Analysis Overview
SHA256
097e368f8c0e0d3c1526fe2bf8165507a2392ec0fba5a12fec4e5da2879f7d7f
Threat Level: Known bad
The file 2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
XMRig Miner payload
xmrig
Xmrig family
Cobaltstrike
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 01:26
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 01:26
Reported
2024-06-01 01:28
Platform
win7-20240508-en
Max time kernel
144s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xAkDMud.exe | N/A |
| N/A | N/A | C:\Windows\System\EmqJphz.exe | N/A |
| N/A | N/A | C:\Windows\System\yALrgGu.exe | N/A |
| N/A | N/A | C:\Windows\System\FcmJkjK.exe | N/A |
| N/A | N/A | C:\Windows\System\zrDTFTb.exe | N/A |
| N/A | N/A | C:\Windows\System\szYZCrE.exe | N/A |
| N/A | N/A | C:\Windows\System\KybiJSJ.exe | N/A |
| N/A | N/A | C:\Windows\System\sBLJRtI.exe | N/A |
| N/A | N/A | C:\Windows\System\TzgBkDI.exe | N/A |
| N/A | N/A | C:\Windows\System\xIrlONw.exe | N/A |
| N/A | N/A | C:\Windows\System\gfQNwCi.exe | N/A |
| N/A | N/A | C:\Windows\System\HDhfZIG.exe | N/A |
| N/A | N/A | C:\Windows\System\jYWvaWR.exe | N/A |
| N/A | N/A | C:\Windows\System\Rcfozfl.exe | N/A |
| N/A | N/A | C:\Windows\System\rMsjTHr.exe | N/A |
| N/A | N/A | C:\Windows\System\HQagaED.exe | N/A |
| N/A | N/A | C:\Windows\System\PRggXTW.exe | N/A |
| N/A | N/A | C:\Windows\System\riqFOCH.exe | N/A |
| N/A | N/A | C:\Windows\System\srFjmjD.exe | N/A |
| N/A | N/A | C:\Windows\System\oEFNqxn.exe | N/A |
| N/A | N/A | C:\Windows\System\gAwOWWD.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\xAkDMud.exe
C:\Windows\System\xAkDMud.exe
C:\Windows\System\EmqJphz.exe
C:\Windows\System\EmqJphz.exe
C:\Windows\System\yALrgGu.exe
C:\Windows\System\yALrgGu.exe
C:\Windows\System\FcmJkjK.exe
C:\Windows\System\FcmJkjK.exe
C:\Windows\System\szYZCrE.exe
C:\Windows\System\szYZCrE.exe
C:\Windows\System\zrDTFTb.exe
C:\Windows\System\zrDTFTb.exe
C:\Windows\System\KybiJSJ.exe
C:\Windows\System\KybiJSJ.exe
C:\Windows\System\sBLJRtI.exe
C:\Windows\System\sBLJRtI.exe
C:\Windows\System\jYWvaWR.exe
C:\Windows\System\jYWvaWR.exe
C:\Windows\System\TzgBkDI.exe
C:\Windows\System\TzgBkDI.exe
C:\Windows\System\rMsjTHr.exe
C:\Windows\System\rMsjTHr.exe
C:\Windows\System\xIrlONw.exe
C:\Windows\System\xIrlONw.exe
C:\Windows\System\HQagaED.exe
C:\Windows\System\HQagaED.exe
C:\Windows\System\gfQNwCi.exe
C:\Windows\System\gfQNwCi.exe
C:\Windows\System\PRggXTW.exe
C:\Windows\System\PRggXTW.exe
C:\Windows\System\HDhfZIG.exe
C:\Windows\System\HDhfZIG.exe
C:\Windows\System\riqFOCH.exe
C:\Windows\System\riqFOCH.exe
C:\Windows\System\Rcfozfl.exe
C:\Windows\System\Rcfozfl.exe
C:\Windows\System\srFjmjD.exe
C:\Windows\System\srFjmjD.exe
C:\Windows\System\oEFNqxn.exe
C:\Windows\System\oEFNqxn.exe
C:\Windows\System\gAwOWWD.exe
C:\Windows\System\gAwOWWD.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1276-0-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/1276-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\xAkDMud.exe
| MD5 | a335f20ccd4671ef2bab3a1c197acacb |
| SHA1 | 2c76a8b83a6c3518b8521e4b8622d732a712a399 |
| SHA256 | ff429cc9a52d6e5cf76f0deb0d838a55b85cb3a9edc190103724816d37ec6002 |
| SHA512 | 11a8a5a03ec98fd70dbc20f7c9614c922ebb3e0471a201a0daa9c62080360b2f25eb0d9cbbd63024c61ac200e6a6a548b10ff21c1463dc1cf830cab1af87334a |
memory/1276-6-0x0000000002220000-0x0000000002574000-memory.dmp
memory/2008-9-0x000000013F0D0000-0x000000013F424000-memory.dmp
\Windows\system\EmqJphz.exe
| MD5 | a48adad1d2e25ebc567962f3ae548f3e |
| SHA1 | 2581c993c5ad533f7ba2c8f145db8d3594fb0bf5 |
| SHA256 | b9e6303d0511a99e62141a0dbe569b5ec09a7ab16da55c1cde3e43075670c178 |
| SHA512 | 922880199d47e1b8952999209b8e5d7d2daa6723063a42a749df54fd5d5317fed48126a72ed7c3ad1106ae731d955eb669bd1ab1beb9b0a1da36a7187697fd21 |
memory/1276-15-0x0000000002220000-0x0000000002574000-memory.dmp
memory/3000-16-0x000000013F440000-0x000000013F794000-memory.dmp
C:\Windows\system\yALrgGu.exe
| MD5 | e8b2a4a40c84c2dbfc64cfadb5d13969 |
| SHA1 | a449c6d07a01a5e5f731e653f35bcd4ea4a5605d |
| SHA256 | 048c7b38aa09474526622e62f93913edaed4d412965f65f47d27c8c718b40861 |
| SHA512 | b70956f4105b2681f33be314561ca5cde0e0107fbce9c9bd6feec82c96e7a09806d0bafdd1e9d2e3d658844bcc23f20c49c73eaf6e01e6566450859730170665 |
memory/3040-22-0x000000013F3C0000-0x000000013F714000-memory.dmp
\Windows\system\FcmJkjK.exe
| MD5 | 0f3f68afd90fed7077f6633dfadfcc4b |
| SHA1 | 59a22d772acbe382dfeca45e9a490c842076c6a2 |
| SHA256 | be960b9ac74d7c3adc8db892d53b5a102230f15139864a5b27b8caa2e387ebaa |
| SHA512 | b89aac23357fcd52a9d3c1ba100f44927e54ccf95eeed2710304eabeb5b1ed353281afca69f8272bfef222a91ac6fc4de86cbc0d4e93ce6a121db30960e4869d |
memory/1276-27-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/2692-29-0x000000013FDC0000-0x0000000140114000-memory.dmp
C:\Windows\system\zrDTFTb.exe
| MD5 | f1e80b4a5f0325c483c4df92c597a092 |
| SHA1 | 1b10a28db8968d36b850d0c529c04064d4bf226c |
| SHA256 | 9208c1a7ce85459c4e5d621d2646e04b7c5a0d515f6c4715970d4232a001c136 |
| SHA512 | 54b28258364a258ee900c469e3c84d5e486f93d407b37b912e4c45df200b7b434ebcbdf91e3a220e02e932ed77108c292816a131cedf4612df04c0fcfa21bb63 |
C:\Windows\system\szYZCrE.exe
| MD5 | f417c649afcfc0d5aa176d9bb03a3e3b |
| SHA1 | 020083ce47be1db3891b35a235452b67c5b0c139 |
| SHA256 | 142d10dd382c9f726aa31f90114747e4b2403dae7186a03e2a129efb2b04e51a |
| SHA512 | c89c5a1ff3c9fd7a4b093999aed52568afa7b0621dc5aeb658fed868f3471e99d120f482706224e021a9d193420d8d51204e72401d6f8f4e8885034309da5c04 |
\Windows\system\KybiJSJ.exe
| MD5 | bd2022f4e71bb33b4a2b69dd2bd9e652 |
| SHA1 | d92fa6ca6e92f5128f224bd3a7ee9f1d9d6cd78f |
| SHA256 | 33db0710a2ee5efc150a70ef58114faddab3cc8d4f5ee8048938f37484954693 |
| SHA512 | 13be899c0feaa5174194686550c2cd510cb0993ff9d5cbf2a3e5e9fe0207cf898e623471433838b2305f5249685dd644d373e3108778904d8f73f46a1de8f0a4 |
memory/2748-50-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2008-48-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2840-47-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/1276-45-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/1276-44-0x0000000002220000-0x0000000002574000-memory.dmp
memory/2844-43-0x000000013FA00000-0x000000013FD54000-memory.dmp
\Windows\system\sBLJRtI.exe
| MD5 | 362d767cf86fc1a5f80c47bddb9a35cf |
| SHA1 | a98451ccb2a4565344416ff6e7bbf0ace981ce92 |
| SHA256 | f7c65fc5eda882cdb06790308421e37a40fa74bde4fa5eca44e73a942aa3f39a |
| SHA512 | 58586fdfe5fc8e9d2afc33cb8dc9533e7912bb9f5240781ed24356d63f1f4874fdea12d31f107cc75d2cdbf7040290cf853bf8210018ea88390d33837382d1c7 |
memory/1276-55-0x0000000002220000-0x0000000002574000-memory.dmp
memory/2576-56-0x000000013F040000-0x000000013F394000-memory.dmp
C:\Windows\system\TzgBkDI.exe
| MD5 | cb12efca7471932e856516edc9634aaa |
| SHA1 | 5075680c9b190b6a4ba851cb2a4e6fcad7c803fa |
| SHA256 | ea8b4d14c08b0d7eca14c5a483338704adf5638f4447b2af94f29ac52d232582 |
| SHA512 | 9d83b07e36494e08207570bdf691be48cb8034602c1a6b8619af0b1991105780b22f83d37765c215a1ef6bf750438f1fb88389d36954c6fa3e4ed6605d93a72c |
\Windows\system\xIrlONw.exe
| MD5 | f48851f350bb787b8fa0b09adef3c7a4 |
| SHA1 | 71e6fc66befb59e067f1e63cdb2b461a5b337584 |
| SHA256 | 71710c1f4ab1ea7cddb0e02cb14db56bff1f54d1ed7754c782e21908aa4311b7 |
| SHA512 | c1072d3fcfa4db04b520a82cdae664b8c56deeaf1569adfb0755631a61f44325bc1ee5bb2dd029dfff6f26be3afe32801f7d94fd93107ba641506e8f29aced23 |
C:\Windows\system\gfQNwCi.exe
| MD5 | 707a56c257aa6d49c9b555d588afeffd |
| SHA1 | 7672d774c4dfefe6fb5c4ec8b2a355ae2b41de93 |
| SHA256 | a197e97b67ac99907bcd7f2f5dc7f062ff005cffd5536d9cc2e535842bde8aeb |
| SHA512 | 897d164be6e16e8ee4198ff68585acda1c763aa04a00251828adff3d9091c6d4e8293fa6f63931f8aa1756498153291669a54479b8c244aeb98b9045167c1b98 |
memory/1276-93-0x0000000002220000-0x0000000002574000-memory.dmp
C:\Windows\system\HDhfZIG.exe
| MD5 | 20760e5b6f3cc015208f99a67ad7ebf2 |
| SHA1 | 871682825b6a5bd2795bdcbb424dfcde473b3ce9 |
| SHA256 | 1530d09e10216f4a6496544a908001e669b5ea5cb3eb8f398f7d9548f41562cc |
| SHA512 | 0a4b225cc9f687ff8cad37578732ececdf5efd726f5ce190f34d2ad9860115e22d0d32c8bf325bc8c7360d5dd3526f557cbe3ecd281815e8f7592a87bb57e112 |
memory/1276-94-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/1276-97-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2640-98-0x000000013FD40000-0x0000000140094000-memory.dmp
C:\Windows\system\rMsjTHr.exe
| MD5 | 903a8a7b145effc47e881014f624247e |
| SHA1 | 7e59f74b38198a21baf6e329f94db8c3adaf132b |
| SHA256 | f0821d33cf3ecc65ea7234d9869b44c342076fddc09417a2165eed783c36c67b |
| SHA512 | cb51a4b4977d7d62152aec8d2cb1914057e58cedda121ff8764e27804ab1ac239f93ffa324756d3f62bf8f1d3f73475ce62b0990f1dc83f4799cf87fc3246438 |
memory/1276-61-0x0000000002220000-0x0000000002574000-memory.dmp
C:\Windows\system\oEFNqxn.exe
| MD5 | 8a6d8147fbd484c84b82f2dcf052d738 |
| SHA1 | 288d60eadbbed17ea95fd9b3e98c89682d740c72 |
| SHA256 | 68a5460af5dd8a2ad4814163b055359571b9950a53c394675bdd15c939cb2189 |
| SHA512 | 1d1168522878a3c9377ebb4f1a85d13113e344ba73bae77552b109c1f7c57d19b4e1aff6039df7084c485af515ef481e37260aa4955b21108e5112453371e62e |
\Windows\system\gAwOWWD.exe
| MD5 | 6fc4ba3d7328db5518e8bedff595a0f9 |
| SHA1 | 26144b8d632dc1919191a27256ec31c2821f41ac |
| SHA256 | 27b0392f23eba62ecd0875c59a1ca7d7dc44d21f1c8e5c6f332cf244020236a2 |
| SHA512 | 625a82c1a795a8f9120f30d433e1df402e39831ace0c6849b04f537ddbdc50aa624188feb25040e4fd3dc1dcbee0c8ebfcac323cbc339ca78063d36dd8b7b3cd |
C:\Windows\system\srFjmjD.exe
| MD5 | ea87226ad5ad50447031851afcb58137 |
| SHA1 | 215c18ef16f4232b8bbdaf320b93af1bbbcf6c4c |
| SHA256 | 7bed6f41c383f0f05f6dd66bcd0e8c4bb9e868b15cd715ad891af5a01ae395a6 |
| SHA512 | d06db758bbeb94e4287e44c70350dd53023fa4fa7fd4c268e42ced4fc357f1fd12999daa2830fa9c59babdd741836b70fc6bbf912e2467034ed359dffbab295f |
C:\Windows\system\riqFOCH.exe
| MD5 | a4a3f870df8d0e03bcbf770a58a83337 |
| SHA1 | 43c77b71986f4407982871434bacc57ca752fb6e |
| SHA256 | 7b7eefbbc9b9c57ac9eb546ef8dff33706ef6ef7d686d51399657c9f09d6a82f |
| SHA512 | e1915975ecfcdbae75d080cd393cdb2bd966fa1f9a584329b44fb3bcc52e4a087bd25d63860d01c06abcf9fbbd82a6ccbe04e620dfdabdc9cca67082c208efec |
C:\Windows\system\PRggXTW.exe
| MD5 | 27fbc3901e6bcb35e2637c8f27277f67 |
| SHA1 | 796369ab7650ca14faaa0af49ac317476c07cead |
| SHA256 | b32b5d91e8dd51ed19e1d5a8c4dc9bd44d7af1ac6016ce2f5452544a3c1b53c2 |
| SHA512 | 1343ee5941700aab0d42f15f14af704461c2d913721d1e950deb39c11a473a70bfcd6b7973cadb930ba7115f7b3985dc2fa73ca922cb3399fc5c73162192a149 |
C:\Windows\system\HQagaED.exe
| MD5 | f8da21b057e1d9bdf4fef8bbcadd27cc |
| SHA1 | eb3abd7b14c2c79febe649518eb19930b34dfc23 |
| SHA256 | 9ed823dd190ff8115090dceec6c993665c6fa1ebfe70504368ad28822ad4bb77 |
| SHA512 | 73f34ad77050a930d4197b39660b8cf4704016d0c1498b08dc907ade2c6ff05a03bf584501767ddc2f0a3178738f2471d543876726fab553cfdd9324a1e566aa |
memory/1276-104-0x000000013F640000-0x000000013F994000-memory.dmp
C:\Windows\system\jYWvaWR.exe
| MD5 | e40924d3af95db1c359fede440eb7a6d |
| SHA1 | 8f9e79f77efb3ac18af4de419d7ccf2c43485bca |
| SHA256 | 02a0385f4d64829f098d6e68840a2a029c82114cd6b9fe9879c3e5817354b929 |
| SHA512 | b4eb1ebf867926471d22264b170997d4f018316ea81130123fa1d0b5cfc20022da1b5afe8fc18ffeaf918f6a044dd0b94ab03eb1703c9eeed3235570c4afba97 |
memory/812-89-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2288-86-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/1276-79-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/2540-69-0x000000013F7B0000-0x000000013FB04000-memory.dmp
C:\Windows\system\Rcfozfl.exe
| MD5 | d436309042b39d1e9dcb88aec744ab6d |
| SHA1 | dc4e81af955fff274a2fc08237b58bfc53223a45 |
| SHA256 | 28461db39b17f61485e967e17cf7c17bdb832262ebfe60163e5a2205f7b71114 |
| SHA512 | 6fb12c25942183956a706d33a0b3628a3ad6cf00e50aac51511263884faef494b736b028a50abf08754af84b0f2847471ff381e305392a48f8b7076ab000e4f0 |
memory/1276-96-0x0000000002220000-0x0000000002574000-memory.dmp
memory/2748-133-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/1276-134-0x0000000002220000-0x0000000002574000-memory.dmp
memory/2576-135-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2540-136-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/1276-137-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/1276-138-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/1276-139-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/2640-140-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/1276-141-0x000000013F640000-0x000000013F994000-memory.dmp
memory/2008-142-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/3000-143-0x000000013F440000-0x000000013F794000-memory.dmp
memory/3040-144-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2692-145-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/2840-146-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2844-147-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/2748-148-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2576-149-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2540-150-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2288-151-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/812-152-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2640-153-0x000000013FD40000-0x0000000140094000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 01:26
Reported
2024-06-01 01:28
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\Kidgbpr.exe | N/A |
| N/A | N/A | C:\Windows\System\adQYyKH.exe | N/A |
| N/A | N/A | C:\Windows\System\ZTfLpwG.exe | N/A |
| N/A | N/A | C:\Windows\System\VjBHIyM.exe | N/A |
| N/A | N/A | C:\Windows\System\FTEFjFq.exe | N/A |
| N/A | N/A | C:\Windows\System\JtVWRxY.exe | N/A |
| N/A | N/A | C:\Windows\System\xaQHdVm.exe | N/A |
| N/A | N/A | C:\Windows\System\PlEBVSx.exe | N/A |
| N/A | N/A | C:\Windows\System\jxxMHGR.exe | N/A |
| N/A | N/A | C:\Windows\System\XJxrMTU.exe | N/A |
| N/A | N/A | C:\Windows\System\kXQWbXX.exe | N/A |
| N/A | N/A | C:\Windows\System\xIarCen.exe | N/A |
| N/A | N/A | C:\Windows\System\YyubLaG.exe | N/A |
| N/A | N/A | C:\Windows\System\pJmgUXE.exe | N/A |
| N/A | N/A | C:\Windows\System\DZPPURC.exe | N/A |
| N/A | N/A | C:\Windows\System\zKfwSlB.exe | N/A |
| N/A | N/A | C:\Windows\System\ytVGFjk.exe | N/A |
| N/A | N/A | C:\Windows\System\GWqvnTP.exe | N/A |
| N/A | N/A | C:\Windows\System\tGGiQFk.exe | N/A |
| N/A | N/A | C:\Windows\System\ZbcmsFa.exe | N/A |
| N/A | N/A | C:\Windows\System\oKtcUjG.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\Kidgbpr.exe
C:\Windows\System\Kidgbpr.exe
C:\Windows\System\adQYyKH.exe
C:\Windows\System\adQYyKH.exe
C:\Windows\System\ZTfLpwG.exe
C:\Windows\System\ZTfLpwG.exe
C:\Windows\System\VjBHIyM.exe
C:\Windows\System\VjBHIyM.exe
C:\Windows\System\FTEFjFq.exe
C:\Windows\System\FTEFjFq.exe
C:\Windows\System\JtVWRxY.exe
C:\Windows\System\JtVWRxY.exe
C:\Windows\System\xaQHdVm.exe
C:\Windows\System\xaQHdVm.exe
C:\Windows\System\PlEBVSx.exe
C:\Windows\System\PlEBVSx.exe
C:\Windows\System\jxxMHGR.exe
C:\Windows\System\jxxMHGR.exe
C:\Windows\System\XJxrMTU.exe
C:\Windows\System\XJxrMTU.exe
C:\Windows\System\kXQWbXX.exe
C:\Windows\System\kXQWbXX.exe
C:\Windows\System\xIarCen.exe
C:\Windows\System\xIarCen.exe
C:\Windows\System\YyubLaG.exe
C:\Windows\System\YyubLaG.exe
C:\Windows\System\pJmgUXE.exe
C:\Windows\System\pJmgUXE.exe
C:\Windows\System\DZPPURC.exe
C:\Windows\System\DZPPURC.exe
C:\Windows\System\zKfwSlB.exe
C:\Windows\System\zKfwSlB.exe
C:\Windows\System\ytVGFjk.exe
C:\Windows\System\ytVGFjk.exe
C:\Windows\System\GWqvnTP.exe
C:\Windows\System\GWqvnTP.exe
C:\Windows\System\tGGiQFk.exe
C:\Windows\System\tGGiQFk.exe
C:\Windows\System\oKtcUjG.exe
C:\Windows\System\oKtcUjG.exe
C:\Windows\System\ZbcmsFa.exe
C:\Windows\System\ZbcmsFa.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4448 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| NL | 52.142.223.178:80 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3176-0-0x00007FF7F81E0000-0x00007FF7F8534000-memory.dmp
memory/3176-1-0x000001306EF80000-0x000001306EF90000-memory.dmp
C:\Windows\System\Kidgbpr.exe
| MD5 | 154f3822b3d9489522bc4a5baa7b45d9 |
| SHA1 | b1d6cde8ea79ab47f3cd1e7d2c48e30b7311d92d |
| SHA256 | 29b640dc7a55f695a08fe5fe0a7a97fb0f6df802fef86754172dd3d26cb62a1f |
| SHA512 | 7a902ba16c948b2a6ca54b4fd428783fb5c7eaa5ec9f569cf36d21fac0a00ba301536064ee6e38a7e52b09702de4e241fe34747f44db692a3d73c15eb9abcc9c |
memory/1384-8-0x00007FF74DA20000-0x00007FF74DD74000-memory.dmp
C:\Windows\System\adQYyKH.exe
| MD5 | 791a374cfb6aa540760ab5106792b262 |
| SHA1 | 26a44d26680b4de49e7c06569e66d4b4b760a111 |
| SHA256 | 0464323b845c48e9acdf1d2f9a7591b43983f6e99322b01b3b1d80bb65fe3058 |
| SHA512 | cab6ce8d25ec3bfc1b56c05e85fb068e304801d32dae3495889a03cfa52bbe4d194214bd0166f32b0d0304a00f8a8a17d4d137286c92ac0f06bb99e957bd6777 |
memory/884-14-0x00007FF70C000000-0x00007FF70C354000-memory.dmp
C:\Windows\System\ZTfLpwG.exe
| MD5 | 431fea44cdd761e56974a5f6c829d94e |
| SHA1 | e4ae0c868424ca44403739533913a67d6aebcbe0 |
| SHA256 | ca91f6d28b5b49dfdd32a9875300790722be5afa8b970b4fccf8b64940dc1562 |
| SHA512 | dc0731343dd23015256e7e5fee36dca4cf9da4856420f56df7c199587c4258a4ba6fdb558f23554e4166a320913257355c249be2bbdec9f2a20a7e58f657537e |
memory/4856-20-0x00007FF79BB10000-0x00007FF79BE64000-memory.dmp
C:\Windows\System\VjBHIyM.exe
| MD5 | d756261fd6b8d96c7b3a9605b2e382a2 |
| SHA1 | 84e357606e64ab87f17d367bac3a247c442cc97c |
| SHA256 | 5b7fe93891fb00c6e04c2340b31bceab0d12c07dfd57fa03802e8ed00fcbe305 |
| SHA512 | 8dfeaaa18b75ca50fe24558bf8e9dab335bcdaf632cb04888f08bb209bc89f5ba6d696cd046d0415a4c4335f0e638af210825503d2d28f522ab9c3b104ee99b6 |
memory/4984-26-0x00007FF6F20F0000-0x00007FF6F2444000-memory.dmp
C:\Windows\System\FTEFjFq.exe
| MD5 | 88f30745d1a3d25b96cfc3bf8993a498 |
| SHA1 | 896d9e31477ec57090f8869624b0e6884ac85f93 |
| SHA256 | 311e9841a1ad792696f8605d6324e96d901d0ac7fa7dac02319c86934e23e369 |
| SHA512 | e6649c9594ad69eada0aaca1a469a00d80edc560763564128b0bb27d9283b62ddfebc99c793ea91d0d25c92e6134f67b48e90459890228cb3c6b8882c6858cac |
memory/220-32-0x00007FF62BAC0000-0x00007FF62BE14000-memory.dmp
C:\Windows\System\JtVWRxY.exe
| MD5 | 1228a4b62dac6075c31e3b0c9b908be7 |
| SHA1 | 6c0eff82cda46337bfc4c4a17db84aa2469355b7 |
| SHA256 | acf38f43e8b94650a9585955d5fe0fa45603c0de62804d547dbc8378d1ca1dbc |
| SHA512 | a871733b99a4bf922768c17d74e93869bb0f9868d6eb7ee5000116a160c05b7ddd028197f682cadc9e235cc49d43dfc16b5ff214a3a5f2f7244f92bd3a32689f |
memory/1836-38-0x00007FF73E3B0000-0x00007FF73E704000-memory.dmp
C:\Windows\System\xaQHdVm.exe
| MD5 | da816c980a43cd2c6924f8f565a40af3 |
| SHA1 | 7429e487a7b3f582f2341a4a3714d27d2b29bbdd |
| SHA256 | 2edc35ddf9608644392a4fa92fe824686daa33b9dd16d2eca4e80ad173247de0 |
| SHA512 | 6d5f19372e9effc32c8a6d0b25b590eb9e57df9d411965f5864034e7596ef99932e5cb0eabed90bef46efd215fd971ba601fe7786f1314154d95f82bb3d5a503 |
memory/2904-44-0x00007FF6E9C20000-0x00007FF6E9F74000-memory.dmp
C:\Windows\System\PlEBVSx.exe
| MD5 | 2f63f2d3d92353a6dd921dda30b7fa82 |
| SHA1 | 90681aff42a17ec751de5dc1170b7ead9294bc68 |
| SHA256 | 80bb76e476865534c315e97a21007249f20fab495b07531756f428d501ba7ce8 |
| SHA512 | 63925ef3139c2ac90c86d257db1d884286fe5ab96378a6703390c039c7c4cb707cdcea5ccbc519649e9033363091b308d6c611a7f99c083983969121c98ca8df |
memory/1016-50-0x00007FF6AACD0000-0x00007FF6AB024000-memory.dmp
C:\Windows\System\jxxMHGR.exe
| MD5 | a751c697e643fafbb366260cdce6db86 |
| SHA1 | 3561a2e02218efd9ae0f9594b8f37195b47b36dc |
| SHA256 | 2b7f5c4f87c5b20aca447c90d8797ee83c8bbde0c36b3e0ca65af8167f4c62e7 |
| SHA512 | bf0c37b06d4580a815e5ed3254eebca6b3d62d4dc4d142ed2ddef53c54f94e550fdb42872df4a92254df1c65c32f29fcf6f86ad02332b994a818928a29239699 |
memory/4104-56-0x00007FF62E9F0000-0x00007FF62ED44000-memory.dmp
C:\Windows\System\XJxrMTU.exe
| MD5 | cf3f4eb17ee94ccb614255f3b135f1cd |
| SHA1 | a913d1ba657cb53dd1437da3dfc17751f148d1ad |
| SHA256 | c6a6d8ea99f6a40baeef5175cb0d454d2045043bf4353e8ce693c59306bf88c7 |
| SHA512 | 33a9543deb372877b1e39006e3d2a71d2612fda39c65b49f714ceeaf21a1cf68708c9e92b30d42cf63d41c20cb2bde976c8eba5650b5c7c99d7444a16dce1657 |
memory/3176-62-0x00007FF7F81E0000-0x00007FF7F8534000-memory.dmp
memory/3944-63-0x00007FF781BC0000-0x00007FF781F14000-memory.dmp
C:\Windows\System\kXQWbXX.exe
| MD5 | 59d2f5312f344b36996e3dd0f87b2c7a |
| SHA1 | 634075bc988e12540cc4df2ea8c7624e954843ed |
| SHA256 | e408e6ad767a6a54ba4296ac5de940a27d10ff93afb4471a046c237202f18491 |
| SHA512 | 116afd91f65677ae6ea258c6aa61541693890942ebbe1439b12ac0e32a39f6f0e5c94fe21e64f113678a60cd352dd3abe95f9c46754b4f4b39d269928b4784f2 |
memory/1384-67-0x00007FF74DA20000-0x00007FF74DD74000-memory.dmp
memory/2756-68-0x00007FF602E50000-0x00007FF6031A4000-memory.dmp
C:\Windows\System\xIarCen.exe
| MD5 | 16fad712b6d8351b9c279db8fb17c00f |
| SHA1 | 2ee9a08a4173f5471ae244cb86b35280e17b66a7 |
| SHA256 | e1f098c8d1241c4e9d0fce06ed10decc014417e0e28ac2313c7060842d83b450 |
| SHA512 | 389b82c8b953570ad7b200fce5a20bc5042841a2ace30a47a73eed0eda37f414f38ec90a480b0da2c872209fbba3119d3b29f0930ea968a3f8aa4788f271a11a |
C:\Windows\System\YyubLaG.exe
| MD5 | 7fa84798bc8cf55f79edd56c27c41e68 |
| SHA1 | f7cdf8b2657c1edd9a74c30611e37218c8295968 |
| SHA256 | 0da65bc3d979fb2ee8a25dbde128d2d6615547465e2e5cedb3d5a7b2008078be |
| SHA512 | 925da7b5f6eaddf5ecb0d05f05153ee0c4c914cccfd90c04f599225502375c753d59dfbe773c287cdb7c032871e61a07d57a2ddd0492eafadcd067ca55491030 |
C:\Windows\System\pJmgUXE.exe
| MD5 | 2f8a842b25e6c85fb144f0263e08a5ca |
| SHA1 | 8ac8e3734ab59710705d6c7fe5c319d3a4891159 |
| SHA256 | 480e5eba2e4d1121af30e1acd7515f2da138e4784eba2ce798949efbdd40e69b |
| SHA512 | 7a073e058f5e7735cbe44b6bf1da4b16b42526694d808bbb739449fde7e33a7087a46e9c4857c22557a5e659b94a86c4df8649ee7f5c42bb60abd36d93f1ed94 |
memory/4636-88-0x00007FF791350000-0x00007FF7916A4000-memory.dmp
memory/2600-91-0x00007FF76E370000-0x00007FF76E6C4000-memory.dmp
memory/4984-92-0x00007FF6F20F0000-0x00007FF6F2444000-memory.dmp
memory/2912-97-0x00007FF7FE5E0000-0x00007FF7FE934000-memory.dmp
C:\Windows\System\zKfwSlB.exe
| MD5 | fa5d0ad4565a6bc770c771e54df8800d |
| SHA1 | 1494ff87bd82485b399d98087e0cbd768b87fd65 |
| SHA256 | 4a09fda490c455f3a36f7594da6d7875c9d9795ef333e08cc0d69619ae84609e |
| SHA512 | ae4dda60819cd04b69572d0d97be9fdf63390bc8f052f2404fcbb047bdd14fcecd811e248dcb50fed2f65785f53d349baa19e32a38753eba834f10fd9aad9356 |
C:\Windows\System\DZPPURC.exe
| MD5 | 01371f8a61bdf5a6c0ba39a030c6a2c2 |
| SHA1 | 8129ff0f877f50c32d84557335bb824354f19f41 |
| SHA256 | 0e236426623ff79c496a2949df04af92a89bc0be861029ab44d974ec0abd54a1 |
| SHA512 | 14b41599f9ad71a99cbf1e18b50fc7258db02900d8503d7af44269021b05f9fb91ca4f9228163b36e980f797d4ec1ac00222d4e1c1ca1c56d41abf17b8c95349 |
memory/3820-86-0x00007FF6E5D40000-0x00007FF6E6094000-memory.dmp
memory/2124-104-0x00007FF686610000-0x00007FF686964000-memory.dmp
memory/2604-107-0x00007FF6C4FD0000-0x00007FF6C5324000-memory.dmp
C:\Windows\System\ytVGFjk.exe
| MD5 | 2f80ca27c905b30dce5045506305651e |
| SHA1 | df7f4fcdf50312b38423fdea57e5aeb799d37976 |
| SHA256 | 7563377a06602ea8bf0b0175f5b38b6e12c3462edbf6c5e2a8d88a6a1e4dc0a6 |
| SHA512 | df4b4f22407b60d9f21b407b9147c7ea3576299ed8ad3d4d82bea3d43976062b901d3a44fbd378cbb65c34f009e7adb87d2035af5f7360942d2f3dde15dc624a |
C:\Windows\System\tGGiQFk.exe
| MD5 | 006be624eec3f0e66393392d7c8ef250 |
| SHA1 | b29953eb2123ac27bf982b0cd43b3395eb7ce026 |
| SHA256 | 3eac14eba073ec44640c7586fff81a84913577f3f85997a93446244fdf832734 |
| SHA512 | b7db43b22b9228928c17c3590edded77442c9ba3b6bfeeedbd417a1e78eb05d02c3e5e61fd18a00e4a66a44c83140a2bc56e1e9dd4b37f26d04331461ccc2a56 |
memory/1016-123-0x00007FF6AACD0000-0x00007FF6AB024000-memory.dmp
C:\Windows\System\ZbcmsFa.exe
| MD5 | 0ca18e4d654c7b486ec950574f33a2ca |
| SHA1 | d50ab760fae50b4301c7c7afdf69d78fb1d188c2 |
| SHA256 | f1a965be878c43a99241e24cf10e497ef6f99dc6619aa6584346f487e4e400bd |
| SHA512 | 2cf7a560a1b6107755284a06077d0463b82cd99f211245d938c5640e7ac73b240a9788e0bced0d664da6eda5658d3f3f9138eb160356f79625e07938aefbd4a5 |
C:\Windows\System\oKtcUjG.exe
| MD5 | c5ff939f6f436dba85026b80c63c7b98 |
| SHA1 | c8bdc446ec569d0b0b864a632780ab7a251b9170 |
| SHA256 | e4f8c883c296b02cffe5719d1399670298aea532239867f92998872841053eea |
| SHA512 | d5ef4a357f0cbcf213fcaaaa65ed8e891be048667d00ab10974a689047e6b8f336f4487fcf6205650ca13993536dc737635d1169ca4d8346e036a05572295c9f |
memory/4460-128-0x00007FF671E30000-0x00007FF672184000-memory.dmp
memory/2316-125-0x00007FF7844E0000-0x00007FF784834000-memory.dmp
memory/3620-124-0x00007FF612140000-0x00007FF612494000-memory.dmp
memory/2904-121-0x00007FF6E9C20000-0x00007FF6E9F74000-memory.dmp
C:\Windows\System\GWqvnTP.exe
| MD5 | dd54f4f1ef113c389116aeee9f752920 |
| SHA1 | 9ed06851b4086ea6095b808b3da3cf8de3b421f4 |
| SHA256 | 44edb155af777c30fad047f0cd8247813001110c611263866a66287e6e1f13c7 |
| SHA512 | 92d32bf655f543c8d7940c6badd6ca78757dace4bdb3c615e07b2dcaaa3d8a22a35140a834f0a773897ab50b114b4882e020ad2ff4e6ad9c86bca617a840fa28 |
memory/4104-132-0x00007FF62E9F0000-0x00007FF62ED44000-memory.dmp
memory/4860-133-0x00007FF603F40000-0x00007FF604294000-memory.dmp
memory/2756-134-0x00007FF602E50000-0x00007FF6031A4000-memory.dmp
memory/2912-135-0x00007FF7FE5E0000-0x00007FF7FE934000-memory.dmp
memory/2604-136-0x00007FF6C4FD0000-0x00007FF6C5324000-memory.dmp
memory/1384-137-0x00007FF74DA20000-0x00007FF74DD74000-memory.dmp
memory/884-138-0x00007FF70C000000-0x00007FF70C354000-memory.dmp
memory/4856-139-0x00007FF79BB10000-0x00007FF79BE64000-memory.dmp
memory/4984-140-0x00007FF6F20F0000-0x00007FF6F2444000-memory.dmp
memory/220-141-0x00007FF62BAC0000-0x00007FF62BE14000-memory.dmp
memory/1836-142-0x00007FF73E3B0000-0x00007FF73E704000-memory.dmp
memory/2904-143-0x00007FF6E9C20000-0x00007FF6E9F74000-memory.dmp
memory/1016-144-0x00007FF6AACD0000-0x00007FF6AB024000-memory.dmp
memory/4104-145-0x00007FF62E9F0000-0x00007FF62ED44000-memory.dmp
memory/3944-146-0x00007FF781BC0000-0x00007FF781F14000-memory.dmp
memory/2756-147-0x00007FF602E50000-0x00007FF6031A4000-memory.dmp
memory/3820-148-0x00007FF6E5D40000-0x00007FF6E6094000-memory.dmp
memory/4636-149-0x00007FF791350000-0x00007FF7916A4000-memory.dmp
memory/2600-150-0x00007FF76E370000-0x00007FF76E6C4000-memory.dmp
memory/2912-151-0x00007FF7FE5E0000-0x00007FF7FE934000-memory.dmp
memory/2124-152-0x00007FF686610000-0x00007FF686964000-memory.dmp
memory/2604-153-0x00007FF6C4FD0000-0x00007FF6C5324000-memory.dmp
memory/3620-154-0x00007FF612140000-0x00007FF612494000-memory.dmp
memory/2316-155-0x00007FF7844E0000-0x00007FF784834000-memory.dmp
memory/4460-156-0x00007FF671E30000-0x00007FF672184000-memory.dmp
memory/4860-157-0x00007FF603F40000-0x00007FF604294000-memory.dmp