Analysis Overview
SHA256: 2f16c643beee07be92c48a208324ee02e17aa5e38a6a9931bcfd1a275ee32977
Threat Level: Known bad
The file 2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike family
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobalt Strike reflective loader
Cobaltstrike
Detects Reflective DLL injection artifacts
xmrig
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported: 2024-05-29 21:45
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-29 21:45
Reported: 2024-05-29 21:48
Platform: win7-20240508-en
Max time kernel: 145s
Max time network: 149s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\GnGCYWs.exe | N/A |
| N/A | N/A | C:\Windows\System\jttpHAZ.exe | N/A |
| N/A | N/A | C:\Windows\System\emtOngR.exe | N/A |
| N/A | N/A | C:\Windows\System\xwJTuny.exe | N/A |
| N/A | N/A | C:\Windows\System\KUsRHJc.exe | N/A |
| N/A | N/A | C:\Windows\System\wbNqUFW.exe | N/A |
| N/A | N/A | C:\Windows\System\EZLTpAv.exe | N/A |
| N/A | N/A | C:\Windows\System\PeDtEwB.exe | N/A |
| N/A | N/A | C:\Windows\System\wfHsJaL.exe | N/A |
| N/A | N/A | C:\Windows\System\MFAgQKN.exe | N/A |
| N/A | N/A | C:\Windows\System\hinXZZY.exe | N/A |
| N/A | N/A | C:\Windows\System\KRCHzLZ.exe | N/A |
| N/A | N/A | C:\Windows\System\gTzXEYg.exe | N/A |
| N/A | N/A | C:\Windows\System\SoEXCvd.exe | N/A |
| N/A | N/A | C:\Windows\System\djVYptz.exe | N/A |
| N/A | N/A | C:\Windows\System\FkiohBG.exe | N/A |
| N/A | N/A | C:\Windows\System\MgDWUfp.exe | N/A |
| N/A | N/A | C:\Windows\System\vmtzApb.exe | N/A |
| N/A | N/A | C:\Windows\System\NJItCUk.exe | N/A |
| N/A | N/A | C:\Windows\System\LEsqsYi.exe | N/A |
| N/A | N/A | C:\Windows\System\qDMqUHX.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\GnGCYWs.exe | C:\Windows\System\GnGCYWs.exe |
| C:\Windows\System\jttpHAZ.exe | C:\Windows\System\jttpHAZ.exe |
| C:\Windows\System\emtOngR.exe | C:\Windows\System\emtOngR.exe |
| C:\Windows\System\KUsRHJc.exe | C:\Windows\System\KUsRHJc.exe |
| C:\Windows\System\xwJTuny.exe | C:\Windows\System\xwJTuny.exe |
| C:\Windows\System\wbNqUFW.exe | C:\Windows\System\wbNqUFW.exe |
| C:\Windows\System\EZLTpAv.exe | C:\Windows\System\EZLTpAv.exe |
| C:\Windows\System\PeDtEwB.exe | C:\Windows\System\PeDtEwB.exe |
| C:\Windows\System\wfHsJaL.exe | C:\Windows\System\wfHsJaL.exe |
| C:\Windows\System\MFAgQKN.exe | C:\Windows\System\MFAgQKN.exe |
| C:\Windows\System\hinXZZY.exe | C:\Windows\System\hinXZZY.exe |
| C:\Windows\System\KRCHzLZ.exe | C:\Windows\System\KRCHzLZ.exe |
| C:\Windows\System\gTzXEYg.exe | C:\Windows\System\gTzXEYg.exe |
| C:\Windows\System\SoEXCvd.exe | C:\Windows\System\SoEXCvd.exe |
| C:\Windows\System\djVYptz.exe | C:\Windows\System\djVYptz.exe |
| C:\Windows\System\FkiohBG.exe | C:\Windows\System\FkiohBG.exe |
| C:\Windows\System\MgDWUfp.exe | C:\Windows\System\MgDWUfp.exe |
| C:\Windows\System\vmtzApb.exe | C:\Windows\System\vmtzApb.exe |
| C:\Windows\System\NJItCUk.exe | C:\Windows\System\NJItCUk.exe |
| C:\Windows\System\LEsqsYi.exe | C:\Windows\System\LEsqsYi.exe |
| C:\Windows\System\qDMqUHX.exe | C:\Windows\System\qDMqUHX.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-05-29 21:45
Reported: 2024-05-29 21:48
Platform: win10v2004-20240426-en
Max time kernel: 142s
Max time network: 150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\KQbhrxk.exe | N/A |
| N/A | N/A | C:\Windows\System\EcmxJbO.exe | N/A |
| N/A | N/A | C:\Windows\System\NeVtEqU.exe | N/A |
| N/A | N/A | C:\Windows\System\kUWcckO.exe | N/A |
| N/A | N/A | C:\Windows\System\VfGOPMt.exe | N/A |
| N/A | N/A | C:\Windows\System\zlrmqni.exe | N/A |
| N/A | N/A | C:\Windows\System\GCIDiqE.exe | N/A |
| N/A | N/A | C:\Windows\System\hmopByX.exe | N/A |
| N/A | N/A | C:\Windows\System\yIyPxzF.exe | N/A |
| N/A | N/A | C:\Windows\System\ggRpZPq.exe | N/A |
| N/A | N/A | C:\Windows\System\DuToMMT.exe | N/A |
| N/A | N/A | C:\Windows\System\CjyxfmH.exe | N/A |
| N/A | N/A | C:\Windows\System\mbQjYeS.exe | N/A |
| N/A | N/A | C:\Windows\System\uBJCIar.exe | N/A |
| N/A | N/A | C:\Windows\System\cPGVsHb.exe | N/A |
| N/A | N/A | C:\Windows\System\WPWsplJ.exe | N/A |
| N/A | N/A | C:\Windows\System\dhJFyBV.exe | N/A |
| N/A | N/A | C:\Windows\System\tiQHIGp.exe | N/A |
| N/A | N/A | C:\Windows\System\HrIGsmB.exe | N/A |
| N/A | N/A | C:\Windows\System\apaUoUf.exe | N/A |
| N/A | N/A | C:\Windows\System\BxMNUKw.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\KQbhrxk.exe | C:\Windows\System\KQbhrxk.exe |
| C:\Windows\System\EcmxJbO.exe | C:\Windows\System\EcmxJbO.exe |
| C:\Windows\System\NeVtEqU.exe | C:\Windows\System\NeVtEqU.exe |
| C:\Windows\System\kUWcckO.exe | C:\Windows\System\kUWcckO.exe |
| C:\Windows\System\VfGOPMt.exe | C:\Windows\System\VfGOPMt.exe |
| C:\Windows\System\zlrmqni.exe | C:\Windows\System\zlrmqni.exe |
| C:\Windows\System\GCIDiqE.exe | C:\Windows\System\GCIDiqE.exe |
| C:\Windows\System\hmopByX.exe | C:\Windows\System\hmopByX.exe |
| C:\Windows\System\yIyPxzF.exe | C:\Windows\System\yIyPxzF.exe |
| C:\Windows\System\ggRpZPq.exe | C:\Windows\System\ggRpZPq.exe |
| C:\Windows\System\DuToMMT.exe | C:\Windows\System\DuToMMT.exe |
| C:\Windows\System\CjyxfmH.exe | C:\Windows\System\CjyxfmH.exe |
| C:\Windows\System\mbQjYeS.exe | C:\Windows\System\mbQjYeS.exe |
| C:\Windows\System\uBJCIar.exe | C:\Windows\System\uBJCIar.exe |
| C:\Windows\System\cPGVsHb.exe | C:\Windows\System\cPGVsHb.exe |
| C:\Windows\System\WPWsplJ.exe | C:\Windows\System\WPWsplJ.exe |
| C:\Windows\System\dhJFyBV.exe | C:\Windows\System\dhJFyBV.exe |
| C:\Windows\System\tiQHIGp.exe | C:\Windows\System\tiQHIGp.exe |
| C:\Windows\System\HrIGsmB.exe | C:\Windows\System\HrIGsmB.exe |
| C:\Windows\System\apaUoUf.exe | C:\Windows\System\apaUoUf.exe |
| C:\Windows\System\BxMNUKw.exe | C:\Windows\System\BxMNUKw.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| SHA512 | 06405c53cd437baf966ae4d1be8d1f65050ee82969618b7a45d28e8fb4747553d087c4006a8770c7c96c4165f2738b8a329837d0f33789127aa2dc5ba11af863 |
C:\Windows\System\GCIDiqE.exe
| MD5 | d3f7aa0e69bfddeff3719b352b5b6075 |
| SHA1 | adfc720ad0f27c9997e5a5c504ff95db3618181e |
| SHA256 | b2fddb4ed80b9030c172321d486e2cdeb46cfa507cef1a9ab34ae80fe2a5ab5c |
| SHA512 | 5744d7f0c7eba54d2216ecba175d014f2c03e7f194ee2ef6b31fb8bd584f6a062410dc47ee232eeef8ff95337edd88b489e25b9825797b4c6e0ec86708459555 |
C:\Windows\System\hmopByX.exe
| MD5 | f8e07867ca19afe78f06f609ae907ada |
| SHA1 | 1423f46dd5e4bffede7eaf78ff83a18e90cea6d4 |
| SHA256 | 449f8a1bf732a4263974a5470c15f72c775846edb08177ea71b420042ac45a72 |
| SHA512 | 83c834d1f4b50365ce834579f370327f81815800198716b842a5abb39000b7bbf642dddac4f009c8b5ac5f627ee09b42b7b584c756bf3c7a4216c5a14f353638 |
memory/4372-52-0x00007FF6172E0000-0x00007FF617631000-memory.dmp
C:\Windows\System\DuToMMT.exe
| MD5 | 0aac4b7d32e5b65a50bb74fbb9a7e99e |
| SHA1 | c8c5d91795a2acd0af93dfd7bf52f81c1b319ed0 |
| SHA256 | d68379583eb3a22eea3ce2d827a696bc5b775928aa240d3281c1f0d791019b0f |
| SHA512 | 5dfe71b3b95f9e86218e3355bed52e837d3a9da7f4b1a87e42254c464d3eca0cbb58e149307ec3cbacb4b8d0a426de2720e695e9b9cc9e3630c7e57e461cedac |
C:\Windows\System\CjyxfmH.exe
| MD5 | ae9d6da4e29a955da1a3a19d2663b547 |
| SHA1 | 2899a0eadd7ca782d745f398fd561725a4f41607 |
| SHA256 | 762b9b2c21a591bf3b7f4486c1b0bfea40137acb53309381b9ab3c7626147606 |
| SHA512 | b0e69b980c1e8d074d9dedb7b149c4e3bc9d7d9348b4950e9b77e6859843afaee30a1abf273787184c891ce899819e798740b84badff30d19492c850451a309c |
memory/2988-79-0x00007FF786D50000-0x00007FF7870A1000-memory.dmp
memory/4852-86-0x00007FF6AF090000-0x00007FF6AF3E1000-memory.dmp
C:\Windows\System\tiQHIGp.exe
| MD5 | b7fa25e3a5e9e1a252e344c5e4f72a59 |
| SHA1 | f99c914488ed2face49e2692949448fe069f052f |
| SHA256 | da40cf9de70c3f1775a491590c09b7ebd39f6676809dbb6cf887fd3f4157c8be |
| SHA512 | 6d8e06bfc98431505e0dfad6d56a0ba202b7f85b3f6d945e0932e20a8bec0322bd633b43ff15cb6237f1600b68f20b619b4d1845085b27b1d6f9e10871a4374a |
C:\Windows\System\WPWsplJ.exe
| MD5 | d2f73f20f3579cc259f150145df88b8a |
| SHA1 | 86ac7669ca874c9c4c97f235ad45290f4f97f0b7 |
| SHA256 | a30a1279c17a40060d9036321f3a088ccf36a4c8f6f3892041b1cc3e26b8c5c1 |
| SHA512 | 6cd7a96b5b32de12b7149f8b22ae8262463dd5429521992756115e7aa0b4fe7b04b3bdc6186b33142a2b3bb182b0b31032c98e0be37911aa1c7dabf61f16d5fb |
C:\Windows\System\BxMNUKw.exe
| MD5 | a81d343f92e7220435c65396c19530ac |
| SHA1 | 4b9ffba4b37fa5be8fe91d38d12869b574bde06c |
| SHA256 | c1b49105037d85310ad3f7111bffd446729492ae1b82482f8526d6921a053d8b |
| SHA512 | 87e41200b2cfe07ac9ddfcace61b22be328dc56747abd8017ada074a4556b3dd202c29b76c749d9956a1162c3587cacd0c46e8be93467ea353a5061804a0868c |
C:\Windows\System\HrIGsmB.exe
| MD5 | 06a63bba548b165f0989125044be671a |
| SHA1 | f7610203dc8891f34eb90b895c84a76d379d315d |
| SHA256 | 1e7e3b1b7781b53dc274df67a46a5afa3c99bc0a394028fa5d461ac7ba506b67 |
| SHA512 | 0c0282e82bd6493dd2b1f1547c8ad39001b65c758dcf989b2c3fd2a09be9d999967918f9efa78fc54501694a73b2071eefcf699e529687f1041f0b945a226336 |
memory/1376-127-0x00007FF794FD0000-0x00007FF795321000-memory.dmp
memory/2032-126-0x00007FF62A7C0000-0x00007FF62AB11000-memory.dmp
C:\Windows\System\apaUoUf.exe
| MD5 | c0b14e2f413ee990974dc121db77ac88 |
| SHA1 | d130e3f5b8458e879eacf4af38673a93f32c8bfa |
| SHA256 | 76399fccd6faeb24769de880f302066bdaf2143880d7acea12e8d331bb88f577 |
| SHA512 | b1c4346d750e8b64d4c2fe544f5957fc7d34fd74970ce6a8b33033a1fb7b94068baf1ee2379ce0b351f0cad4f2407c517dde19d4f8141c1acf7bb08435a7fed1 |
memory/1432-121-0x00007FF721260000-0x00007FF7215B1000-memory.dmp
memory/3736-117-0x00007FF6BA840000-0x00007FF6BAB91000-memory.dmp
C:\Windows\System\dhJFyBV.exe
| MD5 | 2ed8157a7c39e4bc21e94fec389a9b7c |
| SHA1 | 741eafc94f1e368c1b917fceb00e01f203b417a8 |
| SHA256 | dff811aac871acda7fce14634a1622751cf9700c3117d7591a75345e226bfa2d |
| SHA512 | 7a560c38bf35f941005d7472e1d7965b5db55f5e6c957fb6a9ba2f2abe3d91771a09cf7928c6200afeb9d8dfb41bd3844040b8c52dc97f958740ce072b458dfa |
memory/3572-120-0x00007FF7E43A0000-0x00007FF7E46F1000-memory.dmp
memory/2984-105-0x00007FF6AE450000-0x00007FF6AE7A1000-memory.dmp
C:\Windows\System\cPGVsHb.exe
| MD5 | a689f9991acb25cc725587ca75f61aec |
| SHA1 | 0d1044a7364ba63d82f4ceb5b951a8dba859bdbd |
| SHA256 | 923914b3a70f6e9dd9748eb454cbb5f572874c978eec23b166c8ed93a343db8d |
| SHA512 | 16bf7e95618c59d0e3d7df68bd07b13ddf8ca072b35ceb86981fd1e358b23a61b941035d973a0e1138618ade5b30520276ff3b271d5609b534c6fa7d38793b2b |
memory/812-98-0x00007FF7A4250000-0x00007FF7A45A1000-memory.dmp
C:\Windows\System\uBJCIar.exe
| MD5 | 7b7edd81e7012ae57f62068f74464676 |
| SHA1 | 480c38901d8346a39b82dbbfbd974d2763efda68 |
| SHA256 | 746d225371594fa5d5d9e73b3b7f47d21982e6b488b74421b00549755c22f9d3 |
| SHA512 | e5cb98754cff915eec93528f012f6caeb0d104c3c95f9c2d4706cdba5fb23c4339cd54c0ece42d170acdf31311e28b9ed4339b7d7206a5c11a47467298e8c4e9 |
memory/3052-91-0x00007FF66A420000-0x00007FF66A771000-memory.dmp
C:\Windows\System\mbQjYeS.exe
| MD5 | be01081b3abf781341faa8dc02655a4e |
| SHA1 | 1afe4eb00fb92d3ec9ec6d819dcbb9a03a4028bc |
| SHA256 | 777a7ef2629d3dce42215522f5b2779a3b09760b5401b7cf55c4b6fe2e42e7ca |
| SHA512 | 0010a0394daf2e377450d152989337f4d45624b1c376d1ed48bfadf64cb7461aa023039a881fac4cf6f6c8ea36de7671f14ec55329850991534c554eafad02b7 |
memory/2816-80-0x00007FF7D24B0000-0x00007FF7D2801000-memory.dmp
memory/1628-76-0x00007FF658EF0000-0x00007FF659241000-memory.dmp
memory/3872-71-0x00007FF7157B0000-0x00007FF715B01000-memory.dmp
memory/2528-70-0x00007FF7E3C20000-0x00007FF7E3F71000-memory.dmp
C:\Windows\System\ggRpZPq.exe
| MD5 | c7bc7eb8d5784de2eb80faebe9349d8e |
| SHA1 | d676dec04043d07446f85002fe26efd5d82f717d |
| SHA256 | 0afecd25b755c9bb89feaa625805abab3e10bc6547e54f6d19e5a7ec42a7f65b |
| SHA512 | 8ae28944cb9593358d0cd7b239322642fa2772c81c020a12116d28d1e91534be37078bd6bf0c0572ec4c7367a05b4806bec7574b39eeb30fd2940d25a71bbe57 |
memory/5108-64-0x00007FF73FC60000-0x00007FF73FFB1000-memory.dmp
memory/3976-59-0x00007FF658400000-0x00007FF658751000-memory.dmp
memory/1404-51-0x00007FF6ED2B0000-0x00007FF6ED601000-memory.dmp
C:\Windows\System\yIyPxzF.exe
| MD5 | 26e61cbfeb1668e805882cc95ac9b464 |
| SHA1 | 4ca1bb83f3ac7bb171eb09613c413527cdf833d0 |
| SHA256 | 8cccac7e10efcdc1196383d3d3fdd44d0f334fddf6f74f0932fb230ae587760f |
| SHA512 | 27253a776aa4942b79e342581ec0af13811a48030726757adc2527b9c1687e9d137fa3bcb04f315c1574fa0c3e60312301e59d18cca85e77071e1306014105b5 |
memory/1888-38-0x00007FF7E4BA0000-0x00007FF7E4EF1000-memory.dmp
memory/1360-34-0x00007FF738340000-0x00007FF738691000-memory.dmp
memory/1168-31-0x00007FF6E10F0000-0x00007FF6E1441000-memory.dmp
memory/2984-22-0x00007FF6AE450000-0x00007FF6AE7A1000-memory.dmp
memory/1888-131-0x00007FF7E4BA0000-0x00007FF7E4EF1000-memory.dmp
memory/3872-132-0x00007FF7157B0000-0x00007FF715B01000-memory.dmp
memory/2528-143-0x00007FF7E3C20000-0x00007FF7E3F71000-memory.dmp
memory/3052-147-0x00007FF66A420000-0x00007FF66A771000-memory.dmp
memory/4852-145-0x00007FF6AF090000-0x00007FF6AF3E1000-memory.dmp
memory/812-148-0x00007FF7A4250000-0x00007FF7A45A1000-memory.dmp
memory/2988-146-0x00007FF786D50000-0x00007FF7870A1000-memory.dmp
memory/1628-144-0x00007FF658EF0000-0x00007FF659241000-memory.dmp
memory/5108-142-0x00007FF73FC60000-0x00007FF73FFB1000-memory.dmp
memory/3976-141-0x00007FF658400000-0x00007FF658751000-memory.dmp
memory/4372-140-0x00007FF6172E0000-0x00007FF617631000-memory.dmp
memory/1432-152-0x00007FF721260000-0x00007FF7215B1000-memory.dmp
memory/1376-153-0x00007FF794FD0000-0x00007FF795321000-memory.dmp
memory/3572-150-0x00007FF7E43A0000-0x00007FF7E46F1000-memory.dmp
memory/3872-154-0x00007FF7157B0000-0x00007FF715B01000-memory.dmp
memory/2816-203-0x00007FF7D24B0000-0x00007FF7D2801000-memory.dmp
memory/4252-205-0x00007FF730900000-0x00007FF730C51000-memory.dmp
memory/2984-207-0x00007FF6AE450000-0x00007FF6AE7A1000-memory.dmp
memory/1168-209-0x00007FF6E10F0000-0x00007FF6E1441000-memory.dmp
memory/1360-211-0x00007FF738340000-0x00007FF738691000-memory.dmp
memory/1404-215-0x00007FF6ED2B0000-0x00007FF6ED601000-memory.dmp
memory/1888-214-0x00007FF7E4BA0000-0x00007FF7E4EF1000-memory.dmp
memory/3976-218-0x00007FF658400000-0x00007FF658751000-memory.dmp
memory/4372-219-0x00007FF6172E0000-0x00007FF617631000-memory.dmp
memory/5108-221-0x00007FF73FC60000-0x00007FF73FFB1000-memory.dmp
memory/2528-223-0x00007FF7E3C20000-0x00007FF7E3F71000-memory.dmp
memory/4852-225-0x00007FF6AF090000-0x00007FF6AF3E1000-memory.dmp
memory/1628-227-0x00007FF658EF0000-0x00007FF659241000-memory.dmp
memory/2988-229-0x00007FF786D50000-0x00007FF7870A1000-memory.dmp
memory/3052-231-0x00007FF66A420000-0x00007FF66A771000-memory.dmp
memory/3736-235-0x00007FF6BA840000-0x00007FF6BAB91000-memory.dmp
memory/812-233-0x00007FF7A4250000-0x00007FF7A45A1000-memory.dmp
memory/2032-237-0x00007FF62A7C0000-0x00007FF62AB11000-memory.dmp
memory/3572-242-0x00007FF7E43A0000-0x00007FF7E46F1000-memory.dmp
memory/1432-244-0x00007FF721260000-0x00007FF7215B1000-memory.dmp
memory/1376-246-0x00007FF794FD0000-0x00007FF795321000-memory.dmp