Analysis Overview
SHA256
d54a54268ba46df1eac71f7cbe612fd13a7d4c6918f5e5cbb77205819f4709d2
Threat Level: Known bad
The file 2024-06-08_b77d0f3f68adacb40f5b193d20a20b0e_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobaltstrike
XMRig Miner payload
xmrig
UPX dump on OEP (original entry point)
Xmrig family
Cobaltstrike family
Cobalt Strike reflective loader
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 17:20
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 17:20
Reported
2024-06-08 17:22
Platform
win7-20240215-en
Max time kernel
132s
Max time network
142s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\uvcOiqK.exe | N/A |
| N/A | N/A | C:\Windows\System\pKybaam.exe | N/A |
| N/A | N/A | C:\Windows\System\eWBzPIx.exe | N/A |
| N/A | N/A | C:\Windows\System\bXpXkog.exe | N/A |
| N/A | N/A | C:\Windows\System\ejTunDp.exe | N/A |
| N/A | N/A | C:\Windows\System\usoqlQz.exe | N/A |
| N/A | N/A | C:\Windows\System\APGeNbB.exe | N/A |
| N/A | N/A | C:\Windows\System\LkgMtmJ.exe | N/A |
| N/A | N/A | C:\Windows\System\QqBGksS.exe | N/A |
| N/A | N/A | C:\Windows\System\eEHAnAp.exe | N/A |
| N/A | N/A | C:\Windows\System\mwFtNCn.exe | N/A |
| N/A | N/A | C:\Windows\System\crEOSFS.exe | N/A |
| N/A | N/A | C:\Windows\System\jjXBfwo.exe | N/A |
| N/A | N/A | C:\Windows\System\oiZtytp.exe | N/A |
| N/A | N/A | C:\Windows\System\rOBpVlx.exe | N/A |
| N/A | N/A | C:\Windows\System\YucITJf.exe | N/A |
| N/A | N/A | C:\Windows\System\soIgrkI.exe | N/A |
| N/A | N/A | C:\Windows\System\JIjsLri.exe | N/A |
| N/A | N/A | C:\Windows\System\FNcildP.exe | N/A |
| N/A | N/A | C:\Windows\System\sktsCxk.exe | N/A |
| N/A | N/A | C:\Windows\System\KfGKuzG.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77d0f3f68adacb40f5b193d20a20b0e_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77d0f3f68adacb40f5b193d20a20b0e_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77d0f3f68adacb40f5b193d20a20b0e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77d0f3f68adacb40f5b193d20a20b0e_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\uvcOiqK.exe
C:\Windows\System\uvcOiqK.exe
C:\Windows\System\pKybaam.exe
C:\Windows\System\pKybaam.exe
C:\Windows\System\eWBzPIx.exe
C:\Windows\System\eWBzPIx.exe
C:\Windows\System\ejTunDp.exe
C:\Windows\System\ejTunDp.exe
C:\Windows\System\bXpXkog.exe
C:\Windows\System\bXpXkog.exe
C:\Windows\System\LkgMtmJ.exe
C:\Windows\System\LkgMtmJ.exe
C:\Windows\System\usoqlQz.exe
C:\Windows\System\usoqlQz.exe
C:\Windows\System\mwFtNCn.exe
C:\Windows\System\mwFtNCn.exe
C:\Windows\System\APGeNbB.exe
C:\Windows\System\APGeNbB.exe
C:\Windows\System\YucITJf.exe
C:\Windows\System\YucITJf.exe
C:\Windows\System\QqBGksS.exe
C:\Windows\System\QqBGksS.exe
C:\Windows\System\soIgrkI.exe
C:\Windows\System\soIgrkI.exe
C:\Windows\System\eEHAnAp.exe
C:\Windows\System\eEHAnAp.exe
C:\Windows\System\JIjsLri.exe
C:\Windows\System\JIjsLri.exe
C:\Windows\System\crEOSFS.exe
C:\Windows\System\crEOSFS.exe
C:\Windows\System\FNcildP.exe
C:\Windows\System\FNcildP.exe
C:\Windows\System\jjXBfwo.exe
C:\Windows\System\jjXBfwo.exe
C:\Windows\System\sktsCxk.exe
C:\Windows\System\sktsCxk.exe
C:\Windows\System\oiZtytp.exe
C:\Windows\System\oiZtytp.exe
C:\Windows\System\KfGKuzG.exe
C:\Windows\System\KfGKuzG.exe
C:\Windows\System\rOBpVlx.exe
C:\Windows\System\rOBpVlx.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\system\uvcOiqK.exe
\Windows\system\APGeNbB.exe
C:\Windows\system\ejTunDp.exe
\Windows\system\usoqlQz.exe
C:\Windows\system\bXpXkog.exe
C:\Windows\system\eWBzPIx.exe
\Windows\system\LkgMtmJ.exe
C:\Windows\system\pKybaam.exe
\Windows\system\KfGKuzG.exe
\Windows\system\sktsCxk.exe
\Windows\system\FNcildP.exe
\Windows\system\JIjsLri.exe
\Windows\system\soIgrkI.exe
\Windows\system\YucITJf.exe
C:\Windows\system\rOBpVlx.exe
C:\Windows\system\oiZtytp.exe
C:\Windows\system\jjXBfwo.exe
C:\Windows\system\crEOSFS.exe
C:\Windows\system\mwFtNCn.exe
C:\Windows\system\eEHAnAp.exe
C:\Windows\system\QqBGksS.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 17:20
Reported
2024-06-08 17:22
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
XMRig Miner payload
| Description | Indicator | Process | Target |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\uvcOiqK.exe | N/A |
| N/A | N/A | C:\Windows\System\pKybaam.exe | N/A |
| N/A | N/A | C:\Windows\System\eWBzPIx.exe | N/A |
| N/A | N/A | C:\Windows\System\ejTunDp.exe | N/A |
| N/A | N/A | C:\Windows\System\bXpXkog.exe | N/A |
| N/A | N/A | C:\Windows\System\LkgMtmJ.exe | N/A |
| N/A | N/A | C:\Windows\System\usoqlQz.exe | N/A |
| N/A | N/A | C:\Windows\System\mwFtNCn.exe | N/A |
| N/A | N/A | C:\Windows\System\APGeNbB.exe | N/A |
| N/A | N/A | C:\Windows\System\YucITJf.exe | N/A |
| N/A | N/A | C:\Windows\System\QqBGksS.exe | N/A |
| N/A | N/A | C:\Windows\System\soIgrkI.exe | N/A |
| N/A | N/A | C:\Windows\System\eEHAnAp.exe | N/A |
| N/A | N/A | C:\Windows\System\JIjsLri.exe | N/A |
| N/A | N/A | C:\Windows\System\crEOSFS.exe | N/A |
| N/A | N/A | C:\Windows\System\FNcildP.exe | N/A |
| N/A | N/A | C:\Windows\System\jjXBfwo.exe | N/A |
| N/A | N/A | C:\Windows\System\sktsCxk.exe | N/A |
| N/A | N/A | C:\Windows\System\oiZtytp.exe | N/A |
| N/A | N/A | C:\Windows\System\KfGKuzG.exe | N/A |
| N/A | N/A | C:\Windows\System\rOBpVlx.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77d0f3f68adacb40f5b193d20a20b0e_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77d0f3f68adacb40f5b193d20a20b0e_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77d0f3f68adacb40f5b193d20a20b0e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77d0f3f68adacb40f5b193d20a20b0e_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\uvcOiqK.exe
C:\Windows\System\uvcOiqK.exe
C:\Windows\System\pKybaam.exe
C:\Windows\System\pKybaam.exe
C:\Windows\System\eWBzPIx.exe
C:\Windows\System\eWBzPIx.exe
C:\Windows\System\ejTunDp.exe
C:\Windows\System\ejTunDp.exe
C:\Windows\System\bXpXkog.exe
C:\Windows\System\bXpXkog.exe
C:\Windows\System\LkgMtmJ.exe
C:\Windows\System\LkgMtmJ.exe
C:\Windows\System\usoqlQz.exe
C:\Windows\System\usoqlQz.exe
C:\Windows\System\mwFtNCn.exe
C:\Windows\System\mwFtNCn.exe
C:\Windows\System\APGeNbB.exe
C:\Windows\System\APGeNbB.exe
C:\Windows\System\YucITJf.exe
C:\Windows\System\YucITJf.exe
C:\Windows\System\QqBGksS.exe
C:\Windows\System\QqBGksS.exe
C:\Windows\System\soIgrkI.exe
C:\Windows\System\soIgrkI.exe
C:\Windows\System\eEHAnAp.exe
C:\Windows\System\eEHAnAp.exe
C:\Windows\System\JIjsLri.exe
C:\Windows\System\JIjsLri.exe
C:\Windows\System\crEOSFS.exe
C:\Windows\System\crEOSFS.exe
C:\Windows\System\FNcildP.exe
C:\Windows\System\FNcildP.exe
C:\Windows\System\jjXBfwo.exe
C:\Windows\System\jjXBfwo.exe
C:\Windows\System\sktsCxk.exe
C:\Windows\System\sktsCxk.exe
C:\Windows\System\oiZtytp.exe
C:\Windows\System\oiZtytp.exe
C:\Windows\System\KfGKuzG.exe
C:\Windows\System\KfGKuzG.exe
C:\Windows\System\rOBpVlx.exe
C:\Windows\System\rOBpVlx.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\uvcOiqK.exe
C:\Windows\System\pKybaam.exe
C:\Windows\System\eWBzPIx.exe
C:\Windows\System\ejTunDp.exe
C:\Windows\System\LkgMtmJ.exe
C:\Windows\System\bXpXkog.exe
C:\Windows\System\usoqlQz.exe
C:\Windows\System\mwFtNCn.exe
C:\Windows\System\APGeNbB.exe
| MD5 | 1ec3abed4cd22379c8ac217baf480e8e |
| SHA1 | cfd8a2fb5e3000fb5f6b0522d6c1700b9190f5cf |
| SHA256 | b66a31a845dd060afadda6a32503081c57f8f16aea2d10b121e80e4895894d2e |
| SHA512 | 126bdbfb352d97c92cb5b1d73b378a0df85f431749258a8eee0a4d4efb2d39dbd1c8f9b34ed0c3f41dd63c10cf9bd380e2c54d7a65b91e12b28d0f7f1f42c314 |
memory/4968-57-0x00007FF60C120000-0x00007FF60C474000-memory.dmp
C:\Windows\System\YucITJf.exe
| MD5 | ca0262c56d4fa4e4e2b61128219687cc |
| SHA1 | 9855049115d2bcddf72f99bfce9e5cb698712f99 |
| SHA256 | 5e62c570ae5044c7d33adff7b652c7cd15d04b4464d74db25b2dec1597c03241 |
| SHA512 | 14625c301f44e56019638c67f7c0199c9f34d5a759fd9b38a4268f32a8bfd27ecbc2722ee9a76460a429abdbe19846c9a49345c62512e5f5b969ca67c0ba36d6 |
memory/2948-62-0x00007FF7A3060000-0x00007FF7A33B4000-memory.dmp
C:\Windows\System\QqBGksS.exe
| MD5 | 7059dcad934a9fef9f03986ce31a0507 |
| SHA1 | c83b9e64247536794c5765f2e36163eece09a038 |
| SHA256 | 4d085536a72524d155033467e6db7f3c0304c0789dfe3aaf0d7209cc986900a8 |
| SHA512 | c979a00b544beafeb0a5decaa89a39aac722f083f3d6925531e8fb64c9832bb2c3fc49bd65caa7f3abf007820ff4c9585727871d73090fa53a0e798d4a49b5d0 |
C:\Windows\System\soIgrkI.exe
| MD5 | 64e81a4e73b463774d740ae679964920 |
| SHA1 | 7027a315d0a6c20739620fe078d6886f886764e8 |
| SHA256 | be7a32144bee3d67841d9e4d655326029ddbf46f773010a18b1d69f4e3141f72 |
| SHA512 | 4d554d4e514dc05ca6d4f2ebf9baeea87f4199d2cf9b1a99977d789cc8e3470829273ce838675c652658a38d8101e5fef2d897e7e7aeb9242ad0b46a507f9c98 |
memory/2452-68-0x00007FF676440000-0x00007FF676794000-memory.dmp
memory/3360-76-0x00007FF70B930000-0x00007FF70BC84000-memory.dmp
memory/3936-81-0x00007FF6D75E0000-0x00007FF6D7934000-memory.dmp
memory/4700-87-0x00007FF6921D0000-0x00007FF692524000-memory.dmp
C:\Windows\System\crEOSFS.exe
| MD5 | 704d52fc57da993247fabb8b9024dcdd |
| SHA1 | 3290f00214f654996a4c1501a3521da0c3b94a7e |
| SHA256 | 6dc4c817073fd73632841713e64f8af34c3851919a571a9ad15a0e5902bf1442 |
| SHA512 | 8d37566ec47a0f859dc1259f2fffe7e65e663dad7145a7c095423b5194ef8f696b6bd137471d1a2dd78c414eccbf50569c6e06fdd2fff0d4173650abaaf0b780 |
memory/5064-101-0x00007FF7702D0000-0x00007FF770624000-memory.dmp
memory/1204-103-0x00007FF7B8140000-0x00007FF7B8494000-memory.dmp
C:\Windows\System\FNcildP.exe
| MD5 | 103f520664b3c8a5dfa7afc8c1a5927d |
| SHA1 | f4359c06a1b48ddef117d69c159942aa71374a1c |
| SHA256 | 9ab62ee64481f7338f5846517db843e86a9f49e6023e8949bcc40cfb6a52af0d |
| SHA512 | cc5804c05ee5645ff95b3538668da6924a2fb9e9c10322594741035d0f54ce7789e41b55058ea418e82ae44979c8450cc47e1c017faf577ed015aee6accb6a57 |
memory/1736-104-0x00007FF7CCCC0000-0x00007FF7CD014000-memory.dmp
C:\Windows\System\jjXBfwo.exe
| MD5 | 6cd59bbaf392c8a52f8504b3be1dc054 |
| SHA1 | 3c846fc51a800a9d2c9972cd67b2eea289fc0eb2 |
| SHA256 | e82727545dc1d175b8e78eb764856fb41fe6bfa3d24fedeea6aa9dca05af0af4 |
| SHA512 | 8494d63cbfd58a4f39ade9ed0acd4f10299ccf3cf2c5b3801e3636a0e902abbc7285fdc56ef2d922f22e7185d9d063284275ada7b6875920c6de51f5c890f7e9 |
memory/1328-97-0x00007FF6A91C0000-0x00007FF6A9514000-memory.dmp
memory/3496-93-0x00007FF60C410000-0x00007FF60C764000-memory.dmp
memory/4556-89-0x00007FF73ABE0000-0x00007FF73AF34000-memory.dmp
C:\Windows\System\eEHAnAp.exe
| MD5 | 8f9babfdee1b8a795c8dd87b2257d361 |
| SHA1 | 4ac54916cffc0b112872eb9b6142e0f867d76139 |
| SHA256 | ff148b53aa31083c265340d6c080a98ffe94bb07031e86a141e58583a9a2088d |
| SHA512 | ae63f647897ca403d81443fd60bf9d62c94bf4a573196536922a7bd6b1fb9adfc860daadbdc0989b4416db0461d98215420f828424461cc26109f2411e665fab |
C:\Windows\System\JIjsLri.exe
| MD5 | a25977acf0797ba82c7e450b9f0b933a |
| SHA1 | 3f2c537802c55959fe3dd8d9f1fdf5d1895b6af0 |
| SHA256 | 68f20fe8cb9c1254ecfdf8f33ec9fdd169ce06e94c0199c9c4930e690ae80f27 |
| SHA512 | b4cf44f903ea5fd9667f28a3489017251463ea5889e6b5916cbd9b8658971567c315c13cb3d2055904494c13c52e13bb8f067613e71c581edfd26f2722cb5464 |
memory/2820-80-0x00007FF680B20000-0x00007FF680E74000-memory.dmp
memory/3424-117-0x00007FF71DBC0000-0x00007FF71DF14000-memory.dmp
C:\Windows\System\sktsCxk.exe
| MD5 | 1d3585aae87276f4562a95c72f463891 |
| SHA1 | 5d0a24169e42d03551106d1d779bae143f830562 |
| SHA256 | b0f123fec82f08ec1dd86d22faaffb49c3b8acdc8eda0932ae5630069a5d97a9 |
| SHA512 | 90a98a078856a8caa10ee137aab3add2187d10bfda6ea215e093c319b4d517e935b54319490cd93f01c08c2e2777575e04bb8797cd16e3e129e28c631a7c9d1b |
memory/784-121-0x00007FF76CE10000-0x00007FF76D164000-memory.dmp
C:\Windows\System\oiZtytp.exe
| MD5 | 2fe8c260a8a496f4cbcb46e67b6f9b9b |
| SHA1 | 4e34a7fe8fd09c2d8bd70de2aec38b3f19888f90 |
| SHA256 | 78cbb4d4536561b49809a5f157f082cf77000ab14fdc48a1b38e835d19900b68 |
| SHA512 | 5e13d153a0ba99f1005b88cdb477657e300886d5e9f57533c39eeffab3ec8fd981155e9ae41cbd10edc37165984d09963fbefb60b00619b162530edafa20a87c |
C:\Windows\System\KfGKuzG.exe
| MD5 | 38c3cf2de13d8e32084ad5a538e27e7b |
| SHA1 | a6138ea6c3873d52e8ad86e08eadd02bdb374185 |
| SHA256 | fe1ea4450c3b033b62db8652d1dce37947c107f0ca15bf5d8b060fc5a0d10ed2 |
| SHA512 | d71378b3d346ff1ff1de233d6cff0096ef8760a15067358780719cd6fc81aa7bf4eaf05eace7e876f82d4b12cff757c05dd3a48bfab86d2aac6e5b1761e9b5c1 |
C:\Windows\System\rOBpVlx.exe
| MD5 | b33b1ad011c0fa07366411a21e1bf48a |
| SHA1 | 40bf5edb574d3d91f15a9818d509c57de5eb2140 |
| SHA256 | f6f41524276cc8f85cb87939dc9c3b97365cc3879554b275318e8c7658b9eef7 |
| SHA512 | d2c8cf8e491f4739992b370161fe58e87b19f76b728668130f5eaf235d6744631ca95aeb74f995298a72545c8d278748829fb4fdad8a2d369e6d5b8c6259da0f |
memory/4580-128-0x00007FF726CA0000-0x00007FF726FF4000-memory.dmp
memory/4396-114-0x00007FF65C410000-0x00007FF65C764000-memory.dmp
memory/2452-132-0x00007FF676440000-0x00007FF676794000-memory.dmp
memory/2284-133-0x00007FF7EE3D0000-0x00007FF7EE724000-memory.dmp
memory/4700-134-0x00007FF6921D0000-0x00007FF692524000-memory.dmp
memory/4556-135-0x00007FF73ABE0000-0x00007FF73AF34000-memory.dmp
memory/1204-136-0x00007FF7B8140000-0x00007FF7B8494000-memory.dmp
memory/1736-137-0x00007FF7CCCC0000-0x00007FF7CD014000-memory.dmp
memory/784-138-0x00007FF76CE10000-0x00007FF76D164000-memory.dmp
memory/3936-139-0x00007FF6D75E0000-0x00007FF6D7934000-memory.dmp
memory/1056-140-0x00007FF750E50000-0x00007FF7511A4000-memory.dmp
memory/3496-141-0x00007FF60C410000-0x00007FF60C764000-memory.dmp
memory/1808-142-0x00007FF676EF0000-0x00007FF677244000-memory.dmp
memory/3472-144-0x00007FF6654C0000-0x00007FF665814000-memory.dmp
memory/4024-143-0x00007FF6FAF70000-0x00007FF6FB2C4000-memory.dmp
memory/1328-145-0x00007FF6A91C0000-0x00007FF6A9514000-memory.dmp
memory/4396-146-0x00007FF65C410000-0x00007FF65C764000-memory.dmp
memory/4968-147-0x00007FF60C120000-0x00007FF60C474000-memory.dmp
memory/2948-148-0x00007FF7A3060000-0x00007FF7A33B4000-memory.dmp
memory/2452-149-0x00007FF676440000-0x00007FF676794000-memory.dmp
memory/2820-150-0x00007FF680B20000-0x00007FF680E74000-memory.dmp
memory/4556-151-0x00007FF73ABE0000-0x00007FF73AF34000-memory.dmp
memory/4700-152-0x00007FF6921D0000-0x00007FF692524000-memory.dmp
memory/1204-154-0x00007FF7B8140000-0x00007FF7B8494000-memory.dmp
memory/5064-153-0x00007FF7702D0000-0x00007FF770624000-memory.dmp
memory/1736-155-0x00007FF7CCCC0000-0x00007FF7CD014000-memory.dmp
memory/3424-156-0x00007FF71DBC0000-0x00007FF71DF14000-memory.dmp
memory/784-157-0x00007FF76CE10000-0x00007FF76D164000-memory.dmp
memory/4580-158-0x00007FF726CA0000-0x00007FF726FF4000-memory.dmp
memory/2284-159-0x00007FF7EE3D0000-0x00007FF7EE724000-memory.dmp