Analysis Overview
SHA256
901f8912b343fe301814c1278bf706bbbf978dd4968c0c12bbb9c4fe06ef57ab
Threat Level: Known bad
The file 2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Families: Cobaltstrike, xmrig
Signatures:
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-07 01:00
Signatures
Each static signature below fired once; the report records no description, indicator, process or target for any of them.
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
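Two of the static signatures above, "UPX packed file" and "Unsigned PE", can be reproduced from the PE headers alone. The following is an added example, not the sandbox's own detection code: it walks the DOS header, COFF header, optional header data directories and section table, lists the section names (stock UPX leaves UPX0/UPX1) and reports whether the Authenticode directory (IMAGE_DIRECTORY_ENTRY_SECURITY, index 4) is populated. The PE bytes it builds with build_sample_pe are constructed for the example; the report's own file is not embedded here.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # index of the certificate-table (Authenticode) directory
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_pe(data: bytes) -> dict:
    """Read just enough of a PE image to answer the two static signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                # PE32
        num_rva_off, dir_off = 92, 96
    elif magic == 0x20B:                              # PE32+ (64-bit)
        num_rva_off, dir_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_rva = struct.unpack_from("<I", data, opt + num_rva_off)[0]
    sec_size = 0
    if num_rva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # The security directory holds a file offset (not an RVA) and size of the WIN_CERTIFICATE blob.
        _, sec_size = struct.unpack_from("<II", data, opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    table = opt + opt_size                            # section table starts right after the optional header
    sections = [struct.unpack_from("8s", data, table + 40 * i)[0].rstrip(b"\0") for i in range(nsections)]
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "sections": sections,
        "upx_packed": any(n in UPX_SECTION_NAMES for n in sections),
        "has_certificate_table": sec_size != 0,
    }


def build_sample_pe(section_names, signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the example; not a real sample and not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 + 16 * 8                           # PE32+ fixed fields + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)              # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    table = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    for names, signed in (([b"UPX0", b"UPX1", b".rsrc"], False), ([b".text", b".rdata", b".data"], True)):
        print(parse_pe(build_sample_pe(names, signed)))
```

Two caveats a practitioner should keep in mind: section names are trivially renamed, so the absence of UPX0/UPX1 proves nothing, which is why the report also carries a separate runtime "UPX dump on OEP" signature; and a populated certificate table only says a signature blob is attached, not that it verifies against a trusted chain.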
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 00:56
Reported
2024-06-07 01:03
Platform
win7-20240508-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader: 21 hits (no description, indicator, process or target recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts: 21 hits (no description, indicator, process or target recorded)
UPX dump on OEP (original entry point): 54 hits (no description, indicator, process or target recorded)
XMRig Miner payload: 59 hits (no description, indicator, process or target recorded)
Executes dropped EXE (21 processes; no description, indicator or target recorded)
| Process |
| C:\Windows\System\PxftWdA.exe |
| C:\Windows\System\jYRvaIy.exe |
| C:\Windows\System\HuFrfAY.exe |
| C:\Windows\System\YkMUdli.exe |
| C:\Windows\System\CrxLUMw.exe |
| C:\Windows\System\eXuzHFn.exe |
| C:\Windows\System\lbxXGNd.exe |
| C:\Windows\System\Nomofzt.exe |
| C:\Windows\System\VCqlqmF.exe |
| C:\Windows\System\wFCelRk.exe |
| C:\Windows\System\yQCsUmD.exe |
| C:\Windows\System\udICoVH.exe |
| C:\Windows\System\CrKkQCd.exe |
| C:\Windows\System\HBjYjMm.exe |
| C:\Windows\System\ocoVoby.exe |
| C:\Windows\System\SDMhvZF.exe |
| C:\Windows\System\cRjmnTg.exe |
| C:\Windows\System\FVoneKt.exe |
| C:\Windows\System\OJQUCbr.exe |
| C:\Windows\System\bRCgLDC.exe |
| C:\Windows\System\dXrohOk.exe |
Loads dropped DLL
UPX packed file: 54 hits (no description, indicator, process or target recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\PxftWdA.exe | C:\Windows\System\PxftWdA.exe |
| C:\Windows\System\jYRvaIy.exe | C:\Windows\System\jYRvaIy.exe |
| C:\Windows\System\HuFrfAY.exe | C:\Windows\System\HuFrfAY.exe |
| C:\Windows\System\YkMUdli.exe | C:\Windows\System\YkMUdli.exe |
| C:\Windows\System\CrxLUMw.exe | C:\Windows\System\CrxLUMw.exe |
| C:\Windows\System\eXuzHFn.exe | C:\Windows\System\eXuzHFn.exe |
| C:\Windows\System\lbxXGNd.exe | C:\Windows\System\lbxXGNd.exe |
| C:\Windows\System\Nomofzt.exe | C:\Windows\System\Nomofzt.exe |
| C:\Windows\System\VCqlqmF.exe | C:\Windows\System\VCqlqmF.exe |
| C:\Windows\System\wFCelRk.exe | C:\Windows\System\wFCelRk.exe |
| C:\Windows\System\yQCsUmD.exe | C:\Windows\System\yQCsUmD.exe |
| C:\Windows\System\udICoVH.exe | C:\Windows\System\udICoVH.exe |
| C:\Windows\System\CrKkQCd.exe | C:\Windows\System\CrKkQCd.exe |
| C:\Windows\System\ocoVoby.exe | C:\Windows\System\ocoVoby.exe |
| C:\Windows\System\HBjYjMm.exe | C:\Windows\System\HBjYjMm.exe |
| C:\Windows\System\OJQUCbr.exe | C:\Windows\System\OJQUCbr.exe |
| C:\Windows\System\SDMhvZF.exe | C:\Windows\System\SDMhvZF.exe |
| C:\Windows\System\bRCgLDC.exe | C:\Windows\System\bRCgLDC.exe |
| C:\Windows\System\cRjmnTg.exe | C:\Windows\System\cRjmnTg.exe |
| C:\Windows\System\dXrohOk.exe | C:\Windows\System\dXrohOk.exe |
| C:\Windows\System\FVoneKt.exe | C:\Windows\System\FVoneKt.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1924-0-0x000000013F440000-0x000000013F794000-memory.dmp
memory/1924-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\PxftWdA.exe
| MD5 | 2ba060f7c8c12395ef1670e48fadc092 |
| SHA1 | 544d518afe7a5c9eaec33c21dd9b1af8f08a881f |
| SHA256 | 0a3f9056f5bb3e71c70c28c216f96eb0045e09936b776da27922af498e83bd08 |
| SHA512 | fa722c8cb39ce79d68af71f0d4aa57010e21ea33c66ea586b04d674e761f5db9e0c714e937aaf512ddf093a0fd746a22984633370c5d93778b751f5e1889d62e |
\Windows\system\jYRvaIy.exe
| MD5 | 970f6f8c81bb1e109e7b1a9dc7f6d560 |
| SHA1 | 5b3fbb29089a923636fafaae1fbe2653bd7a070b |
| SHA256 | 964e6b67de000b9f3b357fe409812af26e7b1a592051925fde60652ccfde2b8e |
| SHA512 | cb63d04db617b190c6c2ceef5c13a5210d233abb6c74f9ee24b9741dbede23cfbf989f704547048e2139067e2d144c72f372929a9d842a1e6fe3d38434678b23 |
memory/1924-8-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/3040-13-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/1924-16-0x000000013FD90000-0x00000001400E4000-memory.dmp
C:\Windows\system\HuFrfAY.exe
| MD5 | 7e5e0fba2d05367612198c9c1473f985 |
| SHA1 | 08971a69403c7428ea84cb3c3e2ba30c62cd0878 |
| SHA256 | 98b424fb37668798374d65e4927b8fade42c55ba8abc94b94c2072a74e5e7ddf |
| SHA512 | adfceb8783efe311808773b94805e5ae9c58901e779da4a7b876abeca7b45891966bbf067f04b7e02baf48fb559746b21b2cc2dedf94ccf2db321f3ecb752bbf |
memory/2796-22-0x000000013F910000-0x000000013FC64000-memory.dmp
C:\Windows\system\YkMUdli.exe
| MD5 | a38372331de6de62a2c9a619bfb5e2a9 |
| SHA1 | b536bd6a2f42a5acf8c9f9f03f6ecd0a1019c8f7 |
| SHA256 | 12cc5555a8791af74993c495d9c0c10b061d180ee48a87da35129b44683b9c5d |
| SHA512 | 153559165cc99460a57718c5f3273224fdeae79df67ad7efbe15d246267893d916d8cfcb8d66286af2d31df6e090520b9e3e7c694ac30c1703f9cdf4513e2e08 |
memory/1924-35-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/2648-49-0x000000013F4B0000-0x000000013F804000-memory.dmp
C:\Windows\system\eXuzHFn.exe
| MD5 | eef6609fa002c3e6da3ba58a4eb2d8f2 |
| SHA1 | 5a9a87e2b7a1dd53686066fada348932eb1c2c36 |
| SHA256 | e4f96a70f366148ad871898cd0eb4618f2ea4913705fc86dd43453d03a67945d |
| SHA512 | 1f9318a0d887c444f98a7c8a6fe03385a08e6d740c7fac9aeb00029b0313e18786fdf0b3110e317a487e1d07a1910a02d48b614d8b6eb00ac0084b076656abab |
C:\Windows\system\VCqlqmF.exe
| MD5 | 770596b86c298a3e733123216095919c |
| SHA1 | ccde8cab4ea5bb44406c22d56e74e9a7d213ce1d |
| SHA256 | c506f792da412ad152cb617e51fd081381d64a771e48f3ff82ff4bc3db617b51 |
| SHA512 | f3d3b74e7e2a0ff718aaa2dcc7ce16fcec5d628a235781719fe6675f433a6011e51390444e797b3afe4d4947f6b10b8e46a452c9c710e79521d0c405a30c6b36 |
memory/1924-76-0x0000000002310000-0x0000000002664000-memory.dmp
\Windows\system\CrKkQCd.exe
| MD5 | 5a12ca0daed85d511b237243807b97d5 |
| SHA1 | 8ddcd3cd750621265cfcbdfbe7d61e34a7b6d3c0 |
| SHA256 | 6918e18e3bb16caba142aaeb1bab39dd521de834676c885234baa5243afdf7f2 |
| SHA512 | 555f63b848b48204f2bb7a74a2885ff7bc21107310200e5c944b099f7278220df163b31505b1160bd0800b9bae555b8815f2b80801da464fbb1159c213d8b91e |
\Windows\system\ocoVoby.exe
| MD5 | 2dfec3d75cb59469e28bcb4b83d419d2 |
| SHA1 | 486df894cb4ecdd5a4da0d103883016b04235c7c |
| SHA256 | 0e584c3a06571534f0206bcdb26f1e67e6680f30f056f0d1b0a4a7b170eeea43 |
| SHA512 | ac8a69b4ca18d1cfac89f87b7b02c78ec3912fc9b489eb246d376c47cac9d4ad674fc451be2a1967c5fb02a6c1338d93f9705b6005233bc894772db8a72a5cdd |
C:\Windows\system\dXrohOk.exe
| MD5 | a05ce51370a82523a86990eea77dc173 |
| SHA1 | 8abd2d3ad22c62aba38ab4c507ea818876b6216f |
| SHA256 | 876d7ea6e0c1436728da7b29f7c7e06124f75f76d04ca574a2681499ced9c5a6 |
| SHA512 | 18d74cd1b9519a502b4bf6d51a3f006c882b711feb79c720ef8b2e3e13b7516151d9cd560c225497c8a97a468e6c3fdc9dcef97773aed3b0e3b6e292c308598d |
C:\Windows\system\cRjmnTg.exe
| MD5 | a34b39730dc44ae8a5f7801c239af399 |
| SHA1 | fe1298d7a589a670387b67b60cebff2bfee84300 |
| SHA256 | e81b8a6b222e1978dd5ce2ed9e5b5c1ab2790532447fcb61c26e8b4a77c9c370 |
| SHA512 | c054d9830c4da61b99dac6fbf16e14d8a3d829e32340f706ef62f7517ec436e7a539e8a488909a7f44b4824fa7bf98c08f6183b8fa177138a4788f5693b0247e |
\Windows\system\bRCgLDC.exe
| MD5 | 12325dcfa7a8a79433fb1de17d9f2e2b |
| SHA1 | c52f2650251e42a48e12c805cf8ced51dc24d749 |
| SHA256 | b1e5a60b1a565f144e8198354fd99cc26bd322f3bf57feff4ce193a843476afe |
| SHA512 | 64f96b56da2876c16578bac2e6247b89b85b5f22de8d777c9dc341ceb446d13200508995af5e8e9901ea964e09d98fafc5817f28fa2d24334974e029ecf72eaa |
memory/1924-108-0x0000000002310000-0x0000000002664000-memory.dmp
memory/1924-107-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/1924-106-0x0000000002310000-0x0000000002664000-memory.dmp
C:\Windows\system\HBjYjMm.exe
| MD5 | a0afd247e882c8611ed2570c81760ceb |
| SHA1 | b6d0518f534a1a1c7cc5e53d0a181dd132e05f05 |
| SHA256 | 7ef21bbb20070bccf48c52a5bf022128a068a390aa7c3942c5064744cc2ca8ad |
| SHA512 | b7af299b10d197518305cc81d30ff2cd928eeb93992f54a7a935107e28d59a2dfc48c85b2423376ef3c2cc800cd4130ad029b14b74a8886fa745b7d52284c89d |
\Windows\system\OJQUCbr.exe
| MD5 | 37f27559609c0c96ba94ff8b0d4a61c1 |
| SHA1 | 074f09acc937a0465b47efd3093498099fb1ba9b |
| SHA256 | 8bc1705b40fce31098d9480bfc1022f7d5ec48fc0976fd09198d4d6d1b5b7c83 |
| SHA512 | e31fed598ca42b1c84cbd46591c024a6dd61e08de5e1d92a0d23db60038e3e8c24aa3066a77c60c1a2f462cdcf1b0612b10ea131740dba137b19e895015c0f43 |
C:\Windows\system\FVoneKt.exe
| MD5 | 2758f2baedfed3c7f77b35edc977e0ef |
| SHA1 | 08a34e53579edd5bce54fad534d03b95be7b275b |
| SHA256 | feb143d1f72abd87e59ac084b9fb58a29386a2394888f8a09748883c14173d72 |
| SHA512 | 06c55ba2d8dbc454a7cd9a9bb65708b2a43a51fcdc127fc7e5bc39f8486f539fd5dd2feaaf10b36f9f42c064e472c811df66b08a2a7798be086672a190cbb9f6 |
C:\Windows\system\SDMhvZF.exe
| MD5 | 959bd4101e2dcfdd52e2ac9ac3500c9c |
| SHA1 | 24469331ff37ba8b199e54464f38fdc4861e5b93 |
| SHA256 | 7d9a96fa27f722915e5077c439c1dab22705d88ec7137de49e9cdae8c9214ba6 |
| SHA512 | 99fa097acd11d1d698ab8d234c6259c3e0b7a26f47438e14b48f43d63ae99dceaec58d768f46764f99a221235c0182f8a4784468d146f4f086781d9db4f93b76 |
memory/2832-95-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2480-138-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2648-94-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/1924-89-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2668-88-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2724-87-0x000000013F500000-0x000000013F854000-memory.dmp
C:\Windows\system\udICoVH.exe
| MD5 | cc03fa67c5b6a6bd628723b130934c5c |
| SHA1 | b7a159c21f8164f37470acc5f0ca18f1ef3229a7 |
| SHA256 | b0ecae4033aee42b011b96b655edca290f95c3c32e6f4e59241e9f34e4acd19d |
| SHA512 | d2dd19eb3fbee6f41ae554eafd875e0c7437a4488d9816a7f0d06f0b39702ddcdf7f38b8b84c09a4c30a64b942d417f64ee4da94aa9b08aad96a7631964674cf |
memory/1924-81-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2796-80-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/1924-79-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/1928-78-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2292-70-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/1924-69-0x0000000002310000-0x0000000002664000-memory.dmp
C:\Windows\system\wFCelRk.exe
| MD5 | 93626213ba9a78ddbbd36cf0799f3b75 |
| SHA1 | 5ca91eae31448631513e46e306cd5abd2d553346 |
| SHA256 | 118009b3b250e561fd63137f2a7ccd9d29fb5ba5093ba8647f4458354ba51b5a |
| SHA512 | 35eaed43effbcdeb7454fae101e3348439bafd0a3bf390c9879f071337d305029520b5f8cab876e1a690ccc7484bdb77cf894bdb9111357b3b4822000fc01260 |
C:\Windows\system\yQCsUmD.exe
| MD5 | 224401a470fd193212b93b4b8bef17b2 |
| SHA1 | 1ae14e45bd4d15ecd566dea2ec10d5743f9b473f |
| SHA256 | 57eab6e33c2098da0df3e60c7b9901a774e23adb582a3bca2406d4db36065967 |
| SHA512 | dcd64cda95d25a7e5a289ebc718241cd84a6d292dbca7a38338f85a35356c8194a525c699176271189037c5b5af37c8b815a5e335219cfde0ef58eb5e481e588 |
memory/2548-62-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2480-56-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/1924-55-0x000000013F440000-0x000000013F794000-memory.dmp
C:\Windows\system\Nomofzt.exe
| MD5 | 248dd75cdabe1be06584624ef6fdf221 |
| SHA1 | a0b895e14866772a0c9606b948369cbc73acd5f5 |
| SHA256 | 101d23fa5d5e2b7c9f71d34f9d83ab7bd564096879087b1221aeaa67e8f07dad |
| SHA512 | 42ddb83256adbb142e7fa23b4fdc20d40989fa4f7d4d4cde31a5ab5672ed27ed343217766de99d0ea6d34d6dc1c8826996df1ab543270225a2a68acdafed3fd2 |
memory/1924-40-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2484-37-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/1924-48-0x0000000002310000-0x0000000002664000-memory.dmp
memory/2512-47-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2548-139-0x000000013F610000-0x000000013F964000-memory.dmp
C:\Windows\system\lbxXGNd.exe
| MD5 | b2ed3ddedd8529f18ebf9acba1ea2418 |
| SHA1 | 43e785ea8ed66c2c756035a397136e97169994fa |
| SHA256 | 7af2909ccc19a639371c9a4be53b12e789f2b117bf2f915e9775c7670c613d5d |
| SHA512 | 24cea93b3cf0ad557c1b8421afa8e7f2bac16522e020889251ba7e6920e661a82903d972ca6fd8b0d05159be88903506ac5e420b0f62e44d55b3aaf206830698 |
C:\Windows\system\CrxLUMw.exe
| MD5 | a90822bb5a45cecbfe43b80d4afa0550 |
| SHA1 | bb038b187acf5184022a83228a3983fcce45c92c |
| SHA256 | 47be73d5c3ff43603c6658cf745f630bb9d7bdc8decbe3bbbdac38e7b1be22de |
| SHA512 | 8ad7307152fcb3bd384562645f8631e7e3bd74a382f5631e5409adef1823c72d736294af3799d0d9eca48c27f96e7aca34a49b60a31e8d243a2dfd38fca79f8c |
memory/2724-28-0x000000013F500000-0x000000013F854000-memory.dmp
memory/1924-27-0x0000000002310000-0x0000000002664000-memory.dmp
memory/2580-15-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/1924-140-0x0000000002310000-0x0000000002664000-memory.dmp
memory/1924-141-0x0000000002310000-0x0000000002664000-memory.dmp
memory/1924-142-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/1924-143-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/3040-144-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/2580-145-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/2796-146-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2484-148-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/2512-149-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2648-150-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2724-147-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2480-151-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2548-152-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2292-153-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/1928-154-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2668-155-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2832-156-0x000000013FA50000-0x000000013FDA4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-07 00:56
Reported
2024-06-07 01:03
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Cobalt Strike reflective loader: 12 hits (no description, indicator, process or target recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts: 12 hits (no description, indicator, process or target recorded)
UPX dump on OEP (original entry point): 64 hits (no description, indicator, process or target recorded)
XMRig Miner payload: 64 hits (no description, indicator, process or target recorded)
Executes dropped EXE (21 processes; no description, indicator or target recorded)
| Process |
| C:\Windows\System\cfYXkgV.exe |
| C:\Windows\System\FQrDjlG.exe |
| C:\Windows\System\aNaLoyt.exe |
| C:\Windows\System\orjaJAl.exe |
| C:\Windows\System\ODlrBaj.exe |
| C:\Windows\System\wZMKTbk.exe |
| C:\Windows\System\YDmEaIy.exe |
| C:\Windows\System\rZnfcXq.exe |
| C:\Windows\System\VkRCXWF.exe |
| C:\Windows\System\HPMUNiw.exe |
| C:\Windows\System\rTafcKj.exe |
| C:\Windows\System\uVrHUux.exe |
| C:\Windows\System\cZfnBgg.exe |
| C:\Windows\System\pOKoUoT.exe |
| C:\Windows\System\vKaHgKK.exe |
| C:\Windows\System\yIGtvEm.exe |
| C:\Windows\System\gOrZmOi.exe |
| C:\Windows\System\QDNnArh.exe |
| C:\Windows\System\cnblRxE.exe |
| C:\Windows\System\lcWDMzw.exe |
| C:\Windows\System\qvTTBuY.exe |
UPX packed file: 64 hits (no description, indicator, process or target recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\cfYXkgV.exe | C:\Windows\System\cfYXkgV.exe |
| C:\Windows\System\FQrDjlG.exe | C:\Windows\System\FQrDjlG.exe |
| C:\Windows\System\aNaLoyt.exe | C:\Windows\System\aNaLoyt.exe |
| C:\Windows\System\orjaJAl.exe | C:\Windows\System\orjaJAl.exe |
| C:\Windows\System\ODlrBaj.exe | C:\Windows\System\ODlrBaj.exe |
| C:\Windows\System\wZMKTbk.exe | C:\Windows\System\wZMKTbk.exe |
| C:\Windows\System\YDmEaIy.exe | C:\Windows\System\YDmEaIy.exe |
| C:\Windows\System\rZnfcXq.exe | C:\Windows\System\rZnfcXq.exe |
| C:\Windows\System\VkRCXWF.exe | C:\Windows\System\VkRCXWF.exe |
| C:\Windows\System\HPMUNiw.exe | C:\Windows\System\HPMUNiw.exe |
| C:\Windows\System\rTafcKj.exe | C:\Windows\System\rTafcKj.exe |
| C:\Windows\System\uVrHUux.exe | C:\Windows\System\uVrHUux.exe |
| C:\Windows\System\cZfnBgg.exe | C:\Windows\System\cZfnBgg.exe |
| C:\Windows\System\pOKoUoT.exe | C:\Windows\System\pOKoUoT.exe |
| C:\Windows\System\vKaHgKK.exe | C:\Windows\System\vKaHgKK.exe |
| C:\Windows\System\yIGtvEm.exe | C:\Windows\System\yIGtvEm.exe |
| C:\Windows\System\gOrZmOi.exe | C:\Windows\System\gOrZmOi.exe |
| C:\Windows\System\QDNnArh.exe | C:\Windows\System\QDNnArh.exe |
| C:\Windows\System\cnblRxE.exe | C:\Windows\System\cnblRxE.exe |
| C:\Windows\System\lcWDMzw.exe | C:\Windows\System\lcWDMzw.exe |
| C:\Windows\System\qvTTBuY.exe | C:\Windows\System\qvTTBuY.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8 |
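The behaviour recorded in both behavioral runs (behavioral1 on Windows 7 and behavioral2 on Windows 10) is the same: the sample in the user's Temp directory writes and executes a stream of seven-letter, randomly named EXEs under C:\Windows\System, enables SeLockMemoryPrivilege twice, and connects repeatedly to 3.120.209.58:8080. Each of those maps onto a host-side detection rule. The following is an added example, not part of the report: it runs such rules over a constructed event list that mirrors this run, plus two benign control events that must not fire. The SeLockMemoryPrivilege rule matters here because XMRig asks for that privilege to use large (huge) pages for its mining memory; the allowlist (SQL Server, which legitimately locks pages) and the numeric thresholds are assumptions for the example, as are the event field names. C:\Windows\System is the legacy 16-bit directory rather than System32, so newly created executables there are unusual in their own right.

```python
import re
from collections import Counter, defaultdict

# C:\Windows\System is the legacy 16-bit directory; current Windows binaries live in
# System32 / SysWOW64, so freshly created EXEs here are a strong signal on their own.
RANDOM_NAME_IN_WINDOWS_SYSTEM = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.I)
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Assumed allowlist for the example: SQL Server legitimately enables SeLockMemoryPrivilege
# ("Lock pages in memory"). Extend per environment.
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe"}
MANY_CHILDREN = 10          # distinct child images from one parent; threshold is an assumption
REPEAT_CONNECTS = 3         # same (process, ip, port) tuple seen this often; also an assumption


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Run the rules over a list of event dicts; return findings as {rule, process, detail}."""
    findings = []
    children = defaultdict(set)
    connects = Counter()
    for ev in events:
        if ev["type"] == "process_create":
            img, parent = ev["image"], ev["parent_image"]
            children[parent].add(img)
            if RANDOM_NAME_IN_WINDOWS_SYSTEM.match(img):
                findings.append({"rule": "random_exe_in_windows_system", "process": img, "detail": f"parent {parent}"})
            if USER_TEMP.match(parent) and img.lower().startswith("c:\\windows\\"):
                findings.append({"rule": "temp_dropper_spawns_windows_exe", "process": img, "detail": f"parent {parent}"})
        elif ev["type"] == "privilege_adjust":
            if "SeLockMemoryPrivilege" in ev["enabled"] and basename(ev["process"]) not in LOCK_MEMORY_ALLOWLIST:
                findings.append({"rule": "lock_memory_privilege_unexpected", "process": ev["process"], "detail": "SeLockMemoryPrivilege enabled"})
        elif ev["type"] == "network_connect":
            connects[(ev["process"], ev["dst_ip"], ev["dst_port"])] += 1
    for parent, imgs in children.items():
        if len(imgs) >= MANY_CHILDREN:
            findings.append({"rule": "one_parent_many_distinct_children", "process": parent, "detail": f"{len(imgs)} distinct children"})
    for (proc, ip, port), n in connects.items():
        if n >= REPEAT_CONNECTS and port not in (80, 443):
            findings.append({"rule": "repeated_connects_nonstandard_port", "process": proc, "detail": f"{ip}:{port} x{n}"})
    return findings


def rules_hit(findings) -> Counter:
    return Counter(f["rule"] for f in findings)


# Constructed events mirroring this report (the file names and the C2 endpoint come from the
# report; the event shapes, the parent of the sample and the benign controls are made up).
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe"
DROPPED = ["PxftWdA", "jYRvaIy", "HuFrfAY", "YkMUdli", "CrxLUMw", "eXuzHFn",
           "lbxXGNd", "Nomofzt", "VCqlqmF", "wFCelRk", "yQCsUmD"]
EVENTS = [{"type": "process_create", "image": SAMPLE, "parent_image": "C:\\Windows\\explorer.exe"}]
EVENTS += [{"type": "process_create", "image": f"C:\\Windows\\System\\{n}.exe", "parent_image": SAMPLE} for n in DROPPED]
EVENTS += [{"type": "privilege_adjust", "process": SAMPLE, "enabled": ["SeLockMemoryPrivilege"]}] * 2
EVENTS += [{"type": "network_connect", "process": SAMPLE, "dst_ip": "3.120.209.58", "dst_port": 8080}] * 6
EVENTS += [  # benign controls that must not fire
    {"type": "process_create", "image": "C:\\Windows\\System32\\svchost.exe", "parent_image": "C:\\Windows\\System32\\services.exe"},
    {"type": "privilege_adjust", "process": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe", "enabled": ["SeLockMemoryPrivilege"]},
]

if __name__ == "__main__":
    for rule, n in sorted(rules_hit(triage(EVENTS)).items()):
        print(f"{n:3d}  {rule}")
```

The per-child rules fire once per dropped executable, so on a real host they are best aggregated by parent; the parent-level rules (many distinct children, repeated connects to one non-standard port, unexpected SeLockMemoryPrivilege) are the ones worth paging on, and SQL Server is the usual false positive for the last of them.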
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.187.202:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 233.17.178.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\cfYXkgV.exe
C:\Windows\System\FQrDjlG.exe
C:\Windows\System\aNaLoyt.exe
C:\Windows\System\FQrDjlG.exe
C:\Windows\System\orjaJAl.exe
C:\Windows\System\orjaJAl.exe
C:\Windows\System\ODlrBaj.exe
C:\Windows\System\wZMKTbk.exe
C:\Windows\System\YDmEaIy.exe
C:\Windows\System\VkRCXWF.exe
C:\Windows\System\HPMUNiw.exe
C:\Windows\System\HPMUNiw.exe
C:\Windows\System\rTafcKj.exe
C:\Windows\System\rTafcKj.exe
C:\Windows\System\uVrHUux.exe
C:\Windows\System\cZfnBgg.exe
C:\Windows\System\pOKoUoT.exe
C:\Windows\System\pOKoUoT.exe
C:\Windows\System\vKaHgKK.exe
C:\Windows\System\yIGtvEm.exe
C:\Windows\System\gOrZmOi.exe
C:\Windows\System\qvTTBuY.exe
C:\Windows\System\cnblRxE.exe
C:\Windows\System\lcWDMzw.exe
C:\Windows\System\lcWDMzw.exe
C:\Windows\System\cnblRxE.exe
C:\Windows\System\QDNnArh.exe