Analysis Overview
SHA256: 12257de66964e2675ff29adb54eb651be4aaacbc09c88d9a100a6aefbf309cc9
Threat Level: Known bad
The file 2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
xmrig
Cobaltstrike
Xmrig family
Detects Reflective DLL injection artifacts
XMRig Miner payload
Cobaltstrike family
Cobalt Strike reflective loader
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported: 2024-06-08 19:00
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-08 19:00
Reported: 2024-06-08 19:02
Platform: win10v2004-20240226-en
Max time kernel: 144s
Max time network: 153s
Signatures
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
UPX packed file
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| FR | 216.58.215.42:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 42.215.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-08 19:00
Reported: 2024-06-08 19:02
Platform: win7-20240508-en
Max time kernel: 142s
Max time network: 147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\rDOptzm.exe | N/A |
| N/A | N/A | C:\Windows\System\UrGzXYJ.exe | N/A |
| N/A | N/A | C:\Windows\System\gBzxhlJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jjqJTZt.exe | N/A |
| N/A | N/A | C:\Windows\System\PebxNfs.exe | N/A |
| N/A | N/A | C:\Windows\System\PiVFsRg.exe | N/A |
| N/A | N/A | C:\Windows\System\LMKnYUz.exe | N/A |
| N/A | N/A | C:\Windows\System\hhEGjdy.exe | N/A |
| N/A | N/A | C:\Windows\System\NtwUCkw.exe | N/A |
| N/A | N/A | C:\Windows\System\HYGsSap.exe | N/A |
| N/A | N/A | C:\Windows\System\vbfGWoA.exe | N/A |
| N/A | N/A | C:\Windows\System\CmtdfJa.exe | N/A |
| N/A | N/A | C:\Windows\System\skmpPLz.exe | N/A |
| N/A | N/A | C:\Windows\System\NIEsfgM.exe | N/A |
| N/A | N/A | C:\Windows\System\qhkvjXQ.exe | N/A |
| N/A | N/A | C:\Windows\System\TFaaLOh.exe | N/A |
| N/A | N/A | C:\Windows\System\hRTdNUb.exe | N/A |
| N/A | N/A | C:\Windows\System\wwlKWFK.exe | N/A |
| N/A | N/A | C:\Windows\System\krjnZZN.exe | N/A |
| N/A | N/A | C:\Windows\System\JMWUmev.exe | N/A |
| N/A | N/A | C:\Windows\System\xFSXunD.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\rDOptzm.exe
C:\Windows\System\rDOptzm.exe
C:\Windows\System\UrGzXYJ.exe
C:\Windows\System\UrGzXYJ.exe
C:\Windows\System\jjqJTZt.exe
C:\Windows\System\jjqJTZt.exe
C:\Windows\System\gBzxhlJ.exe
C:\Windows\System\gBzxhlJ.exe
C:\Windows\System\PebxNfs.exe
C:\Windows\System\PebxNfs.exe
C:\Windows\System\PiVFsRg.exe
C:\Windows\System\PiVFsRg.exe
C:\Windows\System\LMKnYUz.exe
C:\Windows\System\LMKnYUz.exe
C:\Windows\System\hhEGjdy.exe
C:\Windows\System\hhEGjdy.exe
C:\Windows\System\NtwUCkw.exe
C:\Windows\System\NtwUCkw.exe
C:\Windows\System\HYGsSap.exe
C:\Windows\System\HYGsSap.exe
C:\Windows\System\CmtdfJa.exe
C:\Windows\System\CmtdfJa.exe
C:\Windows\System\vbfGWoA.exe
C:\Windows\System\vbfGWoA.exe
C:\Windows\System\skmpPLz.exe
C:\Windows\System\skmpPLz.exe
C:\Windows\System\NIEsfgM.exe
C:\Windows\System\NIEsfgM.exe
C:\Windows\System\qhkvjXQ.exe
C:\Windows\System\qhkvjXQ.exe
C:\Windows\System\TFaaLOh.exe
C:\Windows\System\TFaaLOh.exe
C:\Windows\System\hRTdNUb.exe
C:\Windows\System\hRTdNUb.exe
C:\Windows\System\wwlKWFK.exe
C:\Windows\System\wwlKWFK.exe
C:\Windows\System\krjnZZN.exe
C:\Windows\System\krjnZZN.exe
C:\Windows\System\JMWUmev.exe
C:\Windows\System\JMWUmev.exe
C:\Windows\System\xFSXunD.exe
C:\Windows\System\xFSXunD.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\rDOptzm.exe
| MD5 | 0d5458fca48281934eb0de0bd2169055 |
| SHA1 | 325f8cfa7aafaa73df5556396678be3b85d71239 |
| SHA256 | 98949dd6858e7ccb9b4000ec5fa87eaca36f93ec523966763feb1de815930e70 |
| SHA512 | 3d3424bf58d8748d7222a10bdee2d9aef0f12b19718130b3027b461730791035480135ffaffe776b98b30cfe3c19d6227397864e136ca149098caa163364d139 |
\Windows\system\UrGzXYJ.exe
| MD5 | 8f512e81b951b00f5d246f9eb81fba84 |
| SHA1 | 300e494ab3115d80bc2fdfe4707af1ba8758c664 |
| SHA256 | 7c7843c264b6f24eb55c4ff51a526f76bcb35f99867363737fc7c15fb921613e |
| SHA512 | 99d584ed25c20962c55f43918d8762c884d85b0c5790883d965fb91c362254b3a50876a93594c73124a0ade70bf86aba969317b22736f0c7445e333fb1c7ed44 |
\Windows\system\gBzxhlJ.exe
| MD5 | 11f4e2b53f1dfe769e7f36003192a29e |
| SHA1 | 5e0f986ec279b1d73574a17ac55ef3ff18008561 |
| SHA256 | 33d920e7191edd3144c4c9577a3e4a900acc84dc10d2082c71deabfae3f225d4 |
| SHA512 | b7c695f497a42de00c0ac5ddc69cfaa09a9ea24da0805fbb96d76151ac508a0b32b01ab2871844ea0d162673e8a768ef948513f86f7f320fb0eeeb24555855af |
C:\Windows\system\jjqJTZt.exe
| MD5 | 386e21ed08ad6ea65e0c4fd0d71bcc89 |
| SHA1 | ff40c78b6a9a4b10583ae73584d0b1df5b07eec3 |
| SHA256 | 244027ae4859d906ac9b6a7ba1816d4b543c0b319d76df8bf16e6d0c826fc246 |
| SHA512 | 6375c58301c18b3ae23a22b6793f2d0745feee06107769f0fcbdaa1c7c436cddd8df96ac637af810a87f76d7150d7c77510abb71c34fca0f419cf23f41f9ab4a |
C:\Windows\system\PebxNfs.exe
| MD5 | 4c1ca2f3218882be36aecae98274ef07 |
| SHA1 | 999620ef11221658ec04732efb897d6429d6d4a5 |
| SHA256 | b8a8be9f648d0ed0d29a21d1ef4ec8b4f36874813f087a83c5351de8aead2c88 |
| SHA512 | 0122f136ba4efe7559d6893ffd2d1dffe590c5a8e0f6286791db3ec5f7e4f584136031f9ccadf01e53bb9faee78639b02fd6b4ed3f4496877db44c6824060252 |
C:\Windows\system\PiVFsRg.exe
| MD5 | 17749cbe0be35298386793058fd8b7c6 |
| SHA1 | 8e78a3c4c9951c5e242fa3e6a6d1b27cbcad0df4 |
| SHA256 | 7d416ae913167ab64a8effee84336b4bfd1bb69f056f59d9c63f08ee70305f64 |
| SHA512 | 4060dbdef16a4b1c1daf927061fae3e35c69d1169c50c0c233c5e9b6378d9f126b95068986b270b816d131795196eade8a7b4580f86c838c9a8698039e1a9629 |
\Windows\system\LMKnYUz.exe
| MD5 | 62d06c8678afb4ea9aaab3dadc931aab |
| SHA1 | 72bb386cf5d8b08818ad86990270993fba410314 |
| SHA256 | 668ee1ce76eda9d3dc5a1439266b747101766b11f901bf9a7bbba118ff312018 |
| SHA512 | 0d851eee759aac7ec4a2ced78ce56e02c1ca72df5562478ef6fc7b96d6aa3d97835400a131076d4e4ca93394cef60fa2870ddd3aa523fbed438f2175865d8ab1 |
C:\Windows\system\hhEGjdy.exe
| MD5 | 212b38c6bbb6eacb39df0c1bf13b55d0 |
| SHA1 | ac6d4861eb4ea1040638e34db54b431d44281e4d |
| SHA256 | f891b1b268ad41e0fb3607e909bee04e6be6c81258cef635b0ee5e5bfbd4cc8c |
| SHA512 | 68467d8d2a7af9460f6f3d4d2462ee238fcf516a9e45253571b69f19ea5f34c2e06a3e95814390ec9e9d2f87afad3322b9d693e7f3a39ed19eb0dbfe6299a655 |
C:\Windows\system\HYGsSap.exe
| MD5 | 8316d07967304388ba63e05c1a36cda3 |
| SHA1 | 409dcfe6b696040084bea7c988ac2fc858f6d3a9 |
| SHA256 | 05db63b2994e06bba477940aef82865dae03a3162295c34a3ec1f54540061092 |
| SHA512 | df0c2f28f7f0118ba26962d198e51143d2f8c5b16fb8ab82d8196681771640a5eac1891561a0f4525d4f56fe88a40a98d4c4f81a155b9ae15d07275fd882b1dd |
\Windows\system\vbfGWoA.exe
| MD5 | 199e82d3ecee840e5b1e24aa1d4a65de |
| SHA1 | 10e001f84a72fe011dda92edda7cda3705c26cd3 |
| SHA256 | 8c5ed86738e2ad230990ea632129646c574e066d629116f86dfa5d48c638a8c1 |
| SHA512 | 9726cd954e8c8eab48ff6f0cf63af159b0e11180b15795b561abc93996c111896bb404bd1f9a534f84e62aace8d769024103054f67fa8de6d98ebc5abfa73b5d |
\Windows\system\NtwUCkw.exe
| MD5 | 52ae4b6dd4f8e570ea9d5345e4267a6e |
| SHA1 | b075bfa919cdffbeb4d45f8ebd3473745c90a548 |
| SHA256 | 7ca9bd19daa28e9bd57bf4bb54d250951c47f98dcc6307f715e8d09c3151412b |
| SHA512 | 1748f24256ac7a32d55ebfa069231d400e4c2c6fcfc4f571cdc0f95d88f8c43ee55b2e8191568bc9f120a78addaeb2bc2a4ad8c6d7e829641902dececb6257b5 |
C:\Windows\system\skmpPLz.exe
| MD5 | cca4361e561f3313ad8df4125c1cc024 |
| SHA1 | e81748e430f0ec6d95ae3d5041a74439b19ec17a |
| SHA256 | d6054165207a82e1e118364843594b500497315f542fe8ac774a4caad04cf8fd |
| SHA512 | 99bd04ffa3a4818c73f74e5a80156ff6b0cacb1fbc9565ac001a428cb1ac8a03a27d227748fb7ca6e61c46438e9fa863a1a382f3319e27634e30b58f6ff94f7f |
\Windows\system\NIEsfgM.exe
| MD5 | 49054d0cb25c2173cde387aa2d876d11 |
| SHA1 | 98e1ddba9d996b3de8c7388c0c3e4d029b777b72 |
| SHA256 | de39a2d3f0667d8830aecc1fe1caa364947ed49d254c99970cf3b3d58cc1d684 |
| SHA512 | 3da48309b48e7b8daf6d22c5c978dd3f3201981b8b0e9d14f65a66f271e677fb3ad0377ad078521105c7f86feb2fb905cce3599a2492ecd488d1fb30d77f0116 |
\Windows\system\wwlKWFK.exe
| MD5 | ccf2072afdd666349c7a5470951a86e0 |
| SHA1 | 09d5c9be7ee46c59da268a78f2c6bb797310a98e |
| SHA256 | 12a9a2b4d87bd776011cc6d58da190b5656cd09b0ca448a7cd7dba3881de5ec6 |
| SHA512 | 8eee66b2560aa52bc0dc3b793ef9bbdb6f63874ad6ab2c4990ca6afcbb03b6b651d2a18de7cd3a57a48bb7faa6482958b1e833c3eed22f9a6b4e6df30b7300a4 |
C:\Windows\system\JMWUmev.exe
| MD5 | a4b0a880151d24ab8004cd072b6551ce |
| SHA1 | 7f5c77750e62921f6877d51fbf88f7df64b77ac0 |
| SHA256 | 7126300f2a8572ead04245c15d1ae249ff30be416849c96919a2f2cfb12ef55f |
| SHA512 | daa6361529f4eb127847b49ac8c441de9d8d5ee84241b7b951df5096480551446d84249d92a94b996f8589bdf69fe49097766091b42fd95fd68537e2ade9853b |
\Windows\system\xFSXunD.exe
| MD5 | 9f135d16b62bc068c7c1cb82f8e80740 |
| SHA1 | 7b18ced1bb904cceb18e65e3557b7d8d18b24774 |
| SHA256 | d48ad0d1a570d6707c0a44260fbae8b6fb06aed7d810e57c1f214fe46f4b919f |
| SHA512 | 18489db84b19111f0d8db5c28e614b9aa2e92bdb37c998bd7ac429a3c076f139af16858ed6fe1ad981f6ccdab2e19c1806c0af83435d18ebbfc32c140bbd353d |
C:\Windows\system\krjnZZN.exe
| MD5 | 48c08412a84c439194515dd3e800b2ca |
| SHA1 | aaec3de3bc519b1265f05d4bbd972098d4c5a0cb |
| SHA256 | 233adfae46f0b3ed2b2d160f164056781be18f8a780e5f62f4f7b3520837780e |
| SHA512 | 4bad19dad39d849efb2ea38a0cdd9afa09b10298db6dc19dcc7a5014652ef99d44205c145cf6abb601e415b5774ae112c7afadc76106b9d431d4a36688a7521e |
C:\Windows\system\hRTdNUb.exe
| MD5 | 2c0de3a6766dd05dd94eba3682507b33 |
| SHA1 | ab953e1f03acf897637b23b1b9cdd4fbffc16047 |
| SHA256 | 35ff3b846c11913bf41c80cd88448feb46596204c6fd32e91ee11a8647c054b6 |
| SHA512 | ab2b407047df32b57c8b8afac7aa910fa3777737417c0e13535bafb5d8f6ed53c17e193ff550dad9e0d02453e2be21ba86b6af1b74bef94b952a5c6feaa3ce4a |
C:\Windows\system\TFaaLOh.exe
| MD5 | 56b55e5f0c1f98c939d3bbe210cc4683 |
| SHA1 | 8fcc92e30be4271482b814d6bc2113e232d07ce6 |
| SHA256 | 65ffd7002d671d517e58f0c17c078ec18971d807cd3df6d8644e3ee503293cf5 |
| SHA512 | a614785a511cff19873439829b90ab929f084860a224f09a55cc120d35bf714af129170eed405138f9d5a477f0220e590c00bab982e66f0c29c1b28098776fb9 |
C:\Windows\system\qhkvjXQ.exe
| MD5 | eb6920c560d0ade2a115d34015efd85a |
| SHA1 | c7bebe4f7a236d2918862d4203909ef26a5192ed |
| SHA256 | 9b0a3ceff7fbfcf526ff741f87897a0456d347969da27b6169b1a4bb644cdf44 |
| SHA512 | 8889c72a6bac557523d5194add122595ecf8ed928f91ef51d91c82f73186de1e588ceee7814a3cf87f13f268a06418111988c40d166f572c346cd2f3e3d43aa6 |
C:\Windows\system\CmtdfJa.exe
| MD5 | 04803263de6a98ec8bdf94551c738ed6 |
| SHA1 | a012aeee601d22e3e90cb6af75bc2a8e3bde51bd |
| SHA256 | 741e0197fae9d26fcfca09f09ab25788bc170e6f5c2477c8dd1a056d470ae985 |
| SHA512 | 48f6701ff59e0d01fe89dfa3a79ae07ae97f93b685dac1a98214b566d334ae3a8aae787d547f7f750a0923c187861a4bcbe1daf92fbbe30a613fbf90a091ebb7 |