Analysis Overview
SHA256
4dfd92a55eac8ea306b9c7927b6c5dc995e0ceafe794bc57d06073f4b5cc52c5
Threat Level: Known bad
The file 2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
xmrig
XMRig Miner payload
Xmrig family
Cobaltstrike family
Detects Reflective DLL injection artifacts
Cobaltstrike
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 06:04
Signatures
Cobalt Strike reflective loader
1 match; indicator, process and target not extracted.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match; indicator, process and target not extracted.
UPX dump on OEP (original entry point)
1 match; indicator, process and target not extracted.
XMRig Miner payload
1 match; indicator, process and target not extracted.
Xmrig family
UPX packed file
1 match; indicator, process and target not extracted.
Unsigned PE
1 match; indicator, process and target not extracted.
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 06:04
Reported
2024-06-08 06:06
Platform
win7-20231129-en
Max time kernel
136s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; indicator, process and target not extracted.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; indicator, process and target not extracted.
UPX dump on OEP (original entry point)
55 matches; indicator, process and target not extracted.
XMRig Miner payload
57 matches; indicator, process and target not extracted.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\SkqBvTB.exe | N/A |
| N/A | N/A | C:\Windows\System\FchxZct.exe | N/A |
| N/A | N/A | C:\Windows\System\spzJwKW.exe | N/A |
| N/A | N/A | C:\Windows\System\bMWYaTm.exe | N/A |
| N/A | N/A | C:\Windows\System\sRsrnYP.exe | N/A |
| N/A | N/A | C:\Windows\System\PBkHohF.exe | N/A |
| N/A | N/A | C:\Windows\System\nEhtEFy.exe | N/A |
| N/A | N/A | C:\Windows\System\jwLXAGy.exe | N/A |
| N/A | N/A | C:\Windows\System\DSvPgHE.exe | N/A |
| N/A | N/A | C:\Windows\System\xNzeUrI.exe | N/A |
| N/A | N/A | C:\Windows\System\LRVfIDs.exe | N/A |
| N/A | N/A | C:\Windows\System\kDDATMa.exe | N/A |
| N/A | N/A | C:\Windows\System\icWZrGh.exe | N/A |
| N/A | N/A | C:\Windows\System\NkDvgOW.exe | N/A |
| N/A | N/A | C:\Windows\System\kXgbDsm.exe | N/A |
| N/A | N/A | C:\Windows\System\ElMcmSa.exe | N/A |
| N/A | N/A | C:\Windows\System\BlJlSfJ.exe | N/A |
| N/A | N/A | C:\Windows\System\GupLWpW.exe | N/A |
| N/A | N/A | C:\Windows\System\wCuNEVN.exe | N/A |
| N/A | N/A | C:\Windows\System\mfsqTiT.exe | N/A |
| N/A | N/A | C:\Windows\System\kVOWQjr.exe | N/A |
Loads dropped DLL
UPX packed file
55 matches; indicator, process and target not extracted.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\SkqBvTB.exe
C:\Windows\System\SkqBvTB.exe
C:\Windows\System\FchxZct.exe
C:\Windows\System\FchxZct.exe
C:\Windows\System\spzJwKW.exe
C:\Windows\System\spzJwKW.exe
C:\Windows\System\bMWYaTm.exe
C:\Windows\System\bMWYaTm.exe
C:\Windows\System\sRsrnYP.exe
C:\Windows\System\sRsrnYP.exe
C:\Windows\System\PBkHohF.exe
C:\Windows\System\PBkHohF.exe
C:\Windows\System\nEhtEFy.exe
C:\Windows\System\nEhtEFy.exe
C:\Windows\System\jwLXAGy.exe
C:\Windows\System\jwLXAGy.exe
C:\Windows\System\DSvPgHE.exe
C:\Windows\System\DSvPgHE.exe
C:\Windows\System\xNzeUrI.exe
C:\Windows\System\xNzeUrI.exe
C:\Windows\System\kDDATMa.exe
C:\Windows\System\kDDATMa.exe
C:\Windows\System\LRVfIDs.exe
C:\Windows\System\LRVfIDs.exe
C:\Windows\System\NkDvgOW.exe
C:\Windows\System\NkDvgOW.exe
C:\Windows\System\icWZrGh.exe
C:\Windows\System\icWZrGh.exe
C:\Windows\System\BlJlSfJ.exe
C:\Windows\System\BlJlSfJ.exe
C:\Windows\System\kXgbDsm.exe
C:\Windows\System\kXgbDsm.exe
C:\Windows\System\GupLWpW.exe
C:\Windows\System\GupLWpW.exe
C:\Windows\System\ElMcmSa.exe
C:\Windows\System\ElMcmSa.exe
C:\Windows\System\wCuNEVN.exe
C:\Windows\System\wCuNEVN.exe
C:\Windows\System\mfsqTiT.exe
C:\Windows\System\mfsqTiT.exe
C:\Windows\System\kVOWQjr.exe
C:\Windows\System\kVOWQjr.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1372-0-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/1372-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\SkqBvTB.exe
| MD5 | 3b53248ba8c70e5d77f81f1db49d9a99 |
| SHA1 | aebf0b8f45b29d1103100807ac33351acb945165 |
| SHA256 | 70bc8fbada8f0ee7291b59d0610f5fa5d61729ec9576e7dcffe46035d94b7083 |
| SHA512 | 7f0cdd9dd2f1a8fc9487a4e827832c3c86e7ce76b05820e4a3bc0a7cfa10378064d2b0027412e540375d50c6fdbfe530e0ecad9dfd4e95b3120e164c9a5727a5 |
memory/1372-8-0x000000013F7E0000-0x000000013FB34000-memory.dmp
C:\Windows\system\FchxZct.exe
| MD5 | 3c80dcc88cc1ba2276555f99f3e17134 |
| SHA1 | 279a6a4da31c7fea94b1a5e127d1ed56047c9589 |
| SHA256 | 909d3de24927b36fd03bc6a9ae63058f013170b78a5f51b21d361a0d025825ec |
| SHA512 | 7161318da75618902a68aaf63c89448077ee1f20ea71691c8911a52730b454627eb39ee6752c7d4ccb41808978bb573707b2e583693ea3e0730844fa04799bc3 |
memory/2992-11-0x000000013F7E0000-0x000000013FB34000-memory.dmp
C:\Windows\system\spzJwKW.exe
| MD5 | 33f5a01ff9d2d0a7c15ce3a09908cb5f |
| SHA1 | fe352ba4dad3c751c0e46e0d508576132b074bde |
| SHA256 | 6f92e7b62ac0b75ba40a2824189a07479f74fdff0b0c17369302035a001addfc |
| SHA512 | cc30f5cb8a2d6033b888bb039925fdcb73db838441128a7e6846b4329d9b0608fce5f1ce2169cd538d38da88b5e6f40968d7f0227519bdabb6193ad900a7c152 |
memory/3056-20-0x000000013F940000-0x000000013FC94000-memory.dmp
C:\Windows\system\bMWYaTm.exe
| MD5 | 7fa25992288e4f5c38c68e3933d74561 |
| SHA1 | f4b960eb849248e2fdc2bea6cc0e86a8bc3bd2fc |
| SHA256 | f9760f908a931843ce4a198889f795a3a30109e9e9424ce4fd0c013ff1d97ee0 |
| SHA512 | c27c03d2d6365d26185391993ffcb8428b750ed38af73eea83ac1023d8af0c4636fd1c8063d6858703aea134bcafde98f80bc9218c7617ad0c1fcb9c1194329d |
memory/2928-29-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/1372-28-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/1372-26-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/1372-24-0x00000000023E0000-0x0000000002734000-memory.dmp
memory/2668-23-0x000000013F1D0000-0x000000013F524000-memory.dmp
\Windows\system\sRsrnYP.exe
| MD5 | b77a66d41ca8a668a5ed185e4e990917 |
| SHA1 | 019210efbef1a351240e50296aa3fd30f8fae7f1 |
| SHA256 | 7252d80400f91fdfb9eda1772231ebdba1b63b7458be06640d03729443a81bca |
| SHA512 | 4295ebca6d833f1317dbb1c7b77b247d0caed2f6b0883b1a172b0e5ed5d3c0c402661ff7057a0f3ea4bb5adcd1998866176eb78c8b52146fce390bc6d5f96383 |
memory/2656-36-0x000000013F330000-0x000000013F684000-memory.dmp
memory/1372-34-0x000000013F330000-0x000000013F684000-memory.dmp
C:\Windows\system\PBkHohF.exe
| MD5 | 4e5ad1f07e4ecf6eff54cbf41dfdedd3 |
| SHA1 | cbe5a8fb0c7a104364c0b7f6903c65eee8613737 |
| SHA256 | d45b50891e988d120c74da28d4c6cc6a4a8bb7cc455ea11007a42f2743a212e0 |
| SHA512 | b1bf1efb9778e484669e6232534aeff73045114c6bfd2ef5dcea907b0f719ba6b9a33678779b23fafc35c40734f7f6e8e4a5f914ce9a82813d8258e16ba20317 |
memory/2612-44-0x000000013FA10000-0x000000013FD64000-memory.dmp
C:\Windows\system\nEhtEFy.exe
| MD5 | d2bc4986b5900b2496fe583033fa1b61 |
| SHA1 | 4ec7b284bb4b56f17dddf098c07b637a03fbf9b9 |
| SHA256 | c886018d965b6c293a42b2ac84445ac56a034cb575910b8c12fe9e7b71983d65 |
| SHA512 | 2642b1138ab9c5310ecfdc90320ecd40800d4b38e3cbc3894f50d7ce9196b13e8c7bb6b54caba4375b545022284de5f7fbb466f3150c84c1e9f9399cc05b5323 |
memory/2572-50-0x000000013FDE0000-0x0000000140134000-memory.dmp
C:\Windows\system\jwLXAGy.exe
| MD5 | f48d42e39cde0ed5646565c975d15400 |
| SHA1 | 528be1164902c0b405cf620b9b93e6ba921294b6 |
| SHA256 | d72000aa611688e33d81475b5fead0d833743d063e693b4dd14616205567d49a |
| SHA512 | 22c4fa9307b4ff653c81e942493940972153be7ddcafb41a4100e3ea0167999c62bab976022354505eb3695aa20d3945258e7653e42112cddea715b7cfd1ca4d |
memory/2736-57-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/1372-56-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/1372-43-0x000000013FA10000-0x000000013FD64000-memory.dmp
C:\Windows\system\DSvPgHE.exe
| MD5 | 622c96c822566f074ec2625dea1d4e97 |
| SHA1 | 97c08e2cefbcc85c393d307e8e8e8918f536bbea |
| SHA256 | 89b34158465eb40671cc6c53c11161f4f35d8c10febb225b787cbeae1cf2ca36 |
| SHA512 | 4c765e0c4c3a70ddf8b8c7a9d75a6a64eafadb5ae4b5cfad2f0f1c6e8609b9e5264f299e869d76ca2e5a09c70bb08ea089377d0dfe07ba19da3317035d3c8433 |
C:\Windows\system\xNzeUrI.exe
| MD5 | bfba51f2fd3e4f8f2c1a47fe748d073f |
| SHA1 | 94992f8bf2b650dffcbf9c1bd4175f9bf1492b34 |
| SHA256 | a343e2fdf4a2757fbf6a14743377d0e52873679764a0720252a85c37fe0ec857 |
| SHA512 | 218080a5136411bc3ddbabe7d3c7059cb1dcbef45f6789e72b407bc99f03e24087b34c75c9deb3058d8b3c524104cb57f5472cba6ee6417d4e7fbaa8199015df |
memory/3056-70-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/2516-71-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/1372-69-0x000000013FE40000-0x0000000140194000-memory.dmp
\Windows\system\icWZrGh.exe
| MD5 | 73f1015adb8fc89e0cc6aadb0d15b57d |
| SHA1 | dd5d5d642353ff7cced16bb0d518a657fac70bf3 |
| SHA256 | f26238445aa10a530048ffd0a90bc0e5fc0c09bc6b9899fe176c8b8eafc00504 |
| SHA512 | ad384529042c8f6d851568b3db0a4070fddcabbf2378962173730473176f25bc9619b571b84206dcb6a008fa7f5778b7f2e2c3d832a115e123c808ddcf776198 |
C:\Windows\system\NkDvgOW.exe
| MD5 | 852376b91d06738a116d4acc676da2df |
| SHA1 | 21981bd518d4d4981f92c1c1dbd3a7883506589c |
| SHA256 | d4ef1a4038bc7ae3bad99f6449542485bd9292e9404e82699277c2afca4aff39 |
| SHA512 | acac0578091e5bc5a4bebabbab8e6075bbc5e65ffdbd29e00fd0172383e8075f42aed3e58d8f1650ad95819965ecd725b21c6a01e823760562912b4cecffa9a0 |
memory/1372-94-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/1372-95-0x000000013F8B0000-0x000000013FC04000-memory.dmp
\Windows\system\kXgbDsm.exe
| MD5 | 9bedd372e3e63f88aaee31df21b4a15a |
| SHA1 | 30673c8afab952b32ade1b4974248102a3cec3a5 |
| SHA256 | 194f4815c9cf46bd8967ed35e7d5c550a457210a0b30418627e40975da82f277 |
| SHA512 | 9c4377d880d59c21ccd0a763c4ed9bb1c4ed5b19bde3351d23bf18f541a462e23d7665e82e3ce5ef0dbd21c54f85cc962120122c498d45b48d222fa9f66ae482 |
C:\Windows\system\ElMcmSa.exe
| MD5 | d0e8738baf71d1d89326d9ad54094127 |
| SHA1 | 696793693aaaf1f6eac01a24408cda676230fb2e |
| SHA256 | 8d2c8d3ca0f226d73be8d08e3b75199e50d5eab6396f1149c1e65d9d6f6b3be9 |
| SHA512 | 456afff01590badfc1cfd853a33911a85447eee6be2848b7d27457f7a6c932580c5d7922261bf0e0a73428b97b6d456a2fe002ab18a90601b82fd56f17f9ca74 |
\Windows\system\kVOWQjr.exe
| MD5 | 720480bede1f55d724b2a4a752190e2e |
| SHA1 | 5cba1bf30ebb3bd592a2a314d290c641fc6870e6 |
| SHA256 | f7a22a9e742b1cd5cf9d5f059daff36bf962317601f54afeddf22ec66e3047b1 |
| SHA512 | fb62701c55f5a1c254290bc8e0c4628b3545c1a1297a566448cb100532bf0a14a7602777e4eba5e8792a23f04b0267bab186e5322d9acdf72f0674823a55d428 |
C:\Windows\system\wCuNEVN.exe
| MD5 | 35dfc89b9df80b180107e5efd3c95991 |
| SHA1 | 30af2369691dfca28199ea623be9efb59027e0ca |
| SHA256 | 8b59cf3dfb198fd377608ef81e9a7a1d3996949a90b287dc2b51d1fb30ade3f8 |
| SHA512 | 478e0dffbd1377e8c59427f782b1eca9f9c7a3d3d5b1c05b949bd428eedcd4b9a4551483d6443789db167c1891d782041fa7ec440591cb2f9f84c8ec80e0b3de |
C:\Windows\system\GupLWpW.exe
| MD5 | 17ee2d62482477147e0134c9d41e7c5b |
| SHA1 | 56fb257132e9caf0e07ac64a315517f37cae4fb3 |
| SHA256 | ecf57e75f4db9b7ad3180a67e3ceb6aee35ef66e571470ca77ba937b38bf7fea |
| SHA512 | 59cb0a658323a67891eb698efd68d5580bf16610f944aae26fed7cea0f1ceaee13847d41143fa2be888e765ce05b1eb00a0de03864f3ba99163fa2f51cf2e71e |
memory/2928-107-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2064-99-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
C:\Windows\system\mfsqTiT.exe
| MD5 | b5979aabb373ddcb320e8fb2b686f212 |
| SHA1 | b5d077deb052141c251bbf611cfbf4a9325bd978 |
| SHA256 | 252e9f051861ac6da0de291954a743d52c68e9873ee48c5e188cc5697e5dfabb |
| SHA512 | 9cfe89af89b991a2a25bb640977bb81c1850e6bc78469cb9ccdec62f24a211f9abcb1406f07cbad50ceb2e027b77e7e63b23761d0f9a8b4d294579796adf513a |
C:\Windows\system\BlJlSfJ.exe
| MD5 | 087441ee4e8a869c06f93b88c7504867 |
| SHA1 | 6693c95c20ae7f71131abfdf229ba01ea33d344f |
| SHA256 | 020990ab014cbee0b8d40180f2c56f73c4f4cbf0235a477b7f965a977f64adb7 |
| SHA512 | f23423d6f02d995f85d4f38261d16765398cc87c8796f509e3c9edd6248ec2eff4e3c0f45b8317ace3f061ff543ec836eaf67be292569765336ba0928940b8ac |
memory/1372-112-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/3036-103-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2680-92-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/3024-88-0x000000013F7F0000-0x000000013FB44000-memory.dmp
C:\Windows\system\kDDATMa.exe
| MD5 | 969d429537ed4e62fae32ed737a839b0 |
| SHA1 | 00e3a23082f084936dc45b0d31584baa053e79b0 |
| SHA256 | eb794d94970d0afb70bd3d612813cbc1d3839a761f53649389b2a1847ccce853 |
| SHA512 | 25d5cc33e0cc61e07a762a8601f9bea9816d3090a29af0d3b5cf371b49f34e3842113af02bcaf2c66ab0a3edc3eae418ca1d6a5efb505dac92d07ae17203510e |
C:\Windows\system\LRVfIDs.exe
| MD5 | 79094faeee44e3092c1ce8051be98c81 |
| SHA1 | a84ebfcc5dfdb26da04f0dd68b368ae11d463291 |
| SHA256 | 23195053fce27d7966060633582064f113534a5978886addda89327b49473565 |
| SHA512 | 707f42636841f4ce43e3570b6e6265f962611f863deac2c8245cf37a8d3dac9ae6a6278bbb541fdf3a22f5966cba7454c617ea51df3a59fce3792233cc3efda4 |
memory/1372-62-0x00000000023E0000-0x0000000002734000-memory.dmp
memory/2656-134-0x000000013F330000-0x000000013F684000-memory.dmp
memory/1372-135-0x000000013FA10000-0x000000013FD64000-memory.dmp
memory/1372-136-0x00000000023E0000-0x0000000002734000-memory.dmp
memory/2592-137-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/3024-138-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/1372-139-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/1372-140-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2992-141-0x000000013F7E0000-0x000000013FB34000-memory.dmp
memory/2668-142-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/3056-143-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/2928-144-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2656-145-0x000000013F330000-0x000000013F684000-memory.dmp
memory/2612-146-0x000000013FA10000-0x000000013FD64000-memory.dmp
memory/2572-147-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2736-148-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2592-149-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2516-150-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2064-151-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2680-153-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/3024-152-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/3036-154-0x000000013F8B0000-0x000000013FC04000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 06:04
Reported
2024-06-08 06:06
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; indicator, process and target not extracted.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; indicator, process and target not extracted.
UPX dump on OEP (original entry point)
64 matches; indicator, process and target not extracted.
XMRig Miner payload
64 matches; indicator, process and target not extracted.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\SkqBvTB.exe | N/A |
| N/A | N/A | C:\Windows\System\FchxZct.exe | N/A |
| N/A | N/A | C:\Windows\System\spzJwKW.exe | N/A |
| N/A | N/A | C:\Windows\System\bMWYaTm.exe | N/A |
| N/A | N/A | C:\Windows\System\sRsrnYP.exe | N/A |
| N/A | N/A | C:\Windows\System\PBkHohF.exe | N/A |
| N/A | N/A | C:\Windows\System\nEhtEFy.exe | N/A |
| N/A | N/A | C:\Windows\System\jwLXAGy.exe | N/A |
| N/A | N/A | C:\Windows\System\DSvPgHE.exe | N/A |
| N/A | N/A | C:\Windows\System\xNzeUrI.exe | N/A |
| N/A | N/A | C:\Windows\System\kDDATMa.exe | N/A |
| N/A | N/A | C:\Windows\System\LRVfIDs.exe | N/A |
| N/A | N/A | C:\Windows\System\NkDvgOW.exe | N/A |
| N/A | N/A | C:\Windows\System\icWZrGh.exe | N/A |
| N/A | N/A | C:\Windows\System\kXgbDsm.exe | N/A |
| N/A | N/A | C:\Windows\System\BlJlSfJ.exe | N/A |
| N/A | N/A | C:\Windows\System\GupLWpW.exe | N/A |
| N/A | N/A | C:\Windows\System\ElMcmSa.exe | N/A |
| N/A | N/A | C:\Windows\System\wCuNEVN.exe | N/A |
| N/A | N/A | C:\Windows\System\mfsqTiT.exe | N/A |
| N/A | N/A | C:\Windows\System\kVOWQjr.exe | N/A |
UPX packed file
64 matches; indicator, process and target not extracted.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\SkqBvTB.exe
C:\Windows\System\SkqBvTB.exe
C:\Windows\System\FchxZct.exe
C:\Windows\System\FchxZct.exe
C:\Windows\System\spzJwKW.exe
C:\Windows\System\spzJwKW.exe
C:\Windows\System\bMWYaTm.exe
C:\Windows\System\bMWYaTm.exe
C:\Windows\System\sRsrnYP.exe
C:\Windows\System\sRsrnYP.exe
C:\Windows\System\PBkHohF.exe
C:\Windows\System\PBkHohF.exe
C:\Windows\System\nEhtEFy.exe
C:\Windows\System\nEhtEFy.exe
C:\Windows\System\jwLXAGy.exe
C:\Windows\System\jwLXAGy.exe
C:\Windows\System\DSvPgHE.exe
C:\Windows\System\DSvPgHE.exe
C:\Windows\System\xNzeUrI.exe
C:\Windows\System\xNzeUrI.exe
C:\Windows\System\kDDATMa.exe
C:\Windows\System\kDDATMa.exe
C:\Windows\System\LRVfIDs.exe
C:\Windows\System\LRVfIDs.exe
C:\Windows\System\NkDvgOW.exe
C:\Windows\System\NkDvgOW.exe
C:\Windows\System\icWZrGh.exe
C:\Windows\System\icWZrGh.exe
C:\Windows\System\BlJlSfJ.exe
C:\Windows\System\BlJlSfJ.exe
C:\Windows\System\kXgbDsm.exe
C:\Windows\System\kXgbDsm.exe
C:\Windows\System\GupLWpW.exe
C:\Windows\System\GupLWpW.exe
C:\Windows\System\ElMcmSa.exe
C:\Windows\System\ElMcmSa.exe
C:\Windows\System\wCuNEVN.exe
C:\Windows\System\wCuNEVN.exe
C:\Windows\System\mfsqTiT.exe
C:\Windows\System\mfsqTiT.exe
C:\Windows\System\kVOWQjr.exe
C:\Windows\System\kVOWQjr.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
Files