Analysis Overview
SHA256
f160177f543ca6ab008a5b1701414de51726e418b5e3a27b73048776d235ee42
Threat Level: Known bad
The file 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobaltstrike
Detects Reflective DLL injection artifacts
xmrig
Cobaltstrike family
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Xmrig family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-07 00:33
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 00:33
Reported
2024-06-07 00:41
Platform
win7-20231129-en
Max time kernel
133s
Max time network
143s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZWWHgvh.exe | N/A |
| N/A | N/A | C:\Windows\System\ssKIOYz.exe | N/A |
| N/A | N/A | C:\Windows\System\LVYHduv.exe | N/A |
| N/A | N/A | C:\Windows\System\UHAiqUV.exe | N/A |
| N/A | N/A | C:\Windows\System\xcWJwgA.exe | N/A |
| N/A | N/A | C:\Windows\System\AUWiRwX.exe | N/A |
| N/A | N/A | C:\Windows\System\nduGlfI.exe | N/A |
| N/A | N/A | C:\Windows\System\hgRgYao.exe | N/A |
| N/A | N/A | C:\Windows\System\GiTBmZi.exe | N/A |
| N/A | N/A | C:\Windows\System\UaRkdvH.exe | N/A |
| N/A | N/A | C:\Windows\System\FJygThd.exe | N/A |
| N/A | N/A | C:\Windows\System\KmDBUtn.exe | N/A |
| N/A | N/A | C:\Windows\System\LpyUcog.exe | N/A |
| N/A | N/A | C:\Windows\System\NvgScMj.exe | N/A |
| N/A | N/A | C:\Windows\System\auNCmEh.exe | N/A |
| N/A | N/A | C:\Windows\System\MVnNppt.exe | N/A |
| N/A | N/A | C:\Windows\System\pORdPTn.exe | N/A |
| N/A | N/A | C:\Windows\System\FpWkxbn.exe | N/A |
| N/A | N/A | C:\Windows\System\StPcVvv.exe | N/A |
| N/A | N/A | C:\Windows\System\yLvXuyS.exe | N/A |
| N/A | N/A | C:\Windows\System\CWWDuIR.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\ZWWHgvh.exe | C:\Windows\System\ZWWHgvh.exe |
| C:\Windows\System\ssKIOYz.exe | C:\Windows\System\ssKIOYz.exe |
| C:\Windows\System\LVYHduv.exe | C:\Windows\System\LVYHduv.exe |
| C:\Windows\System\UHAiqUV.exe | C:\Windows\System\UHAiqUV.exe |
| C:\Windows\System\xcWJwgA.exe | C:\Windows\System\xcWJwgA.exe |
| C:\Windows\System\AUWiRwX.exe | C:\Windows\System\AUWiRwX.exe |
| C:\Windows\System\nduGlfI.exe | C:\Windows\System\nduGlfI.exe |
| C:\Windows\System\hgRgYao.exe | C:\Windows\System\hgRgYao.exe |
| C:\Windows\System\GiTBmZi.exe | C:\Windows\System\GiTBmZi.exe |
| C:\Windows\System\UaRkdvH.exe | C:\Windows\System\UaRkdvH.exe |
| C:\Windows\System\FJygThd.exe | C:\Windows\System\FJygThd.exe |
| C:\Windows\System\KmDBUtn.exe | C:\Windows\System\KmDBUtn.exe |
| C:\Windows\System\LpyUcog.exe | C:\Windows\System\LpyUcog.exe |
| C:\Windows\System\NvgScMj.exe | C:\Windows\System\NvgScMj.exe |
| C:\Windows\System\auNCmEh.exe | C:\Windows\System\auNCmEh.exe |
| C:\Windows\System\MVnNppt.exe | C:\Windows\System\MVnNppt.exe |
| C:\Windows\System\pORdPTn.exe | C:\Windows\System\pORdPTn.exe |
| C:\Windows\System\FpWkxbn.exe | C:\Windows\System\FpWkxbn.exe |
| C:\Windows\System\StPcVvv.exe | C:\Windows\System\StPcVvv.exe |
| C:\Windows\System\yLvXuyS.exe | C:\Windows\System\yLvXuyS.exe |
| C:\Windows\System\CWWDuIR.exe | C:\Windows\System\CWWDuIR.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-07 00:33
Reported
2024-06-07 00:41
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZWWHgvh.exe | N/A |
| N/A | N/A | C:\Windows\System\ssKIOYz.exe | N/A |
| N/A | N/A | C:\Windows\System\LVYHduv.exe | N/A |
| N/A | N/A | C:\Windows\System\UHAiqUV.exe | N/A |
| N/A | N/A | C:\Windows\System\xcWJwgA.exe | N/A |
| N/A | N/A | C:\Windows\System\AUWiRwX.exe | N/A |
| N/A | N/A | C:\Windows\System\nduGlfI.exe | N/A |
| N/A | N/A | C:\Windows\System\hgRgYao.exe | N/A |
| N/A | N/A | C:\Windows\System\GiTBmZi.exe | N/A |
| N/A | N/A | C:\Windows\System\UaRkdvH.exe | N/A |
| N/A | N/A | C:\Windows\System\FJygThd.exe | N/A |
| N/A | N/A | C:\Windows\System\KmDBUtn.exe | N/A |
| N/A | N/A | C:\Windows\System\LpyUcog.exe | N/A |
| N/A | N/A | C:\Windows\System\NvgScMj.exe | N/A |
| N/A | N/A | C:\Windows\System\auNCmEh.exe | N/A |
| N/A | N/A | C:\Windows\System\MVnNppt.exe | N/A |
| N/A | N/A | C:\Windows\System\FpWkxbn.exe | N/A |
| N/A | N/A | C:\Windows\System\pORdPTn.exe | N/A |
| N/A | N/A | C:\Windows\System\StPcVvv.exe | N/A |
| N/A | N/A | C:\Windows\System\yLvXuyS.exe | N/A |
| N/A | N/A | C:\Windows\System\CWWDuIR.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\ZWWHgvh.exe | C:\Windows\System\ZWWHgvh.exe |
| C:\Windows\System\ssKIOYz.exe | C:\Windows\System\ssKIOYz.exe |
| C:\Windows\System\LVYHduv.exe | C:\Windows\System\LVYHduv.exe |
| C:\Windows\System\UHAiqUV.exe | C:\Windows\System\UHAiqUV.exe |
| C:\Windows\System\xcWJwgA.exe | C:\Windows\System\xcWJwgA.exe |
| C:\Windows\System\AUWiRwX.exe | C:\Windows\System\AUWiRwX.exe |
| C:\Windows\System\nduGlfI.exe | C:\Windows\System\nduGlfI.exe |
| C:\Windows\System\hgRgYao.exe | C:\Windows\System\hgRgYao.exe |
| C:\Windows\System\GiTBmZi.exe | C:\Windows\System\GiTBmZi.exe |
| C:\Windows\System\UaRkdvH.exe | C:\Windows\System\UaRkdvH.exe |
| C:\Windows\System\FJygThd.exe | C:\Windows\System\FJygThd.exe |
| C:\Windows\System\KmDBUtn.exe | C:\Windows\System\KmDBUtn.exe |
| C:\Windows\System\LpyUcog.exe | C:\Windows\System\LpyUcog.exe |
| C:\Windows\System\NvgScMj.exe | C:\Windows\System\NvgScMj.exe |
| C:\Windows\System\auNCmEh.exe | C:\Windows\System\auNCmEh.exe |
| C:\Windows\System\MVnNppt.exe | C:\Windows\System\MVnNppt.exe |
| C:\Windows\System\pORdPTn.exe | C:\Windows\System\pORdPTn.exe |
| C:\Windows\System\FpWkxbn.exe | C:\Windows\System\FpWkxbn.exe |
| C:\Windows\System\StPcVvv.exe | C:\Windows\System\StPcVvv.exe |
| C:\Windows\System\yLvXuyS.exe | C:\Windows\System\yLvXuyS.exe |
| C:\Windows\System\CWWDuIR.exe | C:\Windows\System\CWWDuIR.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.137:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4816-0-0x00007FF687CF0000-0x00007FF688044000-memory.dmp
memory/4816-1-0x000002198C7E0000-0x000002198C7F0000-memory.dmp
C:\Windows\System\ZWWHgvh.exe
| MD5 | 6dc83771bd34c0b735d044a5cabe0528 |
| SHA1 | c3c08e81bbd3afa0f0e9c8833b24301005bb1db9 |
| SHA256 | 1581476c88b902c72f245977290123f6aa64a88700aadbbd5946cddcffe461d8 |
| SHA512 | 9ab9bd1e3eb48e7d449c622a76f5b4b337f43d7538f96dd7d0b5b6c3ab43aa597e2795da0ae75e7e18436530208f4d2fb48e722e5b3abb949774b66cc50732a0 |
memory/4056-8-0x00007FF623F50000-0x00007FF6242A4000-memory.dmp
C:\Windows\System\ssKIOYz.exe
| MD5 | 94a3abbac37eb4e74f0d27d1a6130281 |
| SHA1 | 5956452c83f48eec4b571dc56e9968e7381d54f6 |
| SHA256 | f0afa8843922db1372ead1ab37e67873ca94d89d63ffba1f3da2f2e18046ff92 |
| SHA512 | ddb420aac458b545e5c7c57694766e4fc4f89852b3547cf7b541847c36207d616cd53dea27b449d79e83524b524ea043912511f0d1b11770ac1281a00350edcf |
C:\Windows\System\LVYHduv.exe
| MD5 | 6c805e00f83305a937f2312347d47082 |
| SHA1 | c5be3170e02d791cb5b3a9d35869904026aa547d |
| SHA256 | dc87431afebaed54cbbe7684f35337701d01917e1ca1ade8d5c88ce77c143825 |
| SHA512 | 6570961e04c7257cd20b76a8289ebc83d214079a8ff6df2c26aaaea636a01f8d501a95e34605ae98e072e4e27cb1f3b8fb44823f289ac77700a906e4c1768751 |
memory/4516-14-0x00007FF6BE5F0000-0x00007FF6BE944000-memory.dmp
memory/4788-22-0x00007FF6713E0000-0x00007FF671734000-memory.dmp
C:\Windows\System\UHAiqUV.exe
| MD5 | 40f6e6fd0b8d8114c0264e8ebf295ffe |
| SHA1 | 572f7d525ef176ba0f84b353ff628612afe427fa |
| SHA256 | efe2051ae2d11bee31c7cb4d17ad22f47a0d66221bff15a721dc5cb53a717e01 |
| SHA512 | 68bdfdcb0308b99243160793f467959fafb582e706e8b90cdc1860b63e5b549ba7584cab4c39a89c80c5344768ff97b6486a26cdadb126b4afcd2c8c230d3e1c |
C:\Windows\System\xcWJwgA.exe
| MD5 | c20e906475cab36301e4d1d43fda0a86 |
| SHA1 | d8f00e6bb84b399d6a9ae48b8f12d9eddb6270f1 |
| SHA256 | 879de8fa4318301ceb81985239a37446b8ab8f6e0679b0bf2b1eac1370a7a8b7 |
| SHA512 | 1f565d4f05acdec85d23b18116506faf5546f3d1eb13ed095631cf305ab24a05e17c64feede078cb8957145fe7315a7a7601d1088364525a32acbf97745becdb |
memory/4984-40-0x00007FF651920000-0x00007FF651C74000-memory.dmp
C:\Windows\System\AUWiRwX.exe
| MD5 | b68e9afecafc39e6c42b76b58b1b7217 |
| SHA1 | bcaeaa90aef7e44d6b02743a1be6b9a5969dd2d7 |
| SHA256 | c6d267fddf7d37104449370d685cfeece60bb3917ad8f4911a18efe2f73940ae |
| SHA512 | 8a70867717ac9e2f486dd4d44a04ec21f900bf5ae508e96f98f9da331e2d542c468da42ad8d6b75255cf2cff825e472e53212da0f8f95c5d1e1774112a42a908 |
memory/1412-43-0x00007FF6CAF40000-0x00007FF6CB294000-memory.dmp
C:\Windows\System\nduGlfI.exe
| MD5 | 4467ea20160ff6bb5412b9faceddd279 |
| SHA1 | 98a0c4856213277d03023a14eaa670e3bf5713ff |
| SHA256 | 6201f168d62b86426d5a9d4465c331651b757f6083e5dc0f4e8b14e37bc141f4 |
| SHA512 | 231d073087bf06902f6f8c52473cbf4515882284902ec50ba6c28866d22016aa041e5e56b9827b60ccc9dd0f923fb69a263c9542854e0e02e9583a8923cf2ede |
memory/1872-30-0x00007FF71F7C0000-0x00007FF71FB14000-memory.dmp
memory/2232-29-0x00007FF7F4DD0000-0x00007FF7F5124000-memory.dmp
C:\Windows\System\hgRgYao.exe
| MD5 | cf25ade0435a0dbb5332aa5d8ca112bb |
| SHA1 | 444f6c0d4cd089b8e5aba4f021872e152ec42863 |
| SHA256 | 2fbc47f74993a2e30d4108adc878d6c20597d97c687456300eb22e010b303a26 |
| SHA512 | 2b9a78f315e4982b5d558bcf91059f85e4e77b0878f6dddb6a2a9d7ca9e9062fcd55a8b074d700776a422eb3f1c7d1449acd9f8f363f1e63042b7f48a49cee74 |
memory/1884-51-0x00007FF7BE160000-0x00007FF7BE4B4000-memory.dmp
C:\Windows\System\GiTBmZi.exe
| MD5 | 2e6aa64ce2c544b8fd992564509344c9 |
| SHA1 | 1406eb8284965b31362a2edcc6290d69c37cf4ed |
| SHA256 | d2313e7e864889f22892663b09f4f8e6bd5d82269ffb21c70f6b03c5486e886b |
| SHA512 | 4ef67bfaaf610444f6275d96caad998945b69775a0ad1cbfd55ad41286e970edb2c38483136804145222819770ab266dee7808a6b72be95a57cb4600adc48a43 |
C:\Windows\System\UaRkdvH.exe
| MD5 | b0446695b4f6959fd89a363b056867e1 |
| SHA1 | a151e9cc9c24cdebc07f104d747406379efe19cd |
| SHA256 | ce470b3d75e279b518ce166ee9bbc38db16bea110ec8fb660a2c550d54c2e1ca |
| SHA512 | c86dc9b22ad90229c44185eb4e4950e1ab7d56741a7b48345cd57d5c9da0e8462ca09523b4069b58300170180b1a9e074d18956838a56f1c1427c1503d07190c |
memory/628-54-0x00007FF60BD20000-0x00007FF60C074000-memory.dmp
C:\Windows\System\FJygThd.exe
| MD5 | 26709e6a1902bfb57b0a6ddd4148d69d |
| SHA1 | 512d5eb5ae5a134f028a8bb964529406aba51c4c |
| SHA256 | ab501302b4b55ad82871dcac7c18661a132c12bc9d50eb2134c9f96ea24e4906 |
| SHA512 | c1e54c76a1581b974b3e9b961e69ff1ebf27385e99e423c0bbd519796977b7c8a5237feb4b388bb239b91e3f9185a454360053540faceba37534eb1f0c8b9e03 |
C:\Windows\System\KmDBUtn.exe
| MD5 | 59b126bb958f1cdb7fb9ddabc4630fe3 |
| SHA1 | d523676e52a53e6762cf1f3d2079c88a93eaab5a |
| SHA256 | 74b91df4076e8a0048aa30b310f5cea946738c6cbb55c0c589643dd4778e7cb6 |
| SHA512 | 007082c799cdc7b8e8cf8503e1fbbcce6d269006d200bd279c82af8c753c45ab5412b1d06bd6092829fb65f7797ed438cde2f8efa050d04dc4a22f978bb5dbc4 |
memory/3764-74-0x00007FF744460000-0x00007FF7447B4000-memory.dmp
C:\Windows\System\LpyUcog.exe
| MD5 | 700f275fa85ed6a694cc643a3e6b2d07 |
| SHA1 | 81d7f0b5782d4650c1ffc7f4ce129e2628efd0f3 |
| SHA256 | 9e676c985bfc2e0eebd92922b559476103dfa5b924653ac6ceb075c9d642299f |
| SHA512 | b94579b0ff3aa24dcf186b42ebb4cd1eb44ffa1cdd3f47e6b1a391d05e5994b7ad5eba921b0a20caed26a34ea5b55ddc1e96e64aab45e1e6708d46d079f15944 |
memory/4076-83-0x00007FF767D90000-0x00007FF7680E4000-memory.dmp
C:\Windows\System\NvgScMj.exe
| MD5 | 4fa57d94e87818451d29b658dfb412c1 |
| SHA1 | 17edf909b660f59505d8817a6d69bf931d0d3c54 |
| SHA256 | a182fd97fc5dcdc170236d17b5290cbfc6faaf8262d884d37b85b2bff7f9e22d |
| SHA512 | e322fbca930b16bfaabb8d61d45535193badcb64be3a5d50a8a06cce2fce6c40eb077da106b64fd144138d87b80eb7fd8dbb43aff2afa1200cb2494ae3466adc |
C:\Windows\System\auNCmEh.exe
| MD5 | 6e90578b95960481c13b28accf9c926b |
| SHA1 | 16a65c9ca4a38e3922edefd0c24cec5aa4938f5d |
| SHA256 | f13e4b24b54b734fdc77ddbbee8e084aedd434ba47675fe9ba005c98da90999e |
| SHA512 | 489c8e72b1c5915104dde3f136a2a75d3b1684bbe5584db6ae45c8841f361fb9f6224cfc278e805abb7a08171f197c308bf20fe233609a31565f2aed486c9614 |
memory/2232-91-0x00007FF7F4DD0000-0x00007FF7F5124000-memory.dmp
C:\Windows\System\MVnNppt.exe
| MD5 | 2999532dc35b49213ea1ffa0fdce5d12 |
| SHA1 | ef43e59a954e41cd0180ed84faad7585b07377db |
| SHA256 | 0ee4b22749bab39e71bc09cb3061d879611cd302ace5f52d0ee39806fc242cfa |
| SHA512 | 3390b1a0356277742902797504aa40220556ffc2c1668d719d4a11fe617a089d12a6483eb05a231e0f0e41e230164474503313859fb63fd87f30bf0df1935ba3 |
C:\Windows\System\FpWkxbn.exe
| MD5 | dd7b50e7a9d673d4f6ea2a8aebb653b4 |
| SHA1 | e68d74f4ece5da48268104acc8046fc2f6115256 |
| SHA256 | 45fd5bc069bb30a9d182a24531584b2efda2092e55b81c9e000fcd1e17cf5515 |
| SHA512 | cd9e34b703dcea778f9e8eed8a1271316c76e139a3fd859b1a1ba6734182b495d8d91381cbbafd1be1288f03bc1d8ed5372552550c1472f06b01734b280e147b |
memory/3360-104-0x00007FF7710A0000-0x00007FF7713F4000-memory.dmp
C:\Windows\System\pORdPTn.exe
| MD5 | 56abc6ad9643b8fe62edf9ef9f04e50a |
| SHA1 | 9652514e975f34b101d3c6acad75aec1f8dd60fb |
| SHA256 | 7c53dbb34ed851c5084692e8e0b0391ee63ffe1129750c9180a484155b96c320 |
| SHA512 | bdfaa5bd7ba7d6d5128839cb38980b3fb742b05540dce1db5f82cb03e9ecc78438d74080ba6edb23ac74e710b93cf6cf2d89bf9a447dadac6d04168a6bf1000f |
C:\Windows\System\yLvXuyS.exe
| MD5 | 30f43c3a1e6da063073b05881e977fc9 |
| SHA1 | 7b0163e33f75832c9502dbfca11c64c520cfa97a |
| SHA256 | 18ce5cfc960c5f5c703f08c8a85aab00a26cda3d411aa5ef39e358667c2a3edb |
| SHA512 | ac0aa3347c0a5b9dca4dd072be353b918cc5a1cb94264aefdd63d2db504738a2f3d32b8a2649484920e3179cdc98f370b57038940d52c8530b4c807ebf9c001a |
C:\Windows\System\CWWDuIR.exe
| MD5 | 625ce47337ec454a33d1093ebb762a13 |
| SHA1 | ae84a5a7af055e1dcd1cfa215ed4e31329213bf9 |
| SHA256 | 282cb2c6e835d7fbf977167a0015c254c6f44d191b45362715a418fa0b1c1910 |
| SHA512 | a5e8a61c6450e5e1626fb9c41d48ecf1d923c7479852e4851e9cc9d9d7858d8bafec111b97d26417936ab43c946231ee3186a9980b45659b1912e80063179f2d |
C:\Windows\System\StPcVvv.exe
| MD5 | f915e06efeadac88efdfd3e9083ea9b0 |
| SHA1 | eb7a25ac21349c064327b490a1211bc8ebcccb9c |
| SHA256 | 64d48b71f5d88e54953c3aebfef3971a0c2398c2c707e6b7a16b8a4a85edaea0 |
| SHA512 | d92a4e537024ed0de9b519dba7abd20c712966ab336e35987add996ce478d20c0449c74c9011a7b430e56d361dd902e1a312da1a3817443e049a223f2443d0f8 |