Analysis Overview
SHA256
cc10ed67eb1633f366be0a3d378a005e8f6fd5a0a97a0425fc0aff4159fb2970
Threat Level: Known bad
The file 2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike family
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Cobaltstrike
xmrig
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 00:50
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 00:49
Reported
2024-05-30 00:52
Platform
win7-20240221-en
Max time kernel
142s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\hYIpsly.exe | N/A |
| N/A | N/A | C:\Windows\System\WWufrzQ.exe | N/A |
| N/A | N/A | C:\Windows\System\fbcmGXF.exe | N/A |
| N/A | N/A | C:\Windows\System\wPOFSyj.exe | N/A |
| N/A | N/A | C:\Windows\System\RWIjGBX.exe | N/A |
| N/A | N/A | C:\Windows\System\FaobcWq.exe | N/A |
| N/A | N/A | C:\Windows\System\KecQdwv.exe | N/A |
| N/A | N/A | C:\Windows\System\qLWqdiA.exe | N/A |
| N/A | N/A | C:\Windows\System\ffkwXZj.exe | N/A |
| N/A | N/A | C:\Windows\System\HpYGpQl.exe | N/A |
| N/A | N/A | C:\Windows\System\xITwksC.exe | N/A |
| N/A | N/A | C:\Windows\System\UnNhnKu.exe | N/A |
| N/A | N/A | C:\Windows\System\cmQOOKv.exe | N/A |
| N/A | N/A | C:\Windows\System\nYsZnKk.exe | N/A |
| N/A | N/A | C:\Windows\System\wYPlXrA.exe | N/A |
| N/A | N/A | C:\Windows\System\YLITSiV.exe | N/A |
| N/A | N/A | C:\Windows\System\sMpcxfa.exe | N/A |
| N/A | N/A | C:\Windows\System\xbowGji.exe | N/A |
| N/A | N/A | C:\Windows\System\RVSXIMU.exe | N/A |
| N/A | N/A | C:\Windows\System\eyaFhfA.exe | N/A |
| N/A | N/A | C:\Windows\System\JMgKqWc.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\hYIpsly.exe
C:\Windows\System\hYIpsly.exe
C:\Windows\System\WWufrzQ.exe
C:\Windows\System\WWufrzQ.exe
C:\Windows\System\fbcmGXF.exe
C:\Windows\System\fbcmGXF.exe
C:\Windows\System\wPOFSyj.exe
C:\Windows\System\wPOFSyj.exe
C:\Windows\System\RWIjGBX.exe
C:\Windows\System\RWIjGBX.exe
C:\Windows\System\qLWqdiA.exe
C:\Windows\System\qLWqdiA.exe
C:\Windows\System\FaobcWq.exe
C:\Windows\System\FaobcWq.exe
C:\Windows\System\ffkwXZj.exe
C:\Windows\System\ffkwXZj.exe
C:\Windows\System\KecQdwv.exe
C:\Windows\System\KecQdwv.exe
C:\Windows\System\HpYGpQl.exe
C:\Windows\System\HpYGpQl.exe
C:\Windows\System\xITwksC.exe
C:\Windows\System\xITwksC.exe
C:\Windows\System\UnNhnKu.exe
C:\Windows\System\UnNhnKu.exe
C:\Windows\System\cmQOOKv.exe
C:\Windows\System\cmQOOKv.exe
C:\Windows\System\nYsZnKk.exe
C:\Windows\System\nYsZnKk.exe
C:\Windows\System\wYPlXrA.exe
C:\Windows\System\wYPlXrA.exe
C:\Windows\System\sMpcxfa.exe
C:\Windows\System\sMpcxfa.exe
C:\Windows\System\YLITSiV.exe
C:\Windows\System\YLITSiV.exe
C:\Windows\System\eyaFhfA.exe
C:\Windows\System\eyaFhfA.exe
C:\Windows\System\xbowGji.exe
C:\Windows\System\xbowGji.exe
C:\Windows\System\JMgKqWc.exe
C:\Windows\System\JMgKqWc.exe
C:\Windows\System\RVSXIMU.exe
C:\Windows\System\RVSXIMU.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 00:49
Reported
2024-05-30 00:52
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
156s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\HntwMjh.exe | N/A |
| N/A | N/A | C:\Windows\System\GGvvIwg.exe | N/A |
| N/A | N/A | C:\Windows\System\aFSaOTm.exe | N/A |
| N/A | N/A | C:\Windows\System\VeJBVUo.exe | N/A |
| N/A | N/A | C:\Windows\System\GCcvNlE.exe | N/A |
| N/A | N/A | C:\Windows\System\RPzEBjC.exe | N/A |
| N/A | N/A | C:\Windows\System\YeJpIUn.exe | N/A |
| N/A | N/A | C:\Windows\System\gImfPfW.exe | N/A |
| N/A | N/A | C:\Windows\System\SkdyjHv.exe | N/A |
| N/A | N/A | C:\Windows\System\WKqnCyI.exe | N/A |
| N/A | N/A | C:\Windows\System\cPPOJgN.exe | N/A |
| N/A | N/A | C:\Windows\System\DgftHAj.exe | N/A |
| N/A | N/A | C:\Windows\System\MtFMrKL.exe | N/A |
| N/A | N/A | C:\Windows\System\xnsLsjT.exe | N/A |
| N/A | N/A | C:\Windows\System\XhiCRov.exe | N/A |
| N/A | N/A | C:\Windows\System\ValRblY.exe | N/A |
| N/A | N/A | C:\Windows\System\BhaMBEc.exe | N/A |
| N/A | N/A | C:\Windows\System\yDauOkf.exe | N/A |
| N/A | N/A | C:\Windows\System\QdwTCGS.exe | N/A |
| N/A | N/A | C:\Windows\System\SPrgytH.exe | N/A |
| N/A | N/A | C:\Windows\System\wVUbugW.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\HntwMjh.exe
C:\Windows\System\HntwMjh.exe
C:\Windows\System\GGvvIwg.exe
C:\Windows\System\GGvvIwg.exe
C:\Windows\System\aFSaOTm.exe
C:\Windows\System\aFSaOTm.exe
C:\Windows\System\VeJBVUo.exe
C:\Windows\System\VeJBVUo.exe
C:\Windows\System\GCcvNlE.exe
C:\Windows\System\GCcvNlE.exe
C:\Windows\System\RPzEBjC.exe
C:\Windows\System\RPzEBjC.exe
C:\Windows\System\YeJpIUn.exe
C:\Windows\System\YeJpIUn.exe
C:\Windows\System\gImfPfW.exe
C:\Windows\System\gImfPfW.exe
C:\Windows\System\SkdyjHv.exe
C:\Windows\System\SkdyjHv.exe
C:\Windows\System\WKqnCyI.exe
C:\Windows\System\WKqnCyI.exe
C:\Windows\System\cPPOJgN.exe
C:\Windows\System\cPPOJgN.exe
C:\Windows\System\DgftHAj.exe
C:\Windows\System\DgftHAj.exe
C:\Windows\System\MtFMrKL.exe
C:\Windows\System\MtFMrKL.exe
C:\Windows\System\xnsLsjT.exe
C:\Windows\System\xnsLsjT.exe
C:\Windows\System\XhiCRov.exe
C:\Windows\System\XhiCRov.exe
C:\Windows\System\ValRblY.exe
C:\Windows\System\ValRblY.exe
C:\Windows\System\BhaMBEc.exe
C:\Windows\System\BhaMBEc.exe
C:\Windows\System\QdwTCGS.exe
C:\Windows\System\QdwTCGS.exe
C:\Windows\System\yDauOkf.exe
C:\Windows\System\yDauOkf.exe
C:\Windows\System\SPrgytH.exe
C:\Windows\System\SPrgytH.exe
C:\Windows\System\wVUbugW.exe
C:\Windows\System\wVUbugW.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files