Analysis Overview
SHA256
fb053700c8e22da1f55e71ee2c0037319850e7396b579c795ab4c74525268737
Threat Level: Known bad
The file 2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobaltstrike
xmrig
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Xmrig family
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-29 19:04
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 19:04
Reported
2024-05-29 19:07
Platform
win7-20240221-en
Max time kernel
135s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\kiWnGSI.exe | N/A |
| N/A | N/A | C:\Windows\System\DSUDzUm.exe | N/A |
| N/A | N/A | C:\Windows\System\nkvRATi.exe | N/A |
| N/A | N/A | C:\Windows\System\kyWQHYX.exe | N/A |
| N/A | N/A | C:\Windows\System\VhxtMAr.exe | N/A |
| N/A | N/A | C:\Windows\System\rPRbOHn.exe | N/A |
| N/A | N/A | C:\Windows\System\CjqOQnp.exe | N/A |
| N/A | N/A | C:\Windows\System\CqbHoMa.exe | N/A |
| N/A | N/A | C:\Windows\System\WAQbBHw.exe | N/A |
| N/A | N/A | C:\Windows\System\ZwUzSPc.exe | N/A |
| N/A | N/A | C:\Windows\System\KadOLwo.exe | N/A |
| N/A | N/A | C:\Windows\System\ppAuObW.exe | N/A |
| N/A | N/A | C:\Windows\System\avpFmpk.exe | N/A |
| N/A | N/A | C:\Windows\System\ldfgeyY.exe | N/A |
| N/A | N/A | C:\Windows\System\pAvtuID.exe | N/A |
| N/A | N/A | C:\Windows\System\fauNMFf.exe | N/A |
| N/A | N/A | C:\Windows\System\lKyVBSN.exe | N/A |
| N/A | N/A | C:\Windows\System\JVRgqNz.exe | N/A |
| N/A | N/A | C:\Windows\System\FEOzMbF.exe | N/A |
| N/A | N/A | C:\Windows\System\DVdZYma.exe | N/A |
| N/A | N/A | C:\Windows\System\KnQvsHO.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\kiWnGSI.exe
C:\Windows\System\kiWnGSI.exe
C:\Windows\System\DSUDzUm.exe
C:\Windows\System\DSUDzUm.exe
C:\Windows\System\nkvRATi.exe
C:\Windows\System\nkvRATi.exe
C:\Windows\System\kyWQHYX.exe
C:\Windows\System\kyWQHYX.exe
C:\Windows\System\VhxtMAr.exe
C:\Windows\System\VhxtMAr.exe
C:\Windows\System\rPRbOHn.exe
C:\Windows\System\rPRbOHn.exe
C:\Windows\System\CjqOQnp.exe
C:\Windows\System\CjqOQnp.exe
C:\Windows\System\CqbHoMa.exe
C:\Windows\System\CqbHoMa.exe
C:\Windows\System\WAQbBHw.exe
C:\Windows\System\WAQbBHw.exe
C:\Windows\System\ZwUzSPc.exe
C:\Windows\System\ZwUzSPc.exe
C:\Windows\System\KadOLwo.exe
C:\Windows\System\KadOLwo.exe
C:\Windows\System\ppAuObW.exe
C:\Windows\System\ppAuObW.exe
C:\Windows\System\avpFmpk.exe
C:\Windows\System\avpFmpk.exe
C:\Windows\System\ldfgeyY.exe
C:\Windows\System\ldfgeyY.exe
C:\Windows\System\pAvtuID.exe
C:\Windows\System\pAvtuID.exe
C:\Windows\System\fauNMFf.exe
C:\Windows\System\fauNMFf.exe
C:\Windows\System\lKyVBSN.exe
C:\Windows\System\lKyVBSN.exe
C:\Windows\System\JVRgqNz.exe
C:\Windows\System\JVRgqNz.exe
C:\Windows\System\FEOzMbF.exe
C:\Windows\System\FEOzMbF.exe
C:\Windows\System\DVdZYma.exe
C:\Windows\System\DVdZYma.exe
C:\Windows\System\KnQvsHO.exe
C:\Windows\System\KnQvsHO.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
Files
memory/1948-0-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/1948-1-0x000000013F8F0000-0x000000013FC44000-memory.dmp
C:\Windows\system\kiWnGSI.exe
| MD5 | 7314b8ee3d03920b0f92c9748334ee36 |
| SHA1 | 542bf86d7d6aafe90a3de3c13b07afca810c1fa4 |
| SHA256 | b5aaafe267ca341ad22eed32305f80fba87358642255b5398890cc5f717abfa2 |
| SHA512 | f8901c172531a481159f0b3ec0b83545ab6b6774224c0aa1e40c435e6b42de05c1c4b9f5562d5bdc93b8f8eccf36c3d8060b55ed543db0d466fcd7202f0aa819 |
memory/2228-9-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/1948-8-0x000000013F090000-0x000000013F3E4000-memory.dmp
C:\Windows\system\DSUDzUm.exe
| MD5 | bc69747e351d7ce386e8c3b64a9381bd |
| SHA1 | ecca9714f1ac43d74ce9da34807ce9eebd860486 |
| SHA256 | 3dabe4528231c523a991f3636329a8a178e73ae191815877a481f7690ce70ae2 |
| SHA512 | 57e395389ce25ea1d0e2a5030307fb5a8bae3d49442b6f48f3ad3add1b158304fb098bae0c094935e061a28f65107982792aaf206b5b3c8acb3acd64531823c2 |
memory/2480-16-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/1948-15-0x0000000002560000-0x00000000028B4000-memory.dmp
C:\Windows\system\nkvRATi.exe
| MD5 | cb2f3c86cffb5aaf50088258cd646a5f |
| SHA1 | 2ccc8b2f7e3354a6a98067ebdd56597341914596 |
| SHA256 | 7ec7f642e6db593574fe2ed5d796710078a237a4523493eab84fff2bcb5f8a96 |
| SHA512 | c9af1c12a9520d0dbc6adec36e83f41e5c313d5f98133b48b194e8279b3b29a29c92d22256451073c3e5c31f25b3f856faa2cfe0387022b8a665585827214d7e |
C:\Windows\system\kyWQHYX.exe
| MD5 | 713eb06b68e6edb9c2d27008fb2cb1ba |
| SHA1 | cffe1fdbf79e736b3842256307ec40536d4c554f |
| SHA256 | 733e727a2cf192c65836281cec8e61cc3c8958359eacf0d568fc319e3ca17c3f |
| SHA512 | 4dd49d5479a3c7971a550f36002225cc02c6332aaf911e648d9d9da2864a8fae33d564cc207d93d276ea7cc246b4ab16b4da8ef8db89f455a3bc15e959580ee1 |
memory/1948-26-0x0000000002560000-0x00000000028B4000-memory.dmp
memory/2532-24-0x000000013F900000-0x000000013FC54000-memory.dmp
\Windows\system\VhxtMAr.exe
| MD5 | 7b9e21708fb625ebaf34325e1f365348 |
| SHA1 | ffa4f6b30de8ff8d526f9078d0df8021e129a6fe |
| SHA256 | 208a162916e7b09816376e79af9a3992c3f717f4a8ce437fb38bba7b69d14834 |
| SHA512 | 31d5cdaec3c0cdc015d881590c1d95c4d47d3e3b21b2c432b0ef057ef222844247c4d1d1f6983fc53c2d4ae8301d9ff869ff199400488a02841bf1df96816b6a |
C:\Windows\system\CjqOQnp.exe
| MD5 | a37051daa1e26e2fdc5f3c18a994a290 |
| SHA1 | 6754ac79d2e97d96e013d521e1570afe4bc20d76 |
| SHA256 | fcbfe7b55feb08e8f71b3dfa6a8a57b61ea55f62071804bc94b02c11e582f48b |
| SHA512 | d1391a68ba9851e2acd92f05c81c67cb925edcefba6b9ad8854dfd6fbe6a047489f29652e4ff8a73e6b1cf4db1603eec76bf7d6438c93dee1db52bd1fdf23c15 |
C:\Windows\system\CqbHoMa.exe
| MD5 | 056058903a9d4d0f01079c7860516940 |
| SHA1 | 10cb11a049e642f6104e5afffdac2372bcf945c8 |
| SHA256 | 973ade447d9a89dd16663ed58bf001654ee827577de31d626b58f47661555ea1 |
| SHA512 | baf8b02610db8dd8e9e501229509a0a5e5e94e04b5869fa1defa849b68e9d13df3581c57e4a346af3a0915a4186076f9f9efda3a7a106e99c001e229cf55f752 |
C:\Windows\system\ZwUzSPc.exe
| MD5 | 7b421f14f8c3aa873b77b481a66e7f10 |
| SHA1 | aaa96aaab8342c16722062cab8e585555e4e8e69 |
| SHA256 | 3c11c3ae018b16dd85491d959a3b9e4d29d9ad9d7657e361e521ecb7b071c416 |
| SHA512 | d7ccbb7b5a6021b46bb504c007707ff5c44603eca25c5f6795b3901d4b3fa2e2a112e116074ac03a5799e3540d1b8598b53a511336516f633c35b54689c5b35a |
C:\Windows\system\fauNMFf.exe
| MD5 | 18346f21c29b828398fac1af581d7253 |
| SHA1 | 793215a6938128c3fcfd35fc43962b9687f126bc |
| SHA256 | a4649ca0492d60611fad5a19552919dd05b51b5e0559568820dd6ba5f409899f |
| SHA512 | 1ebeebfb3a7250d78b08085ef860d0a48689278c4774b76888580f7b996368ac09a2cf0196a6671912db0ec7dda8d93a209083c4a43ea9e915464e2104b321ac |
\Windows\system\KnQvsHO.exe
| MD5 | e83273e490364a5843cdd43f29f1f69e |
| SHA1 | 14f409f085a6cea586c787124e0bb5ae56e2ec86 |
| SHA256 | de49a3fbeca5ad4168b98b3dbc9dbd4d07ea8ac4b263f12fe23d9a0304e48aa0 |
| SHA512 | fd50b8a44b3bb5883eec498a709b133d7b091fce33aa917f5d3490d7302a1704ea85281cdea9e62597f65ce86f7bfcf1b2ae4e960f74c4c8c7b0d0c237e5e92a |
C:\Windows\system\DVdZYma.exe
| MD5 | ed160aaf55237ba49cd940eac59593a4 |
| SHA1 | bd4a22c2d73be22c927cca58f8ea036fc34f61e0 |
| SHA256 | 0c8f19cdfed2ab157210b9d787294674e15d5a9c4797aeaf1f4e29aea1f5fbe8 |
| SHA512 | 0485f89b2fa277dec257b081c558c4ef2d8163a0a330bc497ff76ee188dc4b8ca1d462a89d8b5266d5190302e7b7095cc3789b7764aca10f7232e45e40279e22 |
C:\Windows\system\FEOzMbF.exe
| MD5 | 52c0e89dd609f74b768fe63cf19622d9 |
| SHA1 | 133f6c668be43d8e3cbdf0e746b384038fb5ddae |
| SHA256 | dd85a8385ef577d171bb4dd79ff4a314fb97be621965051f9c5bca64b85b9c08 |
| SHA512 | 3b2e1bcd9825586e6a12d934cc14e5dad6dc66e35e51bdb5f78126c335202e2d8c89f197801caac7cac24e472c6ce5f80fd3fae7ac1801b0b4d1238018b8d36d |
C:\Windows\system\JVRgqNz.exe
| MD5 | f95aac0f59a9fce5534e93686c9198aa |
| SHA1 | 56d6d3dc959371db7a4afebfefc045b2ffeae149 |
| SHA256 | 46d4ab3ef0a85289922d1569168e4983d99d258bd8b53ee16b9c123eaf66a1d3 |
| SHA512 | 09ddf52750f97853b60397e321fec73a320e6c9651205a0e494f7a4a86598f040d3a6f54f8e430c329f8dadb8b318623ceb5ec3e70327c925f596b2992e065c3 |
C:\Windows\system\lKyVBSN.exe
| MD5 | dba1e268b3d98d3a5be16f8ec263f4c7 |
| SHA1 | 5c2948da21e7743a55e7496e90ee728a062183d6 |
| SHA256 | a71cd1ff0c3417895bf868a98b322779d46c28b25174ad44fa341f6bcac16f5a |
| SHA512 | 33fc3dbe13deeff66cb5b01fe6dd5c2ff71235a9662f1986e4b6c6214aafc1e052197d5eed747293060858b67670d2767b0848d0a11fb60ef1681cc53f8cdb8b |
C:\Windows\system\pAvtuID.exe
| MD5 | 33f3122a8f88ef4b91c3e98150e63b4c |
| SHA1 | b5280fb7c43f00c41eb515cca779dc7638d0b514 |
| SHA256 | 8ad79ef5c0d32657344c046a663941ca5640f371cc435f49cb577e440ac5677f |
| SHA512 | 553a9b98cbff9bdf6e076cbf01f4ecf5fd785cd695f491f38c6e090d422590e151badea8a4255f0676a565051f371a25ec335efb7128fa1eacb49783d7f7e625 |
C:\Windows\system\ldfgeyY.exe
| MD5 | fefb75647526efa3772446e2ae9af5a4 |
| SHA1 | 1b20adcd303b0e6df0338c4420cd78eef7a01eb9 |
| SHA256 | 72ed8a65461f3412bf8f262645435ac3563a2a5ecaa3c9d2dea08e491d18f48b |
| SHA512 | 25ec3badb0e5324e441da3379c1a1947f36e738b8953a4a4a92beae51e493bcecb69562c44a2986595e0ba1b5b840e22c186526349b2ae4f324f3585e0172fdd |
C:\Windows\system\avpFmpk.exe
| MD5 | 9ddc862ec57dbdd11492be4b0e415d5c |
| SHA1 | 3f4ee259a14cf6c4dce108a10cd3c53d28fd17fc |
| SHA256 | c4635f9c0ed4ff7aa5b2bafdba508ed7612006cb5e1918283e19eab965dfd1a3 |
| SHA512 | 2f600a4d461370fff49ad06f7212a55d1a00b890e071c2da06bf1e47e8b92454ef15cb52b14702898665906fdd25310d21bfba8e32b517e86b624299fabdd8e5 |
C:\Windows\system\ppAuObW.exe
| MD5 | 3ad865ca45fb6fbc6a7555aa47c28452 |
| SHA1 | 1839a9e3d3e35c71f0242e8f52f3f6c85b505606 |
| SHA256 | 07562b3694730a14613eb4fd1df04cf1ee307ff4732d3b3fe6602580e25293a2 |
| SHA512 | 1ec7689c4a0f9f04fc7f6391e11ec5fca7a985cba30cbae14b297e38adfb2f5920dc20844411c2ebabf37576524b345f459ac120a9442e07dbecce6d9b13fe25 |
memory/2612-113-0x000000013F6E0000-0x000000013FA34000-memory.dmp
memory/2492-114-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/1948-115-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/1948-117-0x0000000002560000-0x00000000028B4000-memory.dmp
memory/1948-121-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2412-120-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/1948-119-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2660-118-0x000000013FA90000-0x000000013FDE4000-memory.dmp
memory/1208-116-0x000000013FC80000-0x000000013FFD4000-memory.dmp
C:\Windows\system\KadOLwo.exe
| MD5 | fbc0032cccc4435e4ed1d299a3e655fb |
| SHA1 | 636cb9802dd21637e79967f2c078ab2551339ff2 |
| SHA256 | de58efa57ea0e9fc85540ca32aa4e54d563e745c855080dd1237b78adc349ce9 |
| SHA512 | 9f22bb770aceeb89963fdf9fc11d80f736d1245b881be6f98e4bc927f45305ba50551bb7085e948ce4ade660e11eace4b40cc7667faa133adadcfb69cf113ab8 |
C:\Windows\system\WAQbBHw.exe
| MD5 | a9e608bfabeb1a5a9f0fe315c6e58082 |
| SHA1 | b2d0afe43fc9d4de1a15f584cf41c8e4e8cabf16 |
| SHA256 | 1d13f1c2114e1b5b2137d5d05265e33205f04923aff4473b266890cb73b43600 |
| SHA512 | 26215c448fad2822d71f956ea07524d326dd29e1e3d928d368bcc034d6206770da51baf7740135395ad651b78140cebbf66d49abf3077219661b80a7d290b586 |
C:\Windows\system\rPRbOHn.exe
| MD5 | 25cdbd1c99aaee2568bd82effd170611 |
| SHA1 | 0ac6282b6be78816342fd00d9ef94c95a39a22ce |
| SHA256 | 680f547a54ce5d6148b3f2f06370397662369635186db44a43251ef2bb1766a2 |
| SHA512 | bb72d36cf045a1d5ae26ac42b74a3be9a99339d40dd803235881439f5ffb5f4cc971f8a5bab28846866511f54ea0bf9282d8974872102868f00429462e826a94 |
memory/2388-123-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/1948-126-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/3048-129-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/1948-131-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/1436-130-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/1948-128-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2852-127-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/2440-125-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/1948-124-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2496-122-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/1948-132-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/1948-133-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2532-134-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2612-135-0x000000013F6E0000-0x000000013FA34000-memory.dmp
memory/2228-136-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2480-137-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2532-138-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2612-139-0x000000013F6E0000-0x000000013FA34000-memory.dmp
memory/2492-141-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/1208-140-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2660-142-0x000000013FA90000-0x000000013FDE4000-memory.dmp
memory/2412-143-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2496-144-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2440-146-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2388-145-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2852-147-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/3048-148-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/1436-149-0x000000013F720000-0x000000013FA74000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 19:04
Reported
2024-05-29 19:07
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\rvTFjUt.exe | N/A |
| N/A | N/A | C:\Windows\System\kjHLEnQ.exe | N/A |
| N/A | N/A | C:\Windows\System\xMFbawp.exe | N/A |
| N/A | N/A | C:\Windows\System\syllxbu.exe | N/A |
| N/A | N/A | C:\Windows\System\BrjjDPg.exe | N/A |
| N/A | N/A | C:\Windows\System\wpbCyWL.exe | N/A |
| N/A | N/A | C:\Windows\System\VxkbsTz.exe | N/A |
| N/A | N/A | C:\Windows\System\nMyHiZY.exe | N/A |
| N/A | N/A | C:\Windows\System\SVzFOzA.exe | N/A |
| N/A | N/A | C:\Windows\System\FxuQdXi.exe | N/A |
| N/A | N/A | C:\Windows\System\CypEleV.exe | N/A |
| N/A | N/A | C:\Windows\System\phrTarn.exe | N/A |
| N/A | N/A | C:\Windows\System\nMVciAI.exe | N/A |
| N/A | N/A | C:\Windows\System\qwqqrAJ.exe | N/A |
| N/A | N/A | C:\Windows\System\nFRosmP.exe | N/A |
| N/A | N/A | C:\Windows\System\xdPViQd.exe | N/A |
| N/A | N/A | C:\Windows\System\TTSvtJX.exe | N/A |
| N/A | N/A | C:\Windows\System\EOToHCK.exe | N/A |
| N/A | N/A | C:\Windows\System\cLOZBMn.exe | N/A |
| N/A | N/A | C:\Windows\System\hqtgJfc.exe | N/A |
| N/A | N/A | C:\Windows\System\ZagpIdE.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\rvTFjUt.exe
C:\Windows\System\rvTFjUt.exe
C:\Windows\System\kjHLEnQ.exe
C:\Windows\System\kjHLEnQ.exe
C:\Windows\System\xMFbawp.exe
C:\Windows\System\xMFbawp.exe
C:\Windows\System\syllxbu.exe
C:\Windows\System\syllxbu.exe
C:\Windows\System\BrjjDPg.exe
C:\Windows\System\BrjjDPg.exe
C:\Windows\System\wpbCyWL.exe
C:\Windows\System\wpbCyWL.exe
C:\Windows\System\VxkbsTz.exe
C:\Windows\System\VxkbsTz.exe
C:\Windows\System\nMyHiZY.exe
C:\Windows\System\nMyHiZY.exe
C:\Windows\System\SVzFOzA.exe
C:\Windows\System\SVzFOzA.exe
C:\Windows\System\FxuQdXi.exe
C:\Windows\System\FxuQdXi.exe
C:\Windows\System\CypEleV.exe
C:\Windows\System\CypEleV.exe
C:\Windows\System\phrTarn.exe
C:\Windows\System\phrTarn.exe
C:\Windows\System\nMVciAI.exe
C:\Windows\System\nMVciAI.exe
C:\Windows\System\qwqqrAJ.exe
C:\Windows\System\qwqqrAJ.exe
C:\Windows\System\nFRosmP.exe
C:\Windows\System\nFRosmP.exe
C:\Windows\System\xdPViQd.exe
C:\Windows\System\xdPViQd.exe
C:\Windows\System\TTSvtJX.exe
C:\Windows\System\TTSvtJX.exe
C:\Windows\System\EOToHCK.exe
C:\Windows\System\EOToHCK.exe
C:\Windows\System\cLOZBMn.exe
C:\Windows\System\cLOZBMn.exe
C:\Windows\System\hqtgJfc.exe
C:\Windows\System\hqtgJfc.exe
C:\Windows\System\ZagpIdE.exe
C:\Windows\System\ZagpIdE.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
memory/5088-0-0x00007FF73AF80000-0x00007FF73B2D4000-memory.dmp
memory/5088-1-0x00000188FA170000-0x00000188FA180000-memory.dmp
C:\Windows\System\rvTFjUt.exe
| MD5 | 78121881c098c0deff65397fdbb8a346 |
| SHA1 | 703a40d3494d2ef9531f06f637964b477e8ceef5 |
| SHA256 | 28e0683831f1ddbefca73a063ec03cdae0d769b64ca338a13e485cfc70b9e288 |
| SHA512 | 4a5efea831bd29c6b3b7e9eb760b49f9ddb72b03deeff837e71d082c1db32201e64a0aa86343aa8c1f7f4221bb396ac25f5d7596466f8ac2d85195267f4458e9 |
memory/3040-8-0x00007FF75FE00000-0x00007FF760154000-memory.dmp
C:\Windows\System\xMFbawp.exe
| MD5 | 8f54b179644aacfdc145ead4e542b6f6 |
| SHA1 | f7600e7cb578325f22b5ede17a62e2573af340a0 |
| SHA256 | ce3389032cd529c6ade77d2e2d94ee6bfdd17388f44e5831da46492f6095d7b7 |
| SHA512 | 16fa37eb3ad469e3ec724ca906041b85df9a602883f06d8c0933f5f617186794f27acb2cff9998a28cb0d995e3bf78dcaeb572f32abbcea1a91398e9702090b1 |
C:\Windows\System\kjHLEnQ.exe
| MD5 | 14f100f1dbcf3f240a52304952b9246a |
| SHA1 | 6819d41ccbfff3a90178c2ab04a62070a6618a60 |
| SHA256 | 35864af4e0db6348b772db5ba70b4332bfd19eac18df12d239afce9179517842 |
| SHA512 | 6b6e578c0ac83b2dc7a657d3e9b6861568ed92f8042e4c6cdfb8ace97fe9b77f99f7988dc1720a375b97f95ca5f0ac0933573d0c8de4140ff155d35768c52aea |
C:\Windows\System\syllxbu.exe
| MD5 | 0b98ece4e68ac7629d5ce0c09a682ed3 |
| SHA1 | 163e257b732afcf6f90bc196e7983beb516b8908 |
| SHA256 | b9fb7c86733b5ba9c780be71ae4c1e955e02c1010f517dede34b93af01d16ac1 |
| SHA512 | a917a9b53777b22c5763be31d67f82aceff0d5d7e2fda56c2d2ce5a3104b84a7e265041add6dc48dbbd13d97d7f0f8e1f066611625fbcba23f7e7a301030403a |
memory/3736-31-0x00007FF77C720000-0x00007FF77CA74000-memory.dmp
C:\Windows\System\wpbCyWL.exe
| MD5 | 0e4dd2d74d63407bc621310ce848ba3c |
| SHA1 | 39245757485b54d77f8166b161e80165c9736b93 |
| SHA256 | dde816f233767e8cbf114aefe6de14825de752f396c689e7660b699074703497 |
| SHA512 | b3246ced9b8e9077178a03dfd42464f983b722309fa859e489de5880da588c4f5ce79ec87d0004cc0c2e9b41f77d87ebb0585c3de1e969487f6a4608dc8e2542 |
C:\Windows\System\VxkbsTz.exe
| MD5 | 47fd7deccc4821a41c0bb7da546224e6 |
| SHA1 | 6090025d9895c332346eec2a8245c964483df477 |
| SHA256 | 590f2c763356c45743337426bea636af601b0c13787ac09c385dee2a8bad41c4 |
| SHA512 | 89449fed6cc59bf99a0fee51bb91eb0b00398b616eccc1298df28d051bda944d5932afbbb2cf78f346ebc8c1aa258239d8a5f0fcef91caf2e2b940d1304231f4 |
C:\Windows\System\SVzFOzA.exe
| MD5 | b9798269112fd978a7fc64ef797bcf12 |
| SHA1 | 4481c8331f7ccb58991d4f9d3d81d702f41c2b18 |
| SHA256 | 69f30a175ab1263bb75788c55e99912be3e6103640b812bed967af00c66fe52d |
| SHA512 | fa7ba9d141d115877e7cf6fcef65939027e3ee79589ad60450dfbed7e99b07ca887fd449761e29750aab6998c50f88541bb4b96454847763d22dbbb941c6cfd2 |
C:\Windows\System\FxuQdXi.exe
| MD5 | 4dc04f4537ef83391695227b18c19ef1 |
| SHA1 | 016e6b9c298424c18186097c57f8307e51841efb |
| SHA256 | e44cb58648b3010cfbb2d222b82a26ee7b68d1211723b77ad485b5069eb025c5 |
| SHA512 | 1354116bc74748a442ba961eb52daebe90cc623a15be7279cb4d4af4da8bc81fc36cbb45e39d86ef3717eaba2be4f6975da6993ab16bc6f5560a8a4c86279498 |
C:\Windows\System\CypEleV.exe
| MD5 | 8fe4d289ac300c491955c9dd2d0c6c1c |
| SHA1 | 5f9e30873aa93db3360039910b7c279d2cbd000c |
| SHA256 | 3a14fd067d2ebf40232ccacf1b11e8339121178b3eceacfa559e30a81c1fd0df |
| SHA512 | e61d3ef13202389e66b20f8c4f8d72df6b3a456c0407119324c7ab3740e659242629ce013007dc489dade4e19ec7474f4b0da926a4b412befe1c35bdb25fd172 |
C:\Windows\System\phrTarn.exe
| MD5 | 8862d4b6405727649718eaa69601b4f5 |
| SHA1 | 5d1aa6a90a935178149971fae6537df8b5a2666a |
| SHA256 | 55c48d8b6a0113e7a3a092b3b7453cf26f96973350cc22ec07750ae180fa9e4a |
| SHA512 | b7b086bcbda0b7675005979f7e66f03a0d31ca89b2f9d3098843ac6a85ae2bdf6a9b01a46b5afb517ee5fe651da07e7c901ee15523161bfc790b8b42c2e952ee |
memory/4568-74-0x00007FF64F950000-0x00007FF64FCA4000-memory.dmp
memory/2736-79-0x00007FF76BBC0000-0x00007FF76BF14000-memory.dmp
memory/1720-80-0x00007FF6D3C70000-0x00007FF6D3FC4000-memory.dmp
memory/2068-78-0x00007FF6F7120000-0x00007FF6F7474000-memory.dmp
memory/4228-77-0x00007FF7C07F0000-0x00007FF7C0B44000-memory.dmp
C:\Windows\System\nMVciAI.exe
| MD5 | 1432dc9a7181f043bac00b477a1ac8cb |
| SHA1 | 1e198c458ea19b43aa4c6b22baf815784c949cd8 |
| SHA256 | 45bf4a282b37b4994b0e5f2d350f2bb42e142df7621acb3b3e0cc61685f3b04a |
| SHA512 | 1681a553ed199c6e1a2509022c36e653d31e1c5e740b5d995d174240e49f8f292343f46ebcf879497c3a6daa0dd5778cc26420754a6334f4b5701ce12025a8c4 |
memory/4124-71-0x00007FF6AFC50000-0x00007FF6AFFA4000-memory.dmp
C:\Windows\System\nMyHiZY.exe
| MD5 | 573b1efbf52e7413f894008c004379d0 |
| SHA1 | 6c6ac242cb3fbc57084cc27504caa7a5427cdabd |
| SHA256 | b79ea6bcaa9970989d15cbe8607a489285e4ae5db46229a9b8dd6a55200e873f |
| SHA512 | 05201c3b5adb88730f0f7e7fbc9cf05cd5f00c3dda23a1538e398ca812344bd0148ec76114a38bd4b8bd862c928b1ce71fc73822ac2608427080c6c524e26418 |
memory/1816-47-0x00007FF611B50000-0x00007FF611EA4000-memory.dmp
C:\Windows\System\BrjjDPg.exe
| MD5 | e8ce01b3c5693de6214d081e50507575 |
| SHA1 | 12f0a27a950524f6a6eda7498f128aa7ead0ecdf |
| SHA256 | 75f1f3896f54357280f8ba1c2967fb231fb36726e9d8ef081806dbe4c6a92ba3 |
| SHA512 | 7200f390ccb0fef995e33aa385d6378502b486edde3540a40a3c1f9a5a9785bb8fc3bef75b55373c7fdb59655bc6732c4b782f491d679ced74b1ad1c7a4ca119 |
memory/2868-32-0x00007FF78A1D0000-0x00007FF78A524000-memory.dmp
memory/1424-29-0x00007FF7D6C90000-0x00007FF7D6FE4000-memory.dmp
memory/1172-28-0x00007FF6DDFE0000-0x00007FF6DE334000-memory.dmp
memory/3880-20-0x00007FF7C3D20000-0x00007FF7C4074000-memory.dmp
C:\Windows\System\qwqqrAJ.exe
| MD5 | d95e25ebba614c23d26b9add44a24250 |
| SHA1 | 7ae68d05a05f46e1205d43d99afe4a77654e9855 |
| SHA256 | fac29b003d9fbe86299428a8270ec69ba60d41dab017342b6583440834027bd9 |
| SHA512 | bb9a63e7b8998b73c4bb911d77d5c018b7f72db60ed9e5fb9d9fa1d86fbefae6794d9b714826618a529ac0bf502063b20289da445274de0e79322c8de7087927 |
C:\Windows\System\nFRosmP.exe
| MD5 | c9a233c3dc398ef48aec654984a8765f |
| SHA1 | c1766321390b772e8f06304af7c58ebe85243434 |
| SHA256 | d7bb9c192c695a42b360f21ff73d313eba8cd8918e0bf52fcb1cb00bbe49d69a |
| SHA512 | d92c3501e1b390ce4acc99786e1272fa55e57988ed7bdbaf1123186df7d922cd039ad2877e7a459fc12aaa5052325348622974c0fd180d6aa7d99c270137bada |
C:\Windows\System\xdPViQd.exe
| MD5 | fefea277715290355710d390965a1f9b |
| SHA1 | e817381ea27ebf0f173920d2260a3748d38cba88 |
| SHA256 | bfad433c3c74efc10833105a9e4a0e8a1c9261dafa72ff86a52e02f6840f14e3 |
| SHA512 | b46eaa4db230f858542a60fe28ef49d6e5df6bbcc911dee9bc7524002711083421b6f8e31bde3b6470caca2459c6c1b2d1b2318e14d2c44feea69c2cd8bff4c4 |
memory/1964-100-0x00007FF7FADD0000-0x00007FF7FB124000-memory.dmp
C:\Windows\System\TTSvtJX.exe
| MD5 | d9bf07ba1a10e478d12706576134883a |
| SHA1 | 1e04652eb4b92794b58ab442da9c168f25cc4869 |
| SHA256 | 79456ef7e560508e61d676396b3655cb98453aab1366bff99fc21af32735e7e2 |
| SHA512 | c26c9a8790fc48e9914b0cb9631e69054bf71fbc831c52041c99079b275ba84804e28b573031a610ca65734579c48352d6a903683109ad11b26b0106e59e4dc1 |
memory/4752-110-0x00007FF75C5A0000-0x00007FF75C8F4000-memory.dmp
C:\Windows\System\EOToHCK.exe
| MD5 | f378f38f122a02a5ff72bba9e2cc8110 |
| SHA1 | 55fece22f903d9e9b4c473150f6fe5c13ca657e1 |
| SHA256 | 1eaf5d924ce90d96dd3fa1a03f51e90f338f444c1624e18c45d6a8899e415efd |
| SHA512 | 18c800ea6087272fd081229a7d7920e5f6d0736ecd70964829828b835126d3e2767acfa35e3f1fe5b6986e4c3d72a2fd4e9c88f481ad1db77c7bb1c3b37e62e1 |
memory/4468-109-0x00007FF659290000-0x00007FF6595E4000-memory.dmp
memory/3040-105-0x00007FF75FE00000-0x00007FF760154000-memory.dmp
memory/5088-98-0x00007FF73AF80000-0x00007FF73B2D4000-memory.dmp
memory/3712-96-0x00007FF65D140000-0x00007FF65D494000-memory.dmp
memory/4672-86-0x00007FF6FA300000-0x00007FF6FA654000-memory.dmp
C:\Windows\System\cLOZBMn.exe
| MD5 | 63f7cf20107017862490e0631b0af8fc |
| SHA1 | 688381a73443372db7a56594e82f1ec8f43e2eb4 |
| SHA256 | 39c95f9a5892d37ad5cb7cdce18d568f33bb09024f92d96cfc61832f4336c65d |
| SHA512 | ef7d4daf4b21f26fcd1b4307f04060470d9982376f1c1e4cc8e86101c0a8920d2b973b5005be54b352aa74679afac70b081dbd2e9a1c714e02865fc1c9a40980 |
memory/1424-116-0x00007FF7D6C90000-0x00007FF7D6FE4000-memory.dmp
C:\Windows\System\hqtgJfc.exe
| MD5 | 5311ca3d45a634b1237433ec491d68e0 |
| SHA1 | f03f1482c841fec8f23bb6749ea942b345964a6d |
| SHA256 | 195b6cfd3b099a4a44ebb28b360bcce14fa514ed0b1f7d70429b044cd546b4b7 |
| SHA512 | af499166d87bb92b51018e6e89b240bb8e8247a209ffc74c9ec61aa5b9807d45ab9c70bbd9f085d819836c1f7dcefb3a00ccf32c9d827c2dcf6c033b61af386b |
C:\Windows\System\ZagpIdE.exe
| MD5 | d2840a7433e9d3c2707b85fedc4df778 |
| SHA1 | 187332f9e4f9e2a36f41b520490d968fbc8fd24a |
| SHA256 | 779138722bdda7fdc944dc69b45ebdf5bebf80ff949872e252af1ee066a6a20e |
| SHA512 | 5d6f40d5f081046c3b48836102ec4fecaf04677ee786a8fea328fb6a278cbc1039a59e5bfc026440be7dee148e49880be18683092503fe0b361d0bcbb8beed8b |
memory/3372-129-0x00007FF6E5050000-0x00007FF6E53A4000-memory.dmp
memory/3736-120-0x00007FF77C720000-0x00007FF77CA74000-memory.dmp
memory/1528-130-0x00007FF78D380000-0x00007FF78D6D4000-memory.dmp
memory/4560-131-0x00007FF694870000-0x00007FF694BC4000-memory.dmp
memory/2868-132-0x00007FF78A1D0000-0x00007FF78A524000-memory.dmp
memory/1816-133-0x00007FF611B50000-0x00007FF611EA4000-memory.dmp
memory/4672-134-0x00007FF6FA300000-0x00007FF6FA654000-memory.dmp
memory/1964-135-0x00007FF7FADD0000-0x00007FF7FB124000-memory.dmp
memory/4752-136-0x00007FF75C5A0000-0x00007FF75C8F4000-memory.dmp
memory/3372-137-0x00007FF6E5050000-0x00007FF6E53A4000-memory.dmp
memory/3040-138-0x00007FF75FE00000-0x00007FF760154000-memory.dmp
memory/3880-139-0x00007FF7C3D20000-0x00007FF7C4074000-memory.dmp
memory/1172-140-0x00007FF6DDFE0000-0x00007FF6DE334000-memory.dmp
memory/3736-141-0x00007FF77C720000-0x00007FF77CA74000-memory.dmp
memory/2868-142-0x00007FF78A1D0000-0x00007FF78A524000-memory.dmp
memory/1720-145-0x00007FF6D3C70000-0x00007FF6D3FC4000-memory.dmp
memory/4124-144-0x00007FF6AFC50000-0x00007FF6AFFA4000-memory.dmp
memory/1816-146-0x00007FF611B50000-0x00007FF611EA4000-memory.dmp
memory/1424-143-0x00007FF7D6C90000-0x00007FF7D6FE4000-memory.dmp
memory/4568-147-0x00007FF64F950000-0x00007FF64FCA4000-memory.dmp
memory/4228-150-0x00007FF7C07F0000-0x00007FF7C0B44000-memory.dmp
memory/2068-149-0x00007FF6F7120000-0x00007FF6F7474000-memory.dmp
memory/2736-148-0x00007FF76BBC0000-0x00007FF76BF14000-memory.dmp
memory/4672-151-0x00007FF6FA300000-0x00007FF6FA654000-memory.dmp
memory/3712-152-0x00007FF65D140000-0x00007FF65D494000-memory.dmp
memory/1964-153-0x00007FF7FADD0000-0x00007FF7FB124000-memory.dmp
memory/4468-155-0x00007FF659290000-0x00007FF6595E4000-memory.dmp
memory/4752-154-0x00007FF75C5A0000-0x00007FF75C8F4000-memory.dmp
memory/3372-156-0x00007FF6E5050000-0x00007FF6E53A4000-memory.dmp
memory/4560-157-0x00007FF694870000-0x00007FF694BC4000-memory.dmp
memory/1528-158-0x00007FF78D380000-0x00007FF78D6D4000-memory.dmp