4400a810cc8a8bc4b4bd6df7a5117cde79176f1c0756876b21263f3b48936b6db720020392f18fd98d11ae83f544aa1cabfb755334b7af0322 |
memory/3288-32-0x00007FF748830000-0x00007FF748B84000-memory.dmp
C:\Windows\System\lLRJWYK.exe
| MD5 | a6111da166178b3bce834c317c41aad7 |
| SHA1 | c4479a9a35a6e1a72e5f9e72bb35a1b1fcfaeba4 |
| SHA256 | c57f230e3d5bbca372c969619e71282ca3efff0562e5566e7fa561737bfba705 |
| SHA512 | 79b7e74a4d7be9713eb608b38e01d72c084e2fb0d6da66759f8282e53f42fdbeb6da70483171796ade8afebb973fae03a3a035002ff0716e0ac048172b0bf6af |
memory/4380-37-0x00007FF6AD8C0000-0x00007FF6ADC14000-memory.dmp
memory/4764-42-0x00007FF7CD440000-0x00007FF7CD794000-memory.dmp
C:\Windows\System\fFKxpCf.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
C:\Windows\System\fFKxpCf.exe
| MD5 | bb33ee0423f926afd71d4e430a414c18 |
| SHA1 | 73b56334926cbc9346e0184f9b9e5a8396c8a696 |
| SHA256 | 58301cdc339218a65a7a961562b71f36aa556418dd1a9dd600c6445e6f082e42 |
| SHA512 | 0925bfd2f7439f0ef0a9351c25d7a7e073d06dffec91124e2298ff958e2727e270a6c5c1f48b34ce20057f239e89707b61b6fae8ab968c7ff3bf28cca8313029 |
C:\Windows\System\QNtdydg.exe
| MD5 | b83b0fa4fa669304aa2bf969347e07db |
| SHA1 | 1ffeed1b6959369ebdac2956224c33f597929fa0 |
| SHA256 | 267db8492ce6e10600445803f285ae2af24523218f9c98c7ea51358c46958e56 |
| SHA512 | 64c489c21c239d6fa44c1b00e5843e40c5905e3fd3530e98ad72f9502135c107898300d4d5a9b537868ab21e2891e4cdf7bb6de4e0d487d17c4d301db244d4d9 |
memory/4068-56-0x00007FF71BE20000-0x00007FF71C174000-memory.dmp
memory/4840-55-0x00007FF783D60000-0x00007FF7840B4000-memory.dmp
C:\Windows\System\itdshPf.exe
| MD5 | d8e2d4d7cd62d032a0b0fb4b53da5918 |
| SHA1 | 14f31689cf2d14507c39b3910e689041f5b0ff08 |
| SHA256 | 60517c4ecf0b9094b0c51e9312dc893ad540e4bc1aba20ae15af751e9a459212 |
| SHA512 | 52fc6f2eb183e755e1738e2ad367d5c4a3c46c11256b9af8eaaa6a9a4a2f8a9916f0644c0dfa1bbdd86805555bf01dfa9abce87d4fda85f1a37dec99e1eb6295 |
C:\Windows\System\mtxAhes.exe
| MD5 | 8e975a0b16aded8dc97afd9bb6b353f8 |
| SHA1 | 2986da2a051b6b370d218703443825bf4bf48dd3 |
| SHA256 | 86daf609582c9c794a56ae26993a2dfa4af704141ad7763148c671f2e5395ba3 |
| SHA512 | 1bef76ef34f69c6f0668a1e664bd1a18ba62a8c8d8c908a76dc82283d763f793d4b708483a25bca4f8b2149155922520188b86cc1f248c10a0a2b7fb66023e04 |
memory/3256-64-0x00007FF660980000-0x00007FF660CD4000-memory.dmp
C:\Windows\System\steTLTE.exe
| MD5 | b65dc9da1636131cc4d8a1604e74f344 |
| SHA1 | 643aaa9588c10ff017dc266626dc653964710268 |
| SHA256 | 280e8b4ab5c35bbc6fd7601ddb84973c716eb21dc6574f1b22e3ce0fc7adc1fb |
| SHA512 | bd03ea4914b22113d180a8f08101d778e6bd1edcb78c96ff233c9629c91c8ec60564d4cb4d11f9e585be0a1cfbeda5e0b77c29c8690f623d470375ade8595584 |
C:\Windows\System\WpdJIoY.exe
| MD5 | d30d3cb0d5c1e9aa9a0d29cac4632a64 |
| SHA1 | f0838cf874d131b3ab64cb2e4220873a0cf841e0 |
| SHA256 | 634e49fb02baf7118c4ff0f6c95e6325dacedf0bc796bf520e17313bd393b05e |
| SHA512 | 4f8294d0c24edbc304b4a0520ff4c3b4385591777c49222c99ae747028bdde7ea91a3d35d32ea8da16977a016f258008780914b40bc4122e335fe6813b15c472 |
memory/3936-65-0x00007FF6970B0000-0x00007FF697404000-memory.dmp
memory/1172-74-0x00007FF689170000-0x00007FF6894C4000-memory.dmp
memory/2060-75-0x00007FF7EA950000-0x00007FF7EACA4000-memory.dmp
C:\Windows\System\CYSQnGH.exe
| MD5 | e490c0bda9e36a15cff5c2f4e0f6f174 |
| SHA1 | db824f75636da1ffb9acfca511a92a475358aebb |
| SHA256 | ec2dadef4d571ae2a324a42e8f5a1ad798baeb2adfad0619f8be13a4d31d4de4 |
| SHA512 | b6e76b974bf0d41126639ac7158473ba9fc93452c3d47ad5c932f77a34537c17659909b1015d2eaed61dbce21f0ab0336aa64423db4cec690e980b9211ec1da3 |
memory/804-81-0x00007FF79BD90000-0x00007FF79C0E4000-memory.dmp
C:\Windows\System\HvdkWbB.exe
| MD5 | 17e596d4b883e02b23a81b3e589bb611 |
| SHA1 | 88b611b95bd4c568f0ddff2780b188b3a1326293 |
| SHA256 | b49cd7f3d59fff0a2fb74b4386378a250eea8d1189e26fa4e08fa23448eb49b4 |
| SHA512 | 95a17f6af868e9eae43a633216419f69c27a4e9c7a87835de559fad11ff590337181a77251912618ca0321f1e46cc537ee2578b38f31c694d92133c1555657a1 |
memory/4736-88-0x00007FF620750000-0x00007FF620AA4000-memory.dmp
memory/1240-87-0x00007FF63A650000-0x00007FF63A9A4000-memory.dmp
C:\Windows\System\jsdlUEZ.exe
| MD5 | 1326cf338b58382caf11326c26ca60d6 |
| SHA1 | 56bab845bedb2fef36772e15af20785f733333a2 |
| SHA256 | c671df1e6a965ae9e34fb92c8a6e3544495c11dbf09a49171d5010e5dcc16306 |
| SHA512 | 659265c8f44db4070222c28a81a5c36d894335899bab84d0a26823186b600a4c4d431cff1df7db28aee24c3cfa1a602d4dcb2b98a1b65f9be9a6e7ed87df5606 |
memory/1032-95-0x00007FF798AD0000-0x00007FF798E24000-memory.dmp
C:\Windows\System\rFwMURl.exe
| MD5 | b4419fbad67f942d0b30e6516a3e91e7 |
| SHA1 | 6bf1a56bcc46372b33c1616f2018ca73e5083943 |
| SHA256 | a299bbffde756a7d42e02a700e0172d490bbcd9d484bc779de91011b37b51d98 |
| SHA512 | 15b556b6f607363bbd748c981d5e8b5a7e460b817cab07de553ee215329eab8a2dae2820fc3ba3fa810f46f463d843030c9f44fe184571cf0f34bc7106350918 |
memory/2088-94-0x00007FF602D10000-0x00007FF603064000-memory.dmp
memory/3164-101-0x00007FF7FAAC0000-0x00007FF7FAE14000-memory.dmp
C:\Windows\System\tlpXLMD.exe
| MD5 | 1e2459942327eb396bd8cd9cbc885d14 |
| SHA1 | b979cbcb517509c30843efb1d91bef30f1f24a44 |
| SHA256 | 54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a |
| SHA512 | 62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7 |
memory/4380-107-0x00007FF6AD8C0000-0x00007FF6ADC14000-memory.dmp
C:\Windows\System\kRLeWOA.exe
| MD5 | 3dce0e9447b2436a17fad704f076f94e |
| SHA1 | d4aea26c87f2f47316732f93ae8b65a43bfb288d |
| SHA256 | 9c39a94b0096b0bfc26a5429dc4e0e048b25f150254810844d2a8eed542725ff |
| SHA512 | bb2ede6bf4a1e93d1cc286180de793c5d3a0d48d37d07374de900de4244af6049a083a866c60ae28ebde7d77715c0aabda22102d7d07ccd4351b5e2895ab49bb |
C:\Windows\System\kIniEsz.exe
| MD5 | 90aea5c098d350fa026d43d66e7e2db8 |
| SHA1 | ee7e691749d438b056191c736c54d060e4c9dbf0 |
| SHA256 | 1089ba11f3e5218d4e64e495839081fc492a39904117e8462739d1b5b9f722fb |
| SHA512 | 4f58b7353a20243b3e8272a695391a00db21968cb21e2f94247f5d869cb9425fc483194abbf7f47d9250d877410ce51b9202e9739b29145acc105c6375a0de34 |
memory/4388-125-0x00007FF62F310000-0x00007FF62F664000-memory.dmp
C:\Windows\System\cTwnmXw.exe
| MD5 | 47e1c949dadc469fd0a78f62b0ebcc4e |
| SHA1 | c9909ffb5ad031715a558dec06458220ea438b13 |
| SHA256 | b17006c0e9275c21264298e3a3013c762e12418f4923659a3ad948308962cf3d |
| SHA512 | ee2f1b14dc22e5b14c705043fa2c27e6cc16495bba3f69e74d636aa2b671e85a251209ea50e8af2376e11c14cd998107fd0447c3477912edbeb214f8d512d243 |
memory/4916-124-0x00007FF65DD60000-0x00007FF65E0B4000-memory.dmp
memory/1508-120-0x00007FF7D05B0000-0x00007FF7D0904000-memory.dmp
C:\Windows\System\DnUKaqX.exe
| MD5 | df2d2d445172f1bb73447ea4a48a03ad |
| SHA1 | 277c9439dfbf7c95abb70f0e79f89a3b0e6e1351 |
| SHA256 | e4fbfc104c191e5ca50f659a835f730b271bce6d3709d76a7846215450fdcecd |
| SHA512 | f4288d6b4f5134ee0da0414df0674a54ca30bb786aa07f55a7f7183559c23e554b3115ff4b7e18a2cb694ccc70e39fa90db0d40fe7961017c69e891b42a937df |
memory/4764-114-0x00007FF7CD440000-0x00007FF7CD794000-memory.dmp
memory/372-108-0x00007FF7517E0000-0x00007FF751B34000-memory.dmp
C:\Windows\System\tlpXLMD.exe
| MD5 | f6cdfb3d88537b367792cbd894bd98ed |
| SHA1 | 3d3f99c94c72c456dffcf949bc5d30603a7e936c |
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
| SHA512 | 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3 |
memory/3924-132-0x00007FF6B3330000-0x00007FF6B3684000-memory.dmp
memory/4388-133-0x00007FF62F310000-0x00007FF62F664000-memory.dmp
memory/1424-134-0x00007FF7DBD10000-0x00007FF7DC064000-memory.dmp
memory/2260-135-0x00007FF604600000-0x00007FF604954000-memory.dmp
memory/1240-136-0x00007FF63A650000-0x00007FF63A9A4000-memory.dmp
memory/2088-137-0x00007FF602D10000-0x00007FF603064000-memory.dmp
memory/3288-138-0x00007FF748830000-0x00007FF748B84000-memory.dmp
memory/4380-139-0x00007FF6AD8C0000-0x00007FF6ADC14000-memory.dmp
memory/4840-141-0x00007FF783D60000-0x00007FF7840B4000-memory.dmp
memory/4764-140-0x00007FF7CD440000-0x00007FF7CD794000-memory.dmp
memory/4068-142-0x00007FF71BE20000-0x00007FF71C174000-memory.dmp
memory/3936-143-0x00007FF6970B0000-0x00007FF697404000-memory.dmp
memory/2060-145-0x00007FF7EA950000-0x00007FF7EACA4000-memory.dmp
memory/1172-144-0x00007FF689170000-0x00007FF6894C4000-memory.dmp
memory/804-146-0x00007FF79BD90000-0x00007FF79C0E4000-memory.dmp
memory/4736-147-0x00007FF620750000-0x00007FF620AA4000-memory.dmp
memory/1032-148-0x00007FF798AD0000-0x00007FF798E24000-memory.dmp
memory/3164-149-0x00007FF7FAAC0000-0x00007FF7FAE14000-memory.dmp
memory/372-150-0x00007FF7517E0000-0x00007FF751B34000-memory.dmp
memory/1508-151-0x00007FF7D05B0000-0x00007FF7D0904000-memory.dmp
memory/4916-152-0x00007FF65DD60000-0x00007FF65E0B4000-memory.dmp
memory/4388-153-0x00007FF62F310000-0x00007FF62F664000-memory.dmp
memory/3924-154-0x00007FF6B3330000-0x00007FF6B3684000-memory.dmp