Analysis Overview
SHA256
df0b9a534d45764fd14bac8531c59bed3907f4a5d7b695ac044d60f4992896be
Threat Level: Known bad
The file 2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobaltstrike
Cobaltstrike family
XMRig Miner payload
Xmrig family
xmrig
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 23:21
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 23:21
Reported
2024-06-06 23:24
Platform
win7-20240221-en
Max time kernel
137s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\VhWtUqm.exe | N/A |
| N/A | N/A | C:\Windows\System\pAFmoFY.exe | N/A |
| N/A | N/A | C:\Windows\System\ZNRAYqg.exe | N/A |
| N/A | N/A | C:\Windows\System\FbClxMG.exe | N/A |
| N/A | N/A | C:\Windows\System\cTIQZfP.exe | N/A |
| N/A | N/A | C:\Windows\System\MvmxSFO.exe | N/A |
| N/A | N/A | C:\Windows\System\EVEYOdY.exe | N/A |
| N/A | N/A | C:\Windows\System\jgNUVjn.exe | N/A |
| N/A | N/A | C:\Windows\System\bNPDhdK.exe | N/A |
| N/A | N/A | C:\Windows\System\qovqMFe.exe | N/A |
| N/A | N/A | C:\Windows\System\gKjrVQA.exe | N/A |
| N/A | N/A | C:\Windows\System\kuaCwXt.exe | N/A |
| N/A | N/A | C:\Windows\System\MKZSvtY.exe | N/A |
| N/A | N/A | C:\Windows\System\mRqntGl.exe | N/A |
| N/A | N/A | C:\Windows\System\XuAiQVQ.exe | N/A |
| N/A | N/A | C:\Windows\System\KZLFmZL.exe | N/A |
| N/A | N/A | C:\Windows\System\mrdcjnH.exe | N/A |
| N/A | N/A | C:\Windows\System\AjLkJPC.exe | N/A |
| N/A | N/A | C:\Windows\System\gFTDBYB.exe | N/A |
| N/A | N/A | C:\Windows\System\XmMZceg.exe | N/A |
| N/A | N/A | C:\Windows\System\zrBrvyw.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\VhWtUqm.exe
C:\Windows\System\VhWtUqm.exe
C:\Windows\System\pAFmoFY.exe
C:\Windows\System\pAFmoFY.exe
C:\Windows\System\ZNRAYqg.exe
C:\Windows\System\ZNRAYqg.exe
C:\Windows\System\FbClxMG.exe
C:\Windows\System\FbClxMG.exe
C:\Windows\System\cTIQZfP.exe
C:\Windows\System\cTIQZfP.exe
C:\Windows\System\MvmxSFO.exe
C:\Windows\System\MvmxSFO.exe
C:\Windows\System\EVEYOdY.exe
C:\Windows\System\EVEYOdY.exe
C:\Windows\System\jgNUVjn.exe
C:\Windows\System\jgNUVjn.exe
C:\Windows\System\bNPDhdK.exe
C:\Windows\System\bNPDhdK.exe
C:\Windows\System\qovqMFe.exe
C:\Windows\System\qovqMFe.exe
C:\Windows\System\gKjrVQA.exe
C:\Windows\System\gKjrVQA.exe
C:\Windows\System\kuaCwXt.exe
C:\Windows\System\kuaCwXt.exe
C:\Windows\System\mRqntGl.exe
C:\Windows\System\mRqntGl.exe
C:\Windows\System\MKZSvtY.exe
C:\Windows\System\MKZSvtY.exe
C:\Windows\System\AjLkJPC.exe
C:\Windows\System\AjLkJPC.exe
C:\Windows\System\XuAiQVQ.exe
C:\Windows\System\XuAiQVQ.exe
C:\Windows\System\gFTDBYB.exe
C:\Windows\System\gFTDBYB.exe
C:\Windows\System\KZLFmZL.exe
C:\Windows\System\KZLFmZL.exe
C:\Windows\System\XmMZceg.exe
C:\Windows\System\XmMZceg.exe
C:\Windows\System\mrdcjnH.exe
C:\Windows\System\mrdcjnH.exe
C:\Windows\System\zrBrvyw.exe
C:\Windows\System\zrBrvyw.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3064-0-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/3064-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\VhWtUqm.exe
| MD5 | 0100ed89ca85ca6cc934570271909710 |
| SHA1 | 5e4a78b3492b72319b540476f4fddd32cfc23fe9 |
| SHA256 | 85d642d0e0880e9458b27f273d35186aa4732b5151d06c2871f7a3011aa39f8a |
| SHA512 | 11369124a37cb3266897c41915e56c24a390e1c31a0c41878bd3599e88a689591177104c796253a7841a601f76751696a35be9cfef40a188b9829607c6751bd9 |
memory/1872-9-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/3064-8-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
\Windows\system\pAFmoFY.exe
| MD5 | b0127299f797cb7bd681d12fa6dab5ff |
| SHA1 | aacf63bfb99664e16b4a8627932d2d049b63517c |
| SHA256 | 0b9a1c3dccf5b1af7bc6a5667d5c62792a49d10529e505711b778f45973c2693 |
| SHA512 | 7852a19b241883a395c23924874bd741f113ff345ea1af87fd6ba9ba55b0cc265cc25d3b42ad03a0ce6cfa5ede6da06625e647daf809aaedcce45f02042bfb02 |
C:\Windows\system\ZNRAYqg.exe
| MD5 | bdc8ec587c9592411e85a4c7179f4c12 |
| SHA1 | 09c71b12fe6f8630efe110f8312986e2107cfa1f |
| SHA256 | 943f8681659e19da74dcf1ffd2447eb01cbeb008f5f3419e160e5f1002a81890 |
| SHA512 | a4601201729a74365050b9510f5ccecd91a9d97106a76b439e0d6884937be64a89c011fcc5f3abb1362315725827b54622dadeab08b8f95b5c509022ea0399b7 |
memory/1988-17-0x000000013FAC0000-0x000000013FE14000-memory.dmp
C:\Windows\system\FbClxMG.exe
| MD5 | 78ad31ea7881758071a52c3966f27883 |
| SHA1 | e1fbf9c111e63c525f649aa57a8badea9d888870 |
| SHA256 | 17c1ef031ceb4c6be63a119b9052ab8ff5348d51beed930fb022705ff791c7df |
| SHA512 | b943e171acdbe12ffff845f20015eb81e8b96133a12d1510b77a1b42c2dd5b67e3b829b00feb520c0e23ee97f8143530f00a2404e551cd78fb676472cdade0e5 |
memory/3064-28-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2620-29-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2516-27-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/3064-23-0x00000000024B0000-0x0000000002804000-memory.dmp
C:\Windows\system\cTIQZfP.exe
| MD5 | 5c71b5b79d7001baee359e39aad94b38 |
| SHA1 | 63a34dd07310630308e1645c678164140887ecde |
| SHA256 | a94dcbe1e3981f47ffdb4bbafd014add391a2579b37ff056b71de14d8691caed |
| SHA512 | cfb31b71d25668be2d022c402eceb68ad7088406d6f4bf14f19e609266635df44425aa3b981c2fd09ebfd74ccb5f462144a98a384cb151b0589470ade3867107 |
memory/2540-39-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2716-43-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/3064-41-0x00000000024B0000-0x0000000002804000-memory.dmp
C:\Windows\system\MvmxSFO.exe
| MD5 | 1d9dd2919111dd9f3bfabf9e80584386 |
| SHA1 | 41400fc2ecd2ed52a67053298bb17e567416e115 |
| SHA256 | 14c03cb6e6e598a544b6c1d2a08179923a4e969c0d6bd257fc898e69eb745d5b |
| SHA512 | 320843660e280c2af163eaabd84c322ca9db518824361e6f11dff997e7663372d2a7db0f5532df7a42754abdce8c371ae265eb104584eae15ee31c03bc5e9afc |
memory/3064-37-0x000000013F240000-0x000000013F594000-memory.dmp
\Windows\system\jgNUVjn.exe
| MD5 | 705eeebe0dbe59d458eedb91aaf080ce |
| SHA1 | 0a4c7a3fae9ace2503404ba7c2a5df4ed65539a9 |
| SHA256 | 37f17c085cd9b04e05f553e100bddfa4603644fe878f9655a37e339eebc1cba7 |
| SHA512 | c8fc5b85df87b8d634a4203cbb6f0d772bfcac88f37e4dd75a4206092d4326ca5dfa26a4b676df8c70430934ffde38bc5e4b52ff7931e9b2dcd90aeeab38ee9f |
memory/2584-55-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/3064-63-0x000000013F8C0000-0x000000013FC14000-memory.dmp
memory/3064-62-0x000000013FF10000-0x0000000140264000-memory.dmp
C:\Windows\system\bNPDhdK.exe
| MD5 | 208dafa074ac123d00c12fe271a57d0a |
| SHA1 | 930d77c9250f26ccb1c1d33f9380500dc4c533e0 |
| SHA256 | 4ba1d706e8b2d347c0d2b40ff36a58f51a692bc7454a32fe9649f330c9aa7a7c |
| SHA512 | 89f427a50a5f13283c166ec3d3eba3d0614b61920042e56cf127f4d6c3cff039f75411dc9865f57f4e145e2e26cc4faf13c9c732cc82afc57e65677afb2b03ba |
memory/2416-64-0x000000013F8C0000-0x000000013FC14000-memory.dmp
memory/2448-57-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/3064-48-0x000000013F970000-0x000000013FCC4000-memory.dmp
C:\Windows\system\EVEYOdY.exe
| MD5 | 2192f64625de8bd09eb425b5301a53b3 |
| SHA1 | 81745742c0e2e52aa5e0024579df1ed049630a0e |
| SHA256 | 117f07a23d113bc08d670c6da11fd8a42773dfe616f0c642dd38ad3b8b6fc188 |
| SHA512 | 919e65ecafb5947f4ad15bc02a49173f3065035e3893aab5edb163a6cd0961b4f9476900a8537ac953665c3f51f1e5f21ab913255b2ec3843c71a91b2d72b637 |
memory/2516-71-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/1612-73-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/3064-72-0x00000000024B0000-0x0000000002804000-memory.dmp
memory/1988-70-0x000000013FAC0000-0x000000013FE14000-memory.dmp
C:\Windows\system\qovqMFe.exe
| MD5 | 58c1e6e18ccec45d6d879e861730424d |
| SHA1 | 53118d970a4e39eebced1c55a27c5e996914a982 |
| SHA256 | cb39a2da033074d851c84675ecc539970a7c926b939d80fe3cd639e0b922d7f5 |
| SHA512 | b0c723e5551d7854706c2ffbc2fc96b9cc8ac18c8b278dd19301c28833e6778161b7fa7023b4190c72b9bb568b458eae651a53b7c948e224636dd024d3104bc1 |
C:\Windows\system\gKjrVQA.exe
| MD5 | e90dd655ca19fca58cbf5bdf97323c0c |
| SHA1 | 047a0d9076969b34d8f13c4f2d48f38258dd5f8c |
| SHA256 | 7b85a3ac91ed9dea9392ae106b4bac4fe85cba7a52c37ce75273cc1440f1d1b8 |
| SHA512 | 4fb7d60ed3211ba8572ded330ae1f26399520215b0b46d32eb51ee278fb357bde14dfe7174b9d95a8869c5bbb53d276965a4242c782b7480649fa328a2e55a04 |
memory/2760-80-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/3064-79-0x00000000024B0000-0x0000000002804000-memory.dmp
\Windows\system\kuaCwXt.exe
| MD5 | 170a47f9b4a1dc7eb15bea2c43292a41 |
| SHA1 | fecde0ca5a01c6f254cae05c30be2e5b9f032b35 |
| SHA256 | 9713dddeb97eefe481abca3573ac93f5fd761caafda183f3df1a3f36157bda35 |
| SHA512 | 0222c9df203bdc27d82429d961dca6a7c6105ebed7c89448a2c4ae86106ead1ea55ba49361791417becfad44545319986372bf73d97733ef85cff39c55e41711 |
\Windows\system\MKZSvtY.exe
| MD5 | 182fc86a57c54b602e536edf176ebbf9 |
| SHA1 | 5facedafd825d7f6309b9a34e48fd9531b4e37cf |
| SHA256 | 613c78104e5d75cb74ec0bacfa2cef593e6295732d11029797b679dbb5af9df7 |
| SHA512 | 72084e11dcc41eaa7d9b2d26dc64edf58898c6d324f2102b429392be4d4e2e2302bb1ce7efd97cc8b6a049d3ea90e52b8f9c71773b676d8a873ae4f1f158c9c5 |
\Windows\system\XuAiQVQ.exe
| MD5 | 124c950ae78f448f63a9a44787f405c3 |
| SHA1 | c84522c446af821dd59f3b0d5f3308b6af780c00 |
| SHA256 | 843ce5175d1f0c3281ccc62c50df2318a8d57c137466f8684a9cfb4438e90869 |
| SHA512 | 8f95a15d007c03d205756132ffbc884818641b874c87bb73e10cd10b760c1a1debcdfe620fdb67a51e89490de80bd8d422ac717bf07e0c50dd4c0cc058db2b89 |
memory/3064-116-0x000000013F4E0000-0x000000013F834000-memory.dmp
C:\Windows\system\mrdcjnH.exe
| MD5 | 7edc3c51d81942541062a40612988b76 |
| SHA1 | 82622a401fa47cfd39f9756eee95967d64048cdb |
| SHA256 | 4e7e40681a98167046dfe9e4d1e264eb642d0d0772e16fc970976387727cac01 |
| SHA512 | e0be8d7cd2756fb5c43e41e4d6b08fb23e584ff1c0d870584a2b0de66962451305233c200a5f8267e5889a03e7541b4c3d376dc2c8d766cbfd9a866372fa2b04 |
C:\Windows\system\AjLkJPC.exe
| MD5 | c90e3d285dde457c334949a87667cbb2 |
| SHA1 | 0f700664d3e736a0b9c8159acabafe615bb031ca |
| SHA256 | 55fefc5b5afe80b56a060ac8c154de86114b630add8cbb1dcf0a9ea52f756fc8 |
| SHA512 | e06d8ef9116a55110f29cc4dd87842bc8e322e18e36fae77a3da13993b033de6f5bafe33325d5ede3bdcdac81ed702b1c9cf4b116765a42283b3dbab91182012 |
\Windows\system\zrBrvyw.exe
| MD5 | 6cd961357a4249f5aa062c35d0e8eb56 |
| SHA1 | 4fb9e4acd1a8ed9e91ea585205b01de461b6bac2 |
| SHA256 | ec6f2bbdf4286454a52c024eb5ffe76f49d42ebed05399b97282b5bebd10b677 |
| SHA512 | 25a07031e308207984c8d034f13bb9eb42e28b6ee52e33742d216f28898c553052ab40bd0656ee641bce89fc50e40b6ba90196199b8820da8d69cd08c9a28b8c |
C:\Windows\system\KZLFmZL.exe
| MD5 | cd8a478ee3e049c8a1e4fbc4752b6b83 |
| SHA1 | 58a992a49c1f91f89b9dafa89ed31aca73e0dd8e |
| SHA256 | 27070b9d706835898dae6c7abc29f0c220156d048433edf3b8d0ffecbed10c89 |
| SHA512 | f0b0c82d1435919ba0b075489cc3833f3c8f6e13364411af93201007ae7723fbf2d855988dd1c75edb05b0a8169b478b2f2c2cf8a2a06aeba3caa0cf240624cd |
\Windows\system\XmMZceg.exe
| MD5 | 1de31ea9beea17367eb250ef6264c9af |
| SHA1 | b1ae33c0956f2c4ab5f14fb2348a11527f6ad796 |
| SHA256 | 2d699c3d301c0fb12c15e40cfb87b3a7c2ae5d6ad3379ee16c5399a931dbdb26 |
| SHA512 | 0f6bae68fab302e9b5d6e662b1a4f7b1e22c9b4c165af291e01e9602e507dc66120e77f605821181ecfe40661a52d17098cebadc4e2ae50847b3b800c24223df |
\Windows\system\gFTDBYB.exe
| MD5 | fe928464de8d5c2f66f49ee7502e04f3 |
| SHA1 | 23a1a134cf0ec715c3076d25e05a091535cdb429 |
| SHA256 | 05ad5afd509c61767a9c27670f662d4b2715ace8d825fc3b631717a3a7d3a7be |
| SHA512 | 34ad223da3d624b52dec9217f70dec63d19cf103f0800c47d5094df7d0c083c6fb0ce9e549a538edf48e3173aa942ae8e42fbf587f3c34c9b1235a864360ecce |
C:\Windows\system\mRqntGl.exe
| MD5 | a06132dc81d54ee139e985d31e1877f9 |
| SHA1 | d3efd3c8396985e79c67d6e9967148353be64660 |
| SHA256 | cc51e3e73b7a7cba13e4b7102e46c459170c3f686848140fe0d7b36113adc609 |
| SHA512 | 7264dbdfa10b0def34f317ff576d8299ccae0764c253ddbbc9c7a2bb0694d2b004413b67ddd754dc0bca73a390a85b151c8d387dd5113e4c4f63e73b6420ba9e |
memory/3064-129-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2828-128-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/356-127-0x000000013F140000-0x000000013F494000-memory.dmp
memory/1440-124-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/3064-123-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/3064-122-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2540-106-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2716-135-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/3064-134-0x00000000024B0000-0x0000000002804000-memory.dmp
memory/2584-140-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/1872-141-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/1988-142-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2620-144-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2516-143-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2540-145-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2716-146-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/2448-147-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2584-148-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2416-149-0x000000013F8C0000-0x000000013FC14000-memory.dmp
memory/1612-150-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2760-151-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/2828-152-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/1440-153-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/356-154-0x000000013F140000-0x000000013F494000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 23:21
Reported
2024-06-06 23:24
Platform
win10v2004-20240426-en
Max time kernel
136s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\VhWtUqm.exe | N/A |
| N/A | N/A | C:\Windows\System\pAFmoFY.exe | N/A |
| N/A | N/A | C:\Windows\System\ZNRAYqg.exe | N/A |
| N/A | N/A | C:\Windows\System\FbClxMG.exe | N/A |
| N/A | N/A | C:\Windows\System\cTIQZfP.exe | N/A |
| N/A | N/A | C:\Windows\System\MvmxSFO.exe | N/A |
| N/A | N/A | C:\Windows\System\EVEYOdY.exe | N/A |
| N/A | N/A | C:\Windows\System\jgNUVjn.exe | N/A |
| N/A | N/A | C:\Windows\System\bNPDhdK.exe | N/A |
| N/A | N/A | C:\Windows\System\qovqMFe.exe | N/A |
| N/A | N/A | C:\Windows\System\gKjrVQA.exe | N/A |
| N/A | N/A | C:\Windows\System\kuaCwXt.exe | N/A |
| N/A | N/A | C:\Windows\System\mRqntGl.exe | N/A |
| N/A | N/A | C:\Windows\System\MKZSvtY.exe | N/A |
| N/A | N/A | C:\Windows\System\AjLkJPC.exe | N/A |
| N/A | N/A | C:\Windows\System\XuAiQVQ.exe | N/A |
| N/A | N/A | C:\Windows\System\gFTDBYB.exe | N/A |
| N/A | N/A | C:\Windows\System\KZLFmZL.exe | N/A |
| N/A | N/A | C:\Windows\System\XmMZceg.exe | N/A |
| N/A | N/A | C:\Windows\System\mrdcjnH.exe | N/A |
| N/A | N/A | C:\Windows\System\zrBrvyw.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\VhWtUqm.exe
C:\Windows\System\VhWtUqm.exe
C:\Windows\System\pAFmoFY.exe
C:\Windows\System\pAFmoFY.exe
C:\Windows\System\ZNRAYqg.exe
C:\Windows\System\ZNRAYqg.exe
C:\Windows\System\FbClxMG.exe
C:\Windows\System\FbClxMG.exe
C:\Windows\System\cTIQZfP.exe
C:\Windows\System\cTIQZfP.exe
C:\Windows\System\MvmxSFO.exe
C:\Windows\System\MvmxSFO.exe
C:\Windows\System\EVEYOdY.exe
C:\Windows\System\EVEYOdY.exe
C:\Windows\System\jgNUVjn.exe
C:\Windows\System\jgNUVjn.exe
C:\Windows\System\bNPDhdK.exe
C:\Windows\System\bNPDhdK.exe
C:\Windows\System\qovqMFe.exe
C:\Windows\System\qovqMFe.exe
C:\Windows\System\gKjrVQA.exe
C:\Windows\System\gKjrVQA.exe
C:\Windows\System\kuaCwXt.exe
C:\Windows\System\kuaCwXt.exe
C:\Windows\System\mRqntGl.exe
C:\Windows\System\mRqntGl.exe
C:\Windows\System\MKZSvtY.exe
C:\Windows\System\MKZSvtY.exe
C:\Windows\System\AjLkJPC.exe
C:\Windows\System\AjLkJPC.exe
C:\Windows\System\XuAiQVQ.exe
C:\Windows\System\XuAiQVQ.exe
C:\Windows\System\gFTDBYB.exe
C:\Windows\System\gFTDBYB.exe
C:\Windows\System\KZLFmZL.exe
C:\Windows\System\KZLFmZL.exe
C:\Windows\System\XmMZceg.exe
C:\Windows\System\XmMZceg.exe
C:\Windows\System\mrdcjnH.exe
C:\Windows\System\mrdcjnH.exe
C:\Windows\System\zrBrvyw.exe
C:\Windows\System\zrBrvyw.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4612-0-0x00007FF6E9010000-0x00007FF6E9364000-memory.dmp
memory/4612-1-0x000001A1856F0000-0x000001A185700000-memory.dmp
C:\Windows\System\VhWtUqm.exe
| MD5 | 0100ed89ca85ca6cc934570271909710 |
| SHA1 | 5e4a78b3492b72319b540476f4fddd32cfc23fe9 |
| SHA256 | 85d642d0e0880e9458b27f273d35186aa4732b5151d06c2871f7a3011aa39f8a |
| SHA512 | 11369124a37cb3266897c41915e56c24a390e1c31a0c41878bd3599e88a689591177104c796253a7841a601f76751696a35be9cfef40a188b9829607c6751bd9 |
memory/4892-8-0x00007FF6288D0000-0x00007FF628C24000-memory.dmp
C:\Windows\System\pAFmoFY.exe
| MD5 | b0127299f797cb7bd681d12fa6dab5ff |
| SHA1 | aacf63bfb99664e16b4a8627932d2d049b63517c |
| SHA256 | 0b9a1c3dccf5b1af7bc6a5667d5c62792a49d10529e505711b778f45973c2693 |
| SHA512 | 7852a19b241883a395c23924874bd741f113ff345ea1af87fd6ba9ba55b0cc265cc25d3b42ad03a0ce6cfa5ede6da06625e647daf809aaedcce45f02042bfb02 |
C:\Windows\System\ZNRAYqg.exe
| MD5 | bdc8ec587c9592411e85a4c7179f4c12 |
| SHA1 | 09c71b12fe6f8630efe110f8312986e2107cfa1f |
| SHA256 | 943f8681659e19da74dcf1ffd2447eb01cbeb008f5f3419e160e5f1002a81890 |
| SHA512 | a4601201729a74365050b9510f5ccecd91a9d97106a76b439e0d6884937be64a89c011fcc5f3abb1362315725827b54622dadeab08b8f95b5c509022ea0399b7 |
memory/2280-14-0x00007FF683B90000-0x00007FF683EE4000-memory.dmp
memory/4896-20-0x00007FF724DA0000-0x00007FF7250F4000-memory.dmp
C:\Windows\System\FbClxMG.exe
| MD5 | 78ad31ea7881758071a52c3966f27883 |
| SHA1 | e1fbf9c111e63c525f649aa57a8badea9d888870 |
| SHA256 | 17c1ef031ceb4c6be63a119b9052ab8ff5348d51beed930fb022705ff791c7df |
| SHA512 | b943e171acdbe12ffff845f20015eb81e8b96133a12d1510b77a1b42c2dd5b67e3b829b00feb520c0e23ee97f8143530f00a2404e551cd78fb676472cdade0e5 |
C:\Windows\System\cTIQZfP.exe
| MD5 | 5c71b5b79d7001baee359e39aad94b38 |
| SHA1 | 63a34dd07310630308e1645c678164140887ecde |
| SHA256 | a94dcbe1e3981f47ffdb4bbafd014add391a2579b37ff056b71de14d8691caed |
| SHA512 | cfb31b71d25668be2d022c402eceb68ad7088406d6f4bf14f19e609266635df44425aa3b981c2fd09ebfd74ccb5f462144a98a384cb151b0589470ade3867107 |
memory/4256-30-0x00007FF6B5EF0000-0x00007FF6B6244000-memory.dmp
C:\Windows\System\MvmxSFO.exe
| MD5 | 1d9dd2919111dd9f3bfabf9e80584386 |
| SHA1 | 41400fc2ecd2ed52a67053298bb17e567416e115 |
| SHA256 | 14c03cb6e6e598a544b6c1d2a08179923a4e969c0d6bd257fc898e69eb745d5b |
| SHA512 | 320843660e280c2af163eaabd84c322ca9db518824361e6f11dff997e7663372d2a7db0f5532df7a42754abdce8c371ae265eb104584eae15ee31c03bc5e9afc |
C:\Windows\System\jgNUVjn.exe
| MD5 | 705eeebe0dbe59d458eedb91aaf080ce |
| SHA1 | 0a4c7a3fae9ace2503404ba7c2a5df4ed65539a9 |
| SHA256 | 37f17c085cd9b04e05f553e100bddfa4603644fe878f9655a37e339eebc1cba7 |
| SHA512 | c8fc5b85df87b8d634a4203cbb6f0d772bfcac88f37e4dd75a4206092d4326ca5dfa26a4b676df8c70430934ffde38bc5e4b52ff7931e9b2dcd90aeeab38ee9f |
C:\Windows\System\gKjrVQA.exe
| MD5 | e90dd655ca19fca58cbf5bdf97323c0c |
| SHA1 | 047a0d9076969b34d8f13c4f2d48f38258dd5f8c |
| SHA256 | 7b85a3ac91ed9dea9392ae106b4bac4fe85cba7a52c37ce75273cc1440f1d1b8 |
| SHA512 | 4fb7d60ed3211ba8572ded330ae1f26399520215b0b46d32eb51ee278fb357bde14dfe7174b9d95a8869c5bbb53d276965a4242c782b7480649fa328a2e55a04 |
memory/4892-69-0x00007FF6288D0000-0x00007FF628C24000-memory.dmp
memory/4208-70-0x00007FF79CA00000-0x00007FF79CD54000-memory.dmp
memory/2300-65-0x00007FF7A5CD0000-0x00007FF7A6024000-memory.dmp
C:\Windows\System\qovqMFe.exe
| MD5 | 58c1e6e18ccec45d6d879e861730424d |
| SHA1 | 53118d970a4e39eebced1c55a27c5e996914a982 |
| SHA256 | cb39a2da033074d851c84675ecc539970a7c926b939d80fe3cd639e0b922d7f5 |
| SHA512 | b0c723e5551d7854706c2ffbc2fc96b9cc8ac18c8b278dd19301c28833e6778161b7fa7023b4190c72b9bb568b458eae651a53b7c948e224636dd024d3104bc1 |
memory/4612-59-0x00007FF6E9010000-0x00007FF6E9364000-memory.dmp
memory/1072-58-0x00007FF79F230000-0x00007FF79F584000-memory.dmp
C:\Windows\System\bNPDhdK.exe
| MD5 | 208dafa074ac123d00c12fe271a57d0a |
| SHA1 | 930d77c9250f26ccb1c1d33f9380500dc4c533e0 |
| SHA256 | 4ba1d706e8b2d347c0d2b40ff36a58f51a692bc7454a32fe9649f330c9aa7a7c |
| SHA512 | 89f427a50a5f13283c166ec3d3eba3d0614b61920042e56cf127f4d6c3cff039f75411dc9865f57f4e145e2e26cc4faf13c9c732cc82afc57e65677afb2b03ba |
memory/2616-50-0x00007FF750A20000-0x00007FF750D74000-memory.dmp
C:\Windows\System\EVEYOdY.exe
| MD5 | 2192f64625de8bd09eb425b5301a53b3 |
| SHA1 | 81745742c0e2e52aa5e0024579df1ed049630a0e |
| SHA256 | 117f07a23d113bc08d670c6da11fd8a42773dfe616f0c642dd38ad3b8b6fc188 |
| SHA512 | 919e65ecafb5947f4ad15bc02a49173f3065035e3893aab5edb163a6cd0961b4f9476900a8537ac953665c3f51f1e5f21ab913255b2ec3843c71a91b2d72b637 |
memory/4024-44-0x00007FF659E80000-0x00007FF65A1D4000-memory.dmp
memory/4156-38-0x00007FF708160000-0x00007FF7084B4000-memory.dmp
memory/1004-80-0x00007FF648320000-0x00007FF648674000-memory.dmp
memory/2712-83-0x00007FF6121A0000-0x00007FF6124F4000-memory.dmp
memory/2868-115-0x00007FF7F5E50000-0x00007FF7F61A4000-memory.dmp
C:\Windows\System\mrdcjnH.exe
| MD5 | 7edc3c51d81942541062a40612988b76 |
| SHA1 | 82622a401fa47cfd39f9756eee95967d64048cdb |
| SHA256 | 4e7e40681a98167046dfe9e4d1e264eb642d0d0772e16fc970976387727cac01 |
| SHA512 | e0be8d7cd2756fb5c43e41e4d6b08fb23e584ff1c0d870584a2b0de66962451305233c200a5f8267e5889a03e7541b4c3d376dc2c8d766cbfd9a866372fa2b04 |
memory/2616-125-0x00007FF750A20000-0x00007FF750D74000-memory.dmp
C:\Windows\System\zrBrvyw.exe
| MD5 | 6cd961357a4249f5aa062c35d0e8eb56 |
| SHA1 | 4fb9e4acd1a8ed9e91ea585205b01de461b6bac2 |
| SHA256 | ec6f2bbdf4286454a52c024eb5ffe76f49d42ebed05399b97282b5bebd10b677 |
| SHA512 | 25a07031e308207984c8d034f13bb9eb42e28b6ee52e33742d216f28898c553052ab40bd0656ee641bce89fc50e40b6ba90196199b8820da8d69cd08c9a28b8c |
memory/1768-133-0x00007FF7BF670000-0x00007FF7BF9C4000-memory.dmp
memory/1072-132-0x00007FF79F230000-0x00007FF79F584000-memory.dmp
memory/4116-131-0x00007FF65BA40000-0x00007FF65BD94000-memory.dmp
memory/1940-124-0x00007FF7872C0000-0x00007FF787614000-memory.dmp
memory/2708-121-0x00007FF6B6870000-0x00007FF6B6BC4000-memory.dmp
C:\Windows\System\XmMZceg.exe
| MD5 | 1de31ea9beea17367eb250ef6264c9af |
| SHA1 | b1ae33c0956f2c4ab5f14fb2348a11527f6ad796 |
| SHA256 | 2d699c3d301c0fb12c15e40cfb87b3a7c2ae5d6ad3379ee16c5399a931dbdb26 |
| SHA512 | 0f6bae68fab302e9b5d6e662b1a4f7b1e22c9b4c165af291e01e9602e507dc66120e77f605821181ecfe40661a52d17098cebadc4e2ae50847b3b800c24223df |
C:\Windows\System\KZLFmZL.exe
| MD5 | cd8a478ee3e049c8a1e4fbc4752b6b83 |
| SHA1 | 58a992a49c1f91f89b9dafa89ed31aca73e0dd8e |
| SHA256 | 27070b9d706835898dae6c7abc29f0c220156d048433edf3b8d0ffecbed10c89 |
| SHA512 | f0b0c82d1435919ba0b075489cc3833f3c8f6e13364411af93201007ae7723fbf2d855988dd1c75edb05b0a8169b478b2f2c2cf8a2a06aeba3caa0cf240624cd |
memory/2292-113-0x00007FF6157B0000-0x00007FF615B04000-memory.dmp
C:\Windows\System\gFTDBYB.exe
| MD5 | fe928464de8d5c2f66f49ee7502e04f3 |
| SHA1 | 23a1a134cf0ec715c3076d25e05a091535cdb429 |
| SHA256 | 05ad5afd509c61767a9c27670f662d4b2715ace8d825fc3b631717a3a7d3a7be |
| SHA512 | 34ad223da3d624b52dec9217f70dec63d19cf103f0800c47d5094df7d0c083c6fb0ce9e549a538edf48e3173aa942ae8e42fbf587f3c34c9b1235a864360ecce |
memory/4024-107-0x00007FF659E80000-0x00007FF65A1D4000-memory.dmp
memory/4156-106-0x00007FF708160000-0x00007FF7084B4000-memory.dmp
C:\Windows\System\XuAiQVQ.exe
| MD5 | 124c950ae78f448f63a9a44787f405c3 |
| SHA1 | c84522c446af821dd59f3b0d5f3308b6af780c00 |
| SHA256 | 843ce5175d1f0c3281ccc62c50df2318a8d57c137466f8684a9cfb4438e90869 |
| SHA512 | 8f95a15d007c03d205756132ffbc884818641b874c87bb73e10cd10b760c1a1debcdfe620fdb67a51e89490de80bd8d422ac717bf07e0c50dd4c0cc058db2b89 |
memory/2216-98-0x00007FF6FD070000-0x00007FF6FD3C4000-memory.dmp
memory/4256-93-0x00007FF6B5EF0000-0x00007FF6B6244000-memory.dmp
C:\Windows\System\AjLkJPC.exe
| MD5 | c90e3d285dde457c334949a87667cbb2 |
| SHA1 | 0f700664d3e736a0b9c8159acabafe615bb031ca |
| SHA256 | 55fefc5b5afe80b56a060ac8c154de86114b630add8cbb1dcf0a9ea52f756fc8 |
| SHA512 | e06d8ef9116a55110f29cc4dd87842bc8e322e18e36fae77a3da13993b033de6f5bafe33325d5ede3bdcdac81ed702b1c9cf4b116765a42283b3dbab91182012 |
C:\Windows\System\MKZSvtY.exe
| MD5 | 182fc86a57c54b602e536edf176ebbf9 |
| SHA1 | 5facedafd825d7f6309b9a34e48fd9531b4e37cf |
| SHA256 | 613c78104e5d75cb74ec0bacfa2cef593e6295732d11029797b679dbb5af9df7 |
| SHA512 | 72084e11dcc41eaa7d9b2d26dc64edf58898c6d324f2102b429392be4d4e2e2302bb1ce7efd97cc8b6a049d3ea90e52b8f9c71773b676d8a873ae4f1f158c9c5 |
memory/5116-87-0x00007FF798430000-0x00007FF798784000-memory.dmp
memory/4896-82-0x00007FF724DA0000-0x00007FF7250F4000-memory.dmp
C:\Windows\System\mRqntGl.exe
| MD5 | a06132dc81d54ee139e985d31e1877f9 |
| SHA1 | d3efd3c8396985e79c67d6e9967148353be64660 |
| SHA256 | cc51e3e73b7a7cba13e4b7102e46c459170c3f686848140fe0d7b36113adc609 |
| SHA512 | 7264dbdfa10b0def34f317ff576d8299ccae0764c253ddbbc9c7a2bb0694d2b004413b67ddd754dc0bca73a390a85b151c8d387dd5113e4c4f63e73b6420ba9e |
C:\Windows\System\kuaCwXt.exe
| MD5 | 170a47f9b4a1dc7eb15bea2c43292a41 |
| SHA1 | fecde0ca5a01c6f254cae05c30be2e5b9f032b35 |
| SHA256 | 9713dddeb97eefe481abca3573ac93f5fd761caafda183f3df1a3f36157bda35 |
| SHA512 | 0222c9df203bdc27d82429d961dca6a7c6105ebed7c89448a2c4ae86106ead1ea55ba49361791417becfad44545319986372bf73d97733ef85cff39c55e41711 |
memory/4284-26-0x00007FF76A7F0000-0x00007FF76AB44000-memory.dmp
memory/2300-136-0x00007FF7A5CD0000-0x00007FF7A6024000-memory.dmp
memory/5116-137-0x00007FF798430000-0x00007FF798784000-memory.dmp
memory/2216-138-0x00007FF6FD070000-0x00007FF6FD3C4000-memory.dmp
memory/2868-139-0x00007FF7F5E50000-0x00007FF7F61A4000-memory.dmp
memory/1768-140-0x00007FF7BF670000-0x00007FF7BF9C4000-memory.dmp
memory/4892-141-0x00007FF6288D0000-0x00007FF628C24000-memory.dmp
memory/2280-142-0x00007FF683B90000-0x00007FF683EE4000-memory.dmp
memory/4896-143-0x00007FF724DA0000-0x00007FF7250F4000-memory.dmp
memory/4284-144-0x00007FF76A7F0000-0x00007FF76AB44000-memory.dmp
memory/4256-145-0x00007FF6B5EF0000-0x00007FF6B6244000-memory.dmp
memory/4156-146-0x00007FF708160000-0x00007FF7084B4000-memory.dmp
memory/4024-147-0x00007FF659E80000-0x00007FF65A1D4000-memory.dmp
memory/2616-149-0x00007FF750A20000-0x00007FF750D74000-memory.dmp
memory/4208-151-0x00007FF79CA00000-0x00007FF79CD54000-memory.dmp
memory/2300-150-0x00007FF7A5CD0000-0x00007FF7A6024000-memory.dmp
memory/1072-148-0x00007FF79F230000-0x00007FF79F584000-memory.dmp
memory/1004-152-0x00007FF648320000-0x00007FF648674000-memory.dmp
memory/2712-153-0x00007FF6121A0000-0x00007FF6124F4000-memory.dmp
memory/2216-155-0x00007FF6FD070000-0x00007FF6FD3C4000-memory.dmp
memory/2292-156-0x00007FF6157B0000-0x00007FF615B04000-memory.dmp
memory/5116-154-0x00007FF798430000-0x00007FF798784000-memory.dmp
memory/2708-157-0x00007FF6B6870000-0x00007FF6B6BC4000-memory.dmp
memory/1940-159-0x00007FF7872C0000-0x00007FF787614000-memory.dmp
memory/2868-158-0x00007FF7F5E50000-0x00007FF7F61A4000-memory.dmp
memory/4116-160-0x00007FF65BA40000-0x00007FF65BD94000-memory.dmp
memory/1768-161-0x00007FF7BF670000-0x00007FF7BF9C4000-memory.dmp