Analysis Overview
SHA256
901c6ac0a6c491a212fc65f2b0d46c9c9889c4b60fad044bdb581d6d7bb94a02
Threat Level: Known bad
The file 2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike
Detects Reflective DLL injection artifacts
XMRig Miner payload
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Xmrig family
Cobaltstrike family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 15:45
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 15:45
Reported
2024-06-01 15:48
Platform
win7-20240221-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dTpskZN.exe | N/A |
| N/A | N/A | C:\Windows\System\ZXMfZpu.exe | N/A |
| N/A | N/A | C:\Windows\System\JlrTebm.exe | N/A |
| N/A | N/A | C:\Windows\System\yHlKGdh.exe | N/A |
| N/A | N/A | C:\Windows\System\ITzkBuF.exe | N/A |
| N/A | N/A | C:\Windows\System\ekDwZVE.exe | N/A |
| N/A | N/A | C:\Windows\System\AbKeNWG.exe | N/A |
| N/A | N/A | C:\Windows\System\amqItfy.exe | N/A |
| N/A | N/A | C:\Windows\System\EytSYpV.exe | N/A |
| N/A | N/A | C:\Windows\System\vDzQnNE.exe | N/A |
| N/A | N/A | C:\Windows\System\CXchmCe.exe | N/A |
| N/A | N/A | C:\Windows\System\FEXpPGa.exe | N/A |
| N/A | N/A | C:\Windows\System\exouqCV.exe | N/A |
| N/A | N/A | C:\Windows\System\wGsnATT.exe | N/A |
| N/A | N/A | C:\Windows\System\dvOqknK.exe | N/A |
| N/A | N/A | C:\Windows\System\BzTZTPz.exe | N/A |
| N/A | N/A | C:\Windows\System\DpZpLjk.exe | N/A |
| N/A | N/A | C:\Windows\System\JUTPhdj.exe | N/A |
| N/A | N/A | C:\Windows\System\UziJOyJ.exe | N/A |
| N/A | N/A | C:\Windows\System\WzOamGD.exe | N/A |
| N/A | N/A | C:\Windows\System\KeQinmw.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\dTpskZN.exe
C:\Windows\System\dTpskZN.exe
C:\Windows\System\ZXMfZpu.exe
C:\Windows\System\ZXMfZpu.exe
C:\Windows\System\JlrTebm.exe
C:\Windows\System\JlrTebm.exe
C:\Windows\System\yHlKGdh.exe
C:\Windows\System\yHlKGdh.exe
C:\Windows\System\ITzkBuF.exe
C:\Windows\System\ITzkBuF.exe
C:\Windows\System\ekDwZVE.exe
C:\Windows\System\ekDwZVE.exe
C:\Windows\System\AbKeNWG.exe
C:\Windows\System\AbKeNWG.exe
C:\Windows\System\vDzQnNE.exe
C:\Windows\System\vDzQnNE.exe
C:\Windows\System\amqItfy.exe
C:\Windows\System\amqItfy.exe
C:\Windows\System\CXchmCe.exe
C:\Windows\System\CXchmCe.exe
C:\Windows\System\EytSYpV.exe
C:\Windows\System\EytSYpV.exe
C:\Windows\System\DpZpLjk.exe
C:\Windows\System\DpZpLjk.exe
C:\Windows\System\FEXpPGa.exe
C:\Windows\System\FEXpPGa.exe
C:\Windows\System\JUTPhdj.exe
C:\Windows\System\JUTPhdj.exe
C:\Windows\System\exouqCV.exe
C:\Windows\System\exouqCV.exe
C:\Windows\System\UziJOyJ.exe
C:\Windows\System\UziJOyJ.exe
C:\Windows\System\wGsnATT.exe
C:\Windows\System\wGsnATT.exe
C:\Windows\System\WzOamGD.exe
C:\Windows\System\WzOamGD.exe
C:\Windows\System\dvOqknK.exe
C:\Windows\System\dvOqknK.exe
C:\Windows\System\KeQinmw.exe
C:\Windows\System\KeQinmw.exe
C:\Windows\System\BzTZTPz.exe
C:\Windows\System\BzTZTPz.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2180-114-0x0000000002370000-0x00000000026C4000-memory.dmp
\Windows\system\KeQinmw.exe
| MD5 | 9bd07cc9963f1d3b1662affa62f12464 |
| SHA1 | 26de346589f72a9169df5fb17e038e68d6b24ee7 |
| SHA256 | 89cc97b16320f785394ef5de4c6c9c4b06b640cb23a1a28c153b8add57f325cb |
| SHA512 | 2fb0cbed06707b334cdcc821ff72e86a1241388a142843619d49a5fd9480a438a1ece7c6c5c86564ed06212ac0064de4c8a3f83af394d6e5b3b2c40c7dab64bc |
\Windows\system\WzOamGD.exe
| MD5 | 8a3a7eac656e7177b270113d7d692f98 |
| SHA1 | ec58106c7690c4e3325f42f379a7b867623f74a8 |
| SHA256 | fc622b04c05820dac7cf772a210af030752eda2506d65903bc0fca19b74ce360 |
| SHA512 | ac6115ff100163bc791d747aeefdb025a026f3780e2397962c9f37796236491952189c853d1110ddc65bded13f352f17ed0a01e1510e709d54095318e87b063c |
memory/2992-95-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2180-94-0x0000000002370000-0x00000000026C4000-memory.dmp
\Windows\system\UziJOyJ.exe
| MD5 | cb1f1b052ad8263172da46dac27d9d2f |
| SHA1 | b4ecbe6e6c85c2ff8f363f4cf7af5e009e00ac50 |
| SHA256 | b0709f2f228cbba5b450c55547daad3b55f36a2aba4b737bd493f860f5a3c1fb |
| SHA512 | 01226ef9262f0ad5705f2f4406e78703ba1f4e265a95fe7343d89bd7952fe9e4efb9f56ead3647165e39fbc61b5d6354a0e6b370706553cac55358120ae4c280 |
memory/2180-84-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2180-135-0x000000013F470000-0x000000013F7C4000-memory.dmp
\Windows\system\JUTPhdj.exe
| MD5 | 4b99ed879e5b7e2b721ce99c015ba243 |
| SHA1 | 3a136a160b9d6b5108e13528861470aaaf08a8cc |
| SHA256 | 983c73b71c988200f239ac173aa11c2ab3ef22722f36ce0718ef926fb4a52e87 |
| SHA512 | 2de3bb3d013179ce4aaafe310dead9b464577d6817113bfba53ee1f35b88779ed3662cc9ab5f5a34177f8f310a0ca85ede34486e98130dc82f7c85307c068f5d |
C:\Windows\system\CXchmCe.exe
| MD5 | be53e99e19e66d39d3c36f41aa3fec60 |
| SHA1 | 302425bc50b4e87dae4d8c7406b781638dfcec7b |
| SHA256 | 51325830205c2ee0edbce89ef2d57d84dc90d9180d5b30270c20d9bbc587af71 |
| SHA512 | a16f4216f9898bef4f12dc7a5afa957ec495575bbf316f9acc6f7861c52c92a5f04d9ee627398f997ca7430c9b4bbb7d4a1cefcb667545821ddc64e32b7712a3 |
\Windows\system\DpZpLjk.exe
| MD5 | 8c23816eb9b303e305b9552626838883 |
| SHA1 | dbaa4e9a0eed60c87c007fcc98bc77a63d2282f5 |
| SHA256 | a5a365948750a5991dbbfee8c66a4a5c938f66386b82120730604d3550ec9e8d |
| SHA512 | 018330433fd957de02602947765d85992abdeac8c29ff54023643f048b3bf1eba1e3542798185ade7c09b226be34cc6d974e8340e4ec31d6803981e070d909b4 |
memory/588-62-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2180-121-0x0000000002370000-0x00000000026C4000-memory.dmp
memory/2688-120-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2180-51-0x0000000002370000-0x00000000026C4000-memory.dmp
memory/324-136-0x000000013FDB0000-0x0000000140104000-memory.dmp
\Windows\system\vDzQnNE.exe
| MD5 | c62d1d62d1f0af8cdba6ac8db785dcd3 |
| SHA1 | 02e041565c734da50a6635b8a91ad004a70e96df |
| SHA256 | 5b6fdc09008ec4305717aac1d4a8ae2d30c99b1a2624ab5c73b88e2492aeeef3 |
| SHA512 | 8b4e27dc1db6b0c0a1758856231bd9b197e4890398a8cabd0ef52fe4c21e8b5710c144f7c557527fa3d783d15979f1b10cfeade32f3abbc0064979bee9160b0e |
memory/2180-119-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2180-118-0x000000013F830000-0x000000013FB84000-memory.dmp
C:\Windows\system\BzTZTPz.exe
| MD5 | af23d849611468cffac4b073fa876298 |
| SHA1 | e1fb6b2c12c206a95386f6546974ebcaeec0b157 |
| SHA256 | a8bc4c9e997836b2da649a8f6912412fda54c0cf10bb127f879f2050b1a96482 |
| SHA512 | 844faa7f4a5872c09ff9cb05914db9338d88559e0fa993bcf3a6b3bb0a88ea7f9b2de4711bc874b53a87c53f7d559427a9889a690e3d0f21d4d77a330a21c554 |
memory/2180-110-0x000000013FDF0000-0x0000000140144000-memory.dmp
C:\Windows\system\dvOqknK.exe
| MD5 | 0734ec3e4b2b7e970c132ec475734c14 |
| SHA1 | 99348a6d85b832b7cde7cd39510cffbad9976950 |
| SHA256 | c6be7df3679765c2cddf03fb102dbdd9179c58bb5955a846360ea713420ffb13 |
| SHA512 | 2b589cb51b25f4e14315d2df33565fb36ca9299e13b6c251c55fda934ee97006401399ec61a8e4e84413206befb06d9b16a399f7f0288dc7d39112f51f74c9d6 |
memory/2520-102-0x000000013F370000-0x000000013F6C4000-memory.dmp
C:\Windows\system\wGsnATT.exe
| MD5 | 793906678ea48968fc7bcb0a49285aad |
| SHA1 | 1ce3bdc039fb880757a3156e3237995d7e430e33 |
| SHA256 | f0031a36c4b2a00b39fba7710db387ad82b67ce1c4a919b8efdc9f8b00e68eb0 |
| SHA512 | 1195ba5b2377749d5ed05c9a3f433c680e5108eae2f432e2fcece6c0e2fb14f5d76a115d50f64e258ab6e986f0dccb14d9e85f8956132025929dcd4f1e354bae |
memory/2180-99-0x0000000002370000-0x00000000026C4000-memory.dmp
memory/900-90-0x000000013F640000-0x000000013F994000-memory.dmp
C:\Windows\system\exouqCV.exe
| MD5 | cea930affc3e29a27cd156d77909ca9d |
| SHA1 | 1692b073ba12015effecd9b4271dbfdb4b5b56fe |
| SHA256 | 227e3785d1868463194ea1cf6e1a282aaf7ca79f714c947b0cb771e0e82dfdbc |
| SHA512 | b80c46dad9346ba8e1484225bbee43292437eb72b49bd0e4a1b3d1fa256bcbcc2e2aaa75b54db35fdcba308664e14302766916f60242cfc0bb5bf90e721d7d4e |
memory/2640-88-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2600-80-0x000000013FDF0000-0x0000000140144000-memory.dmp
C:\Windows\system\FEXpPGa.exe
| MD5 | 965b96589472ec4a5e1eb6db24532e4b |
| SHA1 | 61abef3909c3f87e126824bd45a50fb6c295b7ef |
| SHA256 | 2d7a665f08c6ab52cadfbbeee77bec460dc2eab36106912ac755a37d4c8c7610 |
| SHA512 | 0666e8a3bd8c66648ee7abdbba0b3814443585d92a465a850e2d61942d1015cc4428670d036c3fb8ab269398115a75a024434557d6402a2fb4b54133ba2570c8 |
C:\Windows\system\EytSYpV.exe
| MD5 | 0829c4f0e3ed3fb5a1e346e5b60c18cb |
| SHA1 | aef68af101ea32994c6b149b9045c9c7d7b052d0 |
| SHA256 | e6b3bdbdd170f438555edf6826638d2b22a0b5120cfeb2a6c792a724aa830a2c |
| SHA512 | ca4a66fc7b00507beeb8e3578df5432784f34048861dd7c511400d53854c59ef07ddf01a3e93de753e905a19cb459d2e09a3be24ad6d07f9e4819fc2fc7a8b0c |
C:\Windows\system\amqItfy.exe
| MD5 | a78000a1433dcd5627c7c68f0f5756b0 |
| SHA1 | 59a7f0d88e887985db5efdeef0720418f3dbcbdd |
| SHA256 | ea85cc83f38cc7a6700756eb8f9a962ab712f767c95d29f4c81d6bed0b1fcc9f |
| SHA512 | e5bc72e49a1b3293b0089f4e0d4d9e01792536bf2900aec38bf59dc303fa5dea7e91c0aef0b8879865ffb8818ff7134cba589c2adfd40ef5cf7b108a16a85f6f |
C:\Windows\system\AbKeNWG.exe
| MD5 | 907e61bdd172441e7408ae40419ec34e |
| SHA1 | 6bdfe1bb4ba4c742cd2f6d31a4e385597548503c |
| SHA256 | 22be21d76db3226a8039bcea5a0cb24c8c6d7d2681768a74e0a0384ff63403fc |
| SHA512 | 49362cb9d893111107d4bcb6c57502cec84e4b76b7e5fb20efe3b6cb5f27ed3e3bfbf191da625d462b7f876117579a73f9bbb8f739c786dcb3f0c1916914a8d0 |
memory/3012-44-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2180-42-0x0000000002370000-0x00000000026C4000-memory.dmp
memory/2860-41-0x000000013F830000-0x000000013FB84000-memory.dmp
\Windows\system\ekDwZVE.exe
| MD5 | 361a8bd03a714598d5018c857040121f |
| SHA1 | 614b7db3048a058e83ab46d3c1f046256a3032cc |
| SHA256 | e93849d89c9a568daa7c25edf49f147091385b08c8efa1fe92bfbbde3c4a2b71 |
| SHA512 | e793a50d37f4bc365f68a832281744ff988df1f347bf57d54ffaa8e154ba003317c3155351d0fa5eae1b7b4224dac0a393df57cee364e1aae8025c2dc55da4cd |
memory/2180-40-0x000000013F830000-0x000000013FB84000-memory.dmp
C:\Windows\system\ITzkBuF.exe
| MD5 | a88db5b76932f4b2668e366d20367c97 |
| SHA1 | c033237328aa505a36bf11f2b369d7f5d949f8b5 |
| SHA256 | 63fb3f84af6a9a9735b01e0748827124377d0488842dab7d67c64609dd2501e9 |
| SHA512 | e882f64ba09de064a4e95af3312ec682f345cad9a0608122d56183572fc3bbf9f9757bee608e60c348959ad6e8255712240d21d7ab3c920f3272bc71cb60e1cb |
memory/2180-30-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2876-29-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/284-26-0x000000013F090000-0x000000013F3E4000-memory.dmp
\Windows\system\yHlKGdh.exe
| MD5 | 5374bbdafe2601f9feff8aaa516798d3 |
| SHA1 | 83a29a47b6112be7872920d017093e3dd39e6f15 |
| SHA256 | cfab3e11865f024836f6e253a95fc4503bb96ef939c77cf24212faecb55794ae |
| SHA512 | b7847be652d416d9115722fa4295585c5f29470a1cf0e28ee4c062f1bd5360806efb8b457db9bb4c20ea12ee27526b9bd883db8f6d5a582bc3d49346e9fe8b59 |
memory/2180-25-0x000000013F090000-0x000000013F3E4000-memory.dmp
C:\Windows\system\JlrTebm.exe
| MD5 | 617d0b816799d2d1d82c822785149ca9 |
| SHA1 | 737ec467492f66dd07997c8783ae723b70f978f1 |
| SHA256 | 438a939d4f235cae33b4258a31d16c88b0b65a4daf7729402a859151bfca6c12 |
| SHA512 | 2c82209659e4ca82e9ae048561e11638fbf490f76b9c17c0e02047121f1ac79bbf22cecb07b5ca2ed91041adcb89b52e43b107642a160d3ace07d3f7fc1e6fa2 |
memory/2180-16-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2956-15-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/324-13-0x000000013FDB0000-0x0000000140104000-memory.dmp
C:\Windows\system\ZXMfZpu.exe
| MD5 | 51dc2a54c24ee8c83e2f841950f176cc |
| SHA1 | 5a79b3478f181f7b5a4d14df481c05df0182932a |
| SHA256 | 64c2c2fae0bae16d4d21f3911698d63c22cf255f8974582817bb57c125e0e8ce |
| SHA512 | 1994b9c18b821dde12ebc335b7cab2b30267523ea87b5040590914e340892757db9cca5c1a95aa696e2f00a54f14fc4b24f6bd3d4b6d5d3240254115f7eef705 |
memory/2180-7-0x000000013FDB0000-0x0000000140104000-memory.dmp
C:\Windows\system\dTpskZN.exe
| MD5 | b79c945ff9bff991bfaa43c20318797f |
| SHA1 | a32886b473b08966baf7fdbe82486dae00b5eb87 |
| SHA256 | b27eb0432f29b1f811c0715abac88782a0686afca3d28ba305819314adffd096 |
| SHA512 | 47b3f986d46f7b8fc6f0704045206aee1c515bec8a86bd955604e4c4beb6b3f4754d765ff6c00d04fecc8872655aad2847450178f00af19763a0e65fa3d18f71 |
memory/2180-1-0x00000000003F0000-0x0000000000400000-memory.dmp
memory/2180-0-0x000000013F470000-0x000000013F7C4000-memory.dmp
memory/2956-137-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2876-138-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2180-139-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/3012-140-0x000000013F520000-0x000000013F874000-memory.dmp
memory/588-141-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2688-142-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/324-143-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2956-144-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/284-145-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2876-146-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2860-147-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/3012-148-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2600-149-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/588-150-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/900-151-0x000000013F640000-0x000000013F994000-memory.dmp
memory/2640-152-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2520-154-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2992-153-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2688-155-0x000000013FAF0000-0x000000013FE44000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 15:45
Reported
2024-06-01 15:48
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
154s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\arUESyV.exe | N/A |
| N/A | N/A | C:\Windows\System\FoTfXGF.exe | N/A |
| N/A | N/A | C:\Windows\System\atIoMRj.exe | N/A |
| N/A | N/A | C:\Windows\System\QzzzlBn.exe | N/A |
| N/A | N/A | C:\Windows\System\ssCpgNK.exe | N/A |
| N/A | N/A | C:\Windows\System\UTZILws.exe | N/A |
| N/A | N/A | C:\Windows\System\qyNCVox.exe | N/A |
| N/A | N/A | C:\Windows\System\cwNUqLi.exe | N/A |
| N/A | N/A | C:\Windows\System\gCqlNFw.exe | N/A |
| N/A | N/A | C:\Windows\System\qwLRlyB.exe | N/A |
| N/A | N/A | C:\Windows\System\amNBlCa.exe | N/A |
| N/A | N/A | C:\Windows\System\DOdGfBt.exe | N/A |
| N/A | N/A | C:\Windows\System\zvzdvAo.exe | N/A |
| N/A | N/A | C:\Windows\System\gONlbyN.exe | N/A |
| N/A | N/A | C:\Windows\System\fZEEnnl.exe | N/A |
| N/A | N/A | C:\Windows\System\LbtFzXG.exe | N/A |
| N/A | N/A | C:\Windows\System\gFmwepo.exe | N/A |
| N/A | N/A | C:\Windows\System\ZDsaepx.exe | N/A |
| N/A | N/A | C:\Windows\System\jOOduUl.exe | N/A |
| N/A | N/A | C:\Windows\System\vljErqr.exe | N/A |
| N/A | N/A | C:\Windows\System\qFTCLMb.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\arUESyV.exe
C:\Windows\System\arUESyV.exe
C:\Windows\System\FoTfXGF.exe
C:\Windows\System\FoTfXGF.exe
C:\Windows\System\atIoMRj.exe
C:\Windows\System\atIoMRj.exe
C:\Windows\System\QzzzlBn.exe
C:\Windows\System\QzzzlBn.exe
C:\Windows\System\ssCpgNK.exe
C:\Windows\System\ssCpgNK.exe
C:\Windows\System\UTZILws.exe
C:\Windows\System\UTZILws.exe
C:\Windows\System\qyNCVox.exe
C:\Windows\System\qyNCVox.exe
C:\Windows\System\cwNUqLi.exe
C:\Windows\System\cwNUqLi.exe
C:\Windows\System\gCqlNFw.exe
C:\Windows\System\gCqlNFw.exe
C:\Windows\System\qwLRlyB.exe
C:\Windows\System\qwLRlyB.exe
C:\Windows\System\amNBlCa.exe
C:\Windows\System\amNBlCa.exe
C:\Windows\System\DOdGfBt.exe
C:\Windows\System\DOdGfBt.exe
C:\Windows\System\zvzdvAo.exe
C:\Windows\System\zvzdvAo.exe
C:\Windows\System\gONlbyN.exe
C:\Windows\System\gONlbyN.exe
C:\Windows\System\fZEEnnl.exe
C:\Windows\System\fZEEnnl.exe
C:\Windows\System\LbtFzXG.exe
C:\Windows\System\LbtFzXG.exe
C:\Windows\System\gFmwepo.exe
C:\Windows\System\gFmwepo.exe
C:\Windows\System\ZDsaepx.exe
C:\Windows\System\ZDsaepx.exe
C:\Windows\System\jOOduUl.exe
C:\Windows\System\jOOduUl.exe
C:\Windows\System\vljErqr.exe
C:\Windows\System\vljErqr.exe
C:\Windows\System\qFTCLMb.exe
C:\Windows\System\qFTCLMb.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\arUESyV.exe
| MD5 | 1f4ed630a60b160404c0d57d33d69189 |
| SHA1 | 2000b7f55b8deacc74099590e6d1afe30ab86029 |
| SHA256 | 0df1f91835585e1ab68783d97c9b029e843bee2b2007593a9ad6c342dc906b43 |
| SHA512 | aae1cae39eb64336329c79cc2877458db3fc535d51e5e036bab1fe99d29fcfa61a486cdd909ff0894a05b3487a5500d3930558c08721c5c9cd227c241c21bf4f |
C:\Windows\System\FoTfXGF.exe
| MD5 | bce73dd54312279e69472e7a5711b4b7 |
| SHA1 | a65cf6994c929b116fc7dc3c9a71f636ffd155d1 |
| SHA256 | bfbf20864cac99d667b9d7f1d25567dc16356a846c030f0a24399c2bb5b815e3 |
| SHA512 | 56812f58a6f7942bd3ba4dc9e7ab23479deff48da0f157d5bf4e5e9a039797d5e1fcbc54fa700ff3c312b686ba11b02d7c8270d4c07c00c42d12aeb7d8cc8f09 |
C:\Windows\System\atIoMRj.exe
| MD5 | 58ac3650bd9d01dbdc1f934e794a59e3 |
| SHA1 | 9d9f4cdc52880f2a8b9543494426eb4196b0b268 |
| SHA256 | a15b1b2417f24277776f6f0a53e0c5ac8f5bb3e219f2b2a8dc0233544a78b240 |
| SHA512 | 64f088f3fd72e8a94076c0da1d93d95a738b6ccfe100481599858a44325be17b813177c12bc46e1601506a4f1f3d446fb40cdc74eaf0b7ad0ffcd6f26ab96d49 |
C:\Windows\System\QzzzlBn.exe
| MD5 | d38063daf386104370218f7a4e7d7a3b |
| SHA1 | 4200cdbb581a783efae6d208213fa5428ff7dda9 |
| SHA256 | 4fa9fccff8adf568235fdb76767df29c7e22eec7c30d1824a6ac6ba43359348b |
| SHA512 | 466fd68aaf83c38951d370100bd3ff7b01e9d8d71bda1d77a77c4f3be4b8df2745e9e653bcd398fd5b87b23163d12d24ddc458c3c638a0cb85a6cb55c153ad6f |
C:\Windows\System\ssCpgNK.exe
| MD5 | 95bfdfb8a3f42c6c55ebe546ee5d9e3d |
| SHA1 | d59bb3408270a365527d2f68e59d8ffd00868ecf |
| SHA256 | b63a280bfeb2e9d4bc6047bcf3ca5aa341732a39eba00c783578da420c535769 |
| SHA512 | 5e60fcf621009e2347577fc69213edae84370d9eb28c4400a0fea7b8f01f9d7c5e832668dcf2086f80764b6fb9f50dee286a8029e01c5aaba203be96d989e609 |
C:\Windows\System\UTZILws.exe
| MD5 | 41fc3a02c97ffbb69ea3cad3568435ce |
| SHA1 | 172a2d2d71afdb549a7fee978b3cd6508f70dba2 |
| SHA256 | a7d3b5633357612df87c52bee42c641051bc8cedf3c28e73aa9406f0238e6329 |
| SHA512 | af10b556cde4838da66359ee5a605e289e779a1e8d6fb89e1ba3cab71a57a0b1ae2d2bd4433637c2e3e7d15b68e35603835186d3f05e288193a046a267d55c41 |
C:\Windows\System\cwNUqLi.exe
| MD5 | 52374cedbb0c122a95f985d6a4eaf0cb |
| SHA1 | a40b98489040c81b9672feccc2ea662ea3d6e1c6 |
| SHA256 | 4eda88aa34fc29e333ef97a851fec1972012298a6aa5b71c90e53068818d8ac6 |
| SHA512 | 2fb88018fba2b813ccbaa92f7255a6e67eea0e169b5081eade674bb3176b60d2380ec50d4b86f3d6cc28022ab140adda9c8fe1094602f03387248304f8c66292 |
C:\Windows\System\qwLRlyB.exe
| MD5 | 181a395d613f525c6b97ef4ba66a1007 |
| SHA1 | 4132ed74c51d606dfa1e05c413a48ded69e7f5e6 |
| SHA256 | 668ec22a441a98c5726669a3ad32f8d2a0b292d23dd3a1453963e5a57ac7ccf7 |
| SHA512 | 8628b3ea8d1fb660973013ebbaa00c166867706da8467fe577578dab8dc0c7daf78cb1252bf448eab413d5673a9b31a1bcc7446c04c40992a426ae189f171fb4 |
C:\Windows\System\amNBlCa.exe
| MD5 | bdc1e5be5b855bdda1ec5a6b8a50f862 |
| SHA1 | d119b8169be6ea1cd9244843af359727ef5a5d40 |
| SHA256 | 92dece39c783cedfa29a028a81b068528bb7d3234964c5eef7c0ab28fe625c05 |
| SHA512 | 0be71b008877702959d9f7e7439f63241008c2e686669a240670c181813b7538dbb4cfdf807be7ce98c061c1621569804c50e503f6ddea181528c98cbef47c4b |
C:\Windows\System\DOdGfBt.exe
| MD5 | 6d2c070204191055042db76135a28713 |
| SHA1 | 4d1c0c66aa920df7f8406b2ebc2bcc819203ee29 |
| SHA256 | 70bdf0c236e42e62d58e2f7a0d925e0ef37e97e30c237ac49a58467dec0e5faf |
| SHA512 | 64c18bc0b1cb46b3940b83b14434529ad6a78bcff3e3623e245bdc31e6655ddd6ddcadc8584f896c6155ca1e5df575dc6bcfbce7f0609f9b6cb36f87c0d06740 |
C:\Windows\System\fZEEnnl.exe
| MD5 | eae541b98d46f75fb9f11fa41b046fc3 |
| SHA1 | a8e423065e294d6d7dd601e5006d377afc390bd9 |
| SHA256 | a722245fa93849956d66969c3779990eed8a5064c589fa9eccc1bb17393aeab9 |
| SHA512 | a34e86e492c0e6e9b567a5447ad4d2fc9f4f6f56d3eacc5f7a575e116e021f7c3b4ffd82ce68f077d1303c75611804fa2a3cfa023ad650564cd7c25a3b2e40c9 |
C:\Windows\System\ZDsaepx.exe
| MD5 | c8d00fa33f2aaddb269f7a44b036af52 |
| SHA1 | f1af1925071b60c37f19a565e7728a2b582625bd |
| SHA256 | c4b1a3777ba3186ddfddacc819cb153e83c08017c0d845b50035f2c13fd9ff67 |
| SHA512 | 748db20434f4da4b66ab32ac4c091a428b1395d2e147559e8c76e9199c0cc07365c3a0c3aeb879e8debbde24561126745dc1cbaec688fdff6d868887fcbdfe48 |
C:\Windows\System\qFTCLMb.exe
| MD5 | 69a0502cc23d739534a28c57fb8d7157 |
| SHA1 | ad8a00f803938dc7e9c94dbf61d40b8554dd4f00 |
| SHA256 | c1fbee92367f676c515cd02a92bc9a2fc95c071ad35a3217d3eddd87e5f1c5ba |
| SHA512 | d9a38915d355dc3dcbfd9d0ec348d9b03013a7403cfac6af6ede5d81df6edf4880bebe7514b04e7fbf6f296a62b13f66f75905297682c34ede02b97f6880b101 |
C:\Windows\System\vljErqr.exe
| MD5 | f6d32408e729bbcf8d732f54f6d7ff1c |
| SHA1 | c9d79e367615597d80e48edb030ddee42535e754 |
| SHA256 | d926050e9fb958766acde8ddf2afbd797fd6261855197eda15598ef3bfd56fc2 |
| SHA512 | e2ac1b7ab52bc12d5f03ba4ef1d6123e9019a54bf5e242dcedc330d89a974b352aebfeb9b67b443d7df186f679e0447fb52bb38eee08a7469a78ca02e166edde |
C:\Windows\System\jOOduUl.exe
| MD5 | 96ee818d5d4e4dc85b46479350888d29 |
| SHA1 | 5674edf634d766549c5882babe6d3dd4a57762f1 |
| SHA256 | 40769511374c015f946ef9af9ec3b2c82e540fd8e4257e11a0e8879459f5e8ad |
| SHA512 | 3decbc16dfc9bfc05b964f91c1ff0fc7eb18d57e7217a9ee2fdac2c653a2add81a00d5c83b19dd14d10d94f1cddf29d3e4468eaabf2126090020f245a0de763b |
C:\Windows\System\gFmwepo.exe
| MD5 | 465c2e1a3b45c820a2cd442959ef86bd |
| SHA1 | e468905eb1426c265ac6c76ce1c9b1912cc1e5c8 |
| SHA256 | e42a829c34076ddc44ffc4009297e5c334e19b19b02f647b74d52347e0271c69 |
| SHA512 | aa59d67cf40fc42e63226b6d82fa7bbaab0352441e125eec6b1cdb32baf371c4953bd8931cee0f25531859cd1df2558155e2594eee8c4409a0c9cba73ebf877f |
C:\Windows\System\LbtFzXG.exe
| MD5 | 743f07d0a5eae6fd8c1eba2e5aa6f138 |
| SHA1 | 27e2d523be43b42c1110c5a96f4e9f259d08275d |
| SHA256 | dcdb99d719eedf3e6e00452a3ad388a70a3b371a1caf683d300f746df12e09b5 |
| SHA512 | b7e8d9a8fead2dcc5ec5918bedfaa34ccfef2ebe004330f41148130f64c7f6c2756b1e5890309aa86e18f33e6ecfde6d8ff67ba0a34e8a3468b174e27a3b8649 |
C:\Windows\System\gONlbyN.exe
| MD5 | fce3f3f8a0934e8588e331492a31ee61 |
| SHA1 | 402557b378c613703b28f83cf85b565cda85f709 |
| SHA256 | def91247785b8e4546f06c9d98b5c007336615d7cd156ecc039eb45103e33f60 |
| SHA512 | e5eb09e3530b906f853b9a964750ef54678050966f7f02259e66f9df4e98b14317bd59491330e84a4078d2ea9ca76576f514112353e096a87c422d8c82b7ef07 |
C:\Windows\System\zvzdvAo.exe
| MD5 | b3411483f9116ed81a8af145d4082f0f |
| SHA1 | d6936375c2bede924b87e820f90a22d657e4997c |
| SHA256 | aabd4ffb6756e01d4edd4b522d482661071fd1ad859c109b9992f0ff49b56362 |
| SHA512 | 23eb8c78cf6921d56329204c3df72e7e16e2e2330377f40e92460adcbad069dfd8b217f983a37d8e8b8282db28599df502eaef43e7c62a7705808af7a9084ce9 |
C:\Windows\System\gCqlNFw.exe
| MD5 | 59136a431ca5fbf60773d44f31e3db36 |
| SHA1 | 74c0841a54059341bc425aa812397bbf8492b677 |
| SHA256 | e8ec920553b4767abe5d9e39a4f506ac3811898d38c0cfa3b3b52126d126bbf9 |
| SHA512 | ef2bfe3be6fd78ff05da9c90e8de274a9f9dc2859706b20d5ac1e6b180098ad5fc0d432cff586940216a1c0b9b50e5fae48a223bd389e0c7fdb8cf609685415e |
C:\Windows\System\qyNCVox.exe
| MD5 | 5b5a6350e842582ea2554b515c364096 |
| SHA1 | 6358278dea81169ae850e37b03e38111bd7eb32b |
| SHA256 | 3cf75a96058a04cc763097fb2625cf467a9249530790695e8a5777614ca82d29 |
| SHA512 | d67cf6f0ccac6db80e235c6e6e1ff789cf68950524b7ec0811ffeed077e9bfe24c43573056afbeb79b74095c5c281c8a908403209edce77b63dc8cafdda21c3e |