Analysis Overview
SHA256
4eaf306a8b4688e5b8989235c9f6287cde6e0ced04608df11cea649cb68836c6
Threat Level: Known bad
The file 2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
UPX dump on OEP (original entry point)
XMRig Miner payload
xmrig
Detects Reflective DLL injection artifacts
Xmrig family
Cobaltstrike
Cobalt Strike reflective loader
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-10 01:00
Signatures
Cobalt Strike reflective loader
1 hit, no description, indicator, process or target recorded.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 hit, no description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
1 hit, no description, indicator, process or target recorded.
XMRig Miner payload
1 hit, no description, indicator, process or target recorded.
Xmrig family
UPX packed file
1 hit, no description, indicator, process or target recorded.
Unsigned PE
1 hit, no description, indicator, process or target recorded.
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 01:00
Reported
2024-06-10 01:02
Platform
win7-20240508-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits, none with a recorded description, indicator, process or target.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits, none with a recorded description, indicator, process or target.
UPX dump on OEP (original entry point)
56 hits, none with a recorded description, indicator, process or target.
XMRig Miner payload
57 hits, none with a recorded description, indicator, process or target.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ssydZOo.exe | N/A |
| N/A | N/A | C:\Windows\System\DBJrkgj.exe | N/A |
| N/A | N/A | C:\Windows\System\ByvVqGZ.exe | N/A |
| N/A | N/A | C:\Windows\System\EWDVPEa.exe | N/A |
| N/A | N/A | C:\Windows\System\xHyjyIb.exe | N/A |
| N/A | N/A | C:\Windows\System\VsMTImi.exe | N/A |
| N/A | N/A | C:\Windows\System\RZlwRsI.exe | N/A |
| N/A | N/A | C:\Windows\System\BzlFonk.exe | N/A |
| N/A | N/A | C:\Windows\System\HiZDbEu.exe | N/A |
| N/A | N/A | C:\Windows\System\FNGGQSJ.exe | N/A |
| N/A | N/A | C:\Windows\System\KPKQety.exe | N/A |
| N/A | N/A | C:\Windows\System\qtKCuFI.exe | N/A |
| N/A | N/A | C:\Windows\System\jiHcTlI.exe | N/A |
| N/A | N/A | C:\Windows\System\ezXDiok.exe | N/A |
| N/A | N/A | C:\Windows\System\VLyIBdm.exe | N/A |
| N/A | N/A | C:\Windows\System\iJkbyYG.exe | N/A |
| N/A | N/A | C:\Windows\System\fBKxEtW.exe | N/A |
| N/A | N/A | C:\Windows\System\xadsUhw.exe | N/A |
| N/A | N/A | C:\Windows\System\pfipOuZ.exe | N/A |
| N/A | N/A | C:\Windows\System\LdNvNXg.exe | N/A |
| N/A | N/A | C:\Windows\System\yAabasP.exe | N/A |
Loads dropped DLL
UPX packed file
56 hits, none with a recorded description, indicator, process or target.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ssydZOo.exe
C:\Windows\System\ssydZOo.exe
C:\Windows\System\DBJrkgj.exe
C:\Windows\System\DBJrkgj.exe
C:\Windows\System\ByvVqGZ.exe
C:\Windows\System\ByvVqGZ.exe
C:\Windows\System\EWDVPEa.exe
C:\Windows\System\EWDVPEa.exe
C:\Windows\System\xHyjyIb.exe
C:\Windows\System\xHyjyIb.exe
C:\Windows\System\VsMTImi.exe
C:\Windows\System\VsMTImi.exe
C:\Windows\System\RZlwRsI.exe
C:\Windows\System\RZlwRsI.exe
C:\Windows\System\BzlFonk.exe
C:\Windows\System\BzlFonk.exe
C:\Windows\System\HiZDbEu.exe
C:\Windows\System\HiZDbEu.exe
C:\Windows\System\FNGGQSJ.exe
C:\Windows\System\FNGGQSJ.exe
C:\Windows\System\KPKQety.exe
C:\Windows\System\KPKQety.exe
C:\Windows\System\qtKCuFI.exe
C:\Windows\System\qtKCuFI.exe
C:\Windows\System\jiHcTlI.exe
C:\Windows\System\jiHcTlI.exe
C:\Windows\System\ezXDiok.exe
C:\Windows\System\ezXDiok.exe
C:\Windows\System\VLyIBdm.exe
C:\Windows\System\VLyIBdm.exe
C:\Windows\System\iJkbyYG.exe
C:\Windows\System\iJkbyYG.exe
C:\Windows\System\fBKxEtW.exe
C:\Windows\System\fBKxEtW.exe
C:\Windows\System\xadsUhw.exe
C:\Windows\System\xadsUhw.exe
C:\Windows\System\pfipOuZ.exe
C:\Windows\System\pfipOuZ.exe
C:\Windows\System\LdNvNXg.exe
C:\Windows\System\LdNvNXg.exe
C:\Windows\System\yAabasP.exe
C:\Windows\System\yAabasP.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
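The process tree and network table above, written out as detection logic. This is an added example, not part of the sandbox report and not any vendor's rule set: the event records are constructed, and the Sysmon field names, PIDs and parent links are assumptions, while the drop directory, the seven-letter file naming and the 3.120.209.58:8080 endpoint are taken from the report.

```python
r"""Added example, not part of the sandbox report: detection logic for the
behaviour recorded in the behavioral1/behavioral2 runs, applied to Sysmon-style
events (ID 1 process create, ID 11 file create, ID 3 network connect).

Rules taken from the report:
  * a process running from %TEMP% writes an .exe into C:\Windows\System
  * a seven-letter random-named .exe is executed from C:\Windows\System
  * any process connects to the observed endpoint 3.120.209.58:8080
  * one parent launches many such children (the detonation shows 21)
SAMPLE_EVENTS is constructed for the example; field names follow Sysmon's
schema, the PIDs and parent links are illustrative, the paths are the report's.
"""
from __future__ import annotations

import re
from collections import Counter
from typing import Iterable

DROPPED_EXE_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
C2_ENDPOINTS = {("3.120.209.58", 8080)}  # Network tables in both runs

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a"
           r"_cobalt-strike_cobaltstrike.exe")
SYSTEM = r"C:\Windows\System"

# Constructed sample: the dropper writes and starts three of the 21 payloads,
# one payload beacons to the C2; notepad and a DNS lookup are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2576, "ParentProcessId": 1400, "Image": DROPPER,
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 2576, "Image": DROPPER, "TargetFilename": SYSTEM + r"\ssydZOo.exe"},
    {"EventID": 1, "ProcessId": 2152, "ParentProcessId": 2576, "Image": SYSTEM + r"\ssydZOo.exe",
     "ParentImage": DROPPER},
    {"EventID": 11, "ProcessId": 2576, "Image": DROPPER, "TargetFilename": SYSTEM + r"\DBJrkgj.exe"},
    {"EventID": 1, "ProcessId": 1220, "ParentProcessId": 2576, "Image": SYSTEM + r"\DBJrkgj.exe",
     "ParentImage": DROPPER},
    {"EventID": 11, "ProcessId": 2576, "Image": DROPPER, "TargetFilename": SYSTEM + r"\ByvVqGZ.exe"},
    {"EventID": 1, "ProcessId": 1180, "ParentProcessId": 2576, "Image": SYSTEM + r"\ByvVqGZ.exe",
     "ParentImage": DROPPER},
    {"EventID": 3, "ProcessId": 2152, "Image": SYSTEM + r"\ssydZOo.exe",
     "DestinationIp": "3.120.209.58", "DestinationPort": 8080, "Protocol": "tcp"},
    {"EventID": 1, "ProcessId": 3000, "ParentProcessId": 1400,
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessId": 3000, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 53, "Protocol": "udp"},
]


def detect(events: Iterable[dict]) -> list[dict]:
    """Return one alert per event that matches a single-event rule."""
    alerts: list[dict] = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if (eid == 11 and DROPPED_EXE_RE.match(ev.get("TargetFilename", ""))
                and TEMP_DIR_RE.match(image)):
            alerts.append({"rule": "temp_process_drops_into_windows_system",
                           "pid": ev["ProcessId"], "file": ev["TargetFilename"]})
        elif eid == 1 and DROPPED_EXE_RE.match(image):
            alerts.append({"rule": "random_name_exe_runs_from_windows_system",
                           "pid": ev["ProcessId"], "image": image})
        elif eid == 3 and (ev.get("DestinationIp"), ev.get("DestinationPort")) in C2_ENDPOINTS:
            alerts.append({"rule": "connection_to_known_c2", "pid": ev["ProcessId"],
                           "image": image,
                           "dst": f"{ev['DestinationIp']}:{ev['DestinationPort']}"})
    return alerts


def spawn_bursts(events: Iterable[dict], threshold: int = 3) -> dict[int, int]:
    """Parents that launched at least `threshold` random-named children from the
    Windows\\System directory. The detonation shows one dropper starting 21 of
    them; counting per parent catches the pattern even though the file names
    never repeat between runs."""
    counts = Counter(ev["ParentProcessId"] for ev in events
                     if ev.get("EventID") == 1 and DROPPED_EXE_RE.match(ev.get("Image", "")))
    return {pid: n for pid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print("spawn bursts:", spawn_bursts(SAMPLE_EVENTS))
```

Run it directly to print the seven alerts and the burst summary. Two caveats a practitioner would want: C:\Windows\System (not System32) is a legacy directory that normally receives no new executables, so the file-create rule is low-noise, but it should still be paired with the from-%TEMP% parent condition before it is used to block. The SeLockMemoryPrivilege adjustment recorded in the signatures above is the privilege XMRig requests to back RandomX with large pages; it is a useful corroborating signal (Windows security event 4703, token right adjusted) but too noisy to alert on alone, so it is not encoded here.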
Files
memory/2576-0-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2576-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\ssydZOo.exe
| MD5 | 328d6d193bc21f5089f92ad82e93f0fc |
| SHA1 | 575a5b53ec09a38e28f39c98885c63d4d4335003 |
| SHA256 | efdf2ff42216c32fe0a7c86e0e1790ff3d18c83e9191a726f4f4d155cafe6a52 |
| SHA512 | 9da1a3ab3c85bc281cf3aeb9de978cf2fac74fdaf5b14e6cb90f8bba4f392a5c9bdc251de7ddf012cb7c17f04d7171fdd131d15ffd1a0d233b0a608f1cc6d744 |
\Windows\system\DBJrkgj.exe
| MD5 | b61144a591dc5935b292b52e11ea4beb |
| SHA1 | 493b48003dae6811678c52251fb3092258f1fb0a |
| SHA256 | 61adeff04079b166fee83eb25fe3268008c93579b49444ceb2af04ee696800ad |
| SHA512 | f54135054422f2370d2ace65a73b363076702813d19ca57d1b7a7dd0ca5eb72577af929b0a34557b82f0a6e5b48fd67a845b0f8b075b9761f019d0621a3a6e2e |
memory/1220-15-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2152-14-0x000000013F220000-0x000000013F574000-memory.dmp
memory/2576-12-0x000000013F220000-0x000000013F574000-memory.dmp
C:\Windows\system\ByvVqGZ.exe
| MD5 | 8a010a0659226a6e923c45c4a3c92aad |
| SHA1 | 68b25daf689af7ff1de2e0a3647a5d8119748acb |
| SHA256 | f946fa3c6022c13340c563b50c30e3e993d894fee4af88dc7b2b6fb4683f395f |
| SHA512 | 48f33fb19929a96225cadd98ba85ac33c63400a27ab681484b644ef47431c29b81d26b0749212307c68d4c51838ea3ad72188357ace911fcc4097bc6dceb5109 |
C:\Windows\system\xHyjyIb.exe
| MD5 | 00b24965487368678135a26b97f09519 |
| SHA1 | 83aeca90850e1783d2147ac9d6bf6f5d32deffcd |
| SHA256 | 3c1b1857890888d422507684ee8bce805c21f207417c8707f69b93eb2bce6414 |
| SHA512 | 428e08ea54756ac43f55d0b1dba9dc02d31a298c46f1986f728384c62bc4a7eae63f9a89f1ee9754fcbe03a4d70f4a94e41c16fc47a6c538d964011b0acfc05f |
memory/2576-27-0x0000000002270000-0x00000000025C4000-memory.dmp
\Windows\system\VsMTImi.exe
| MD5 | 2aa72be440c0224d945e338232661504 |
| SHA1 | 05c9a07f76220c800baed91d59897249fbad04a8 |
| SHA256 | c8a371478f7832088c106afb390fceea5d7769e86c934e8291d1a724e6c23556 |
| SHA512 | 96c37287d8b8b5b1bb15dd4facdc2a4b74de4e788bda1e21467ca3d634b5e77ca71ddaaa1da2df256174d50d371c79532f8ab6465f0eee064dae4af227e7f1ad |
memory/2684-61-0x000000013FD90000-0x00000001400E4000-memory.dmp
C:\Windows\system\BzlFonk.exe
| MD5 | c29e44f38bb264d0fffc87e0f8b321b0 |
| SHA1 | cdbb47923edd8e5b4b1f63d269853f121bb8faed |
| SHA256 | fc8d7e7456f46933f5c7f943fdd03480d38f701466843b90c69f5267684642ea |
| SHA512 | 157deed46804ed7989582f9650a6dbd1b19026abd44608db9177a401c1667b09c741322a37d40b28b1939e30b5b0ae190bf478e0be1d8b14d780cf1a23558af8 |
memory/2192-78-0x000000013F590000-0x000000013F8E4000-memory.dmp
C:\Windows\system\ezXDiok.exe
| MD5 | 55870c7f111ba611e02f2eddec7b8ec5 |
| SHA1 | fb70993bada754d964c873a26f403b8cd7961f4e |
| SHA256 | cae93ae28553e95be7836406469ed25d3fdbe03b67d6484810bd8e0b2f6d4fa0 |
| SHA512 | 6109d3b5de74f9d41b0eb846d4df6598e19d334a7dd2d27ef5595e58d648591755211540867dd9c949122795ab08d914723d5ba6c40e57a2357899a803054898 |
\Windows\system\iJkbyYG.exe
| MD5 | 79e53b687d1079dbcd81cfebd9fae6aa |
| SHA1 | ab69a4b5c7759f62dcefbcc85094fb985b0fc625 |
| SHA256 | cec586d2b86e88aee5d46d6c828c198add68ee67986af89056c97fc3380720e6 |
| SHA512 | 6bdb20519772ac156568780f48b854d0a4c7da9083799a9507850251876ae91165d400779d9336874f6a0b9a97e2602355045ed11c9d1b436622f336535980fe |
C:\Windows\system\yAabasP.exe
| MD5 | a3e6616d5ceb2a256e0f624c27152d94 |
| SHA1 | 5642351dce30e501529634ebe260acb4cbe64cc1 |
| SHA256 | 87b07986a940f19d25564008ad2b5159c42d01baf42a9572fbd43350dfd8ee9a |
| SHA512 | 0c25c59651fd37e3ca164b092712aadbfe0013995de5a649ef6fc78533c5c92236253f5ceda7b98fb13f5d0d3b365f7d124fd7f7ff06bdca59b7229916e232ea |
C:\Windows\system\LdNvNXg.exe
| MD5 | 6efa1f99959e22e06372ac2cf6b1916e |
| SHA1 | f898b6ba298060372276c90845a84a95128d26cb |
| SHA256 | bf796935ab34729b8045c7a7684b53ecdefe0232588b64fc5b00e1534d3ec73a |
| SHA512 | 5e9cb15dc89d21abb34eb2bd48df702bad4c961aa44bcdd4e3668846ff6c819131cf9bcebfaa74630ec8f2af0b566c1b4287a2d74215874eb21fef8d90bb8543 |
C:\Windows\system\xadsUhw.exe
| MD5 | fd7945ba89193d5d414b3b7c9d474acd |
| SHA1 | 6bbb3471ae656765f2de3950cf04c12019fcfe0d |
| SHA256 | 879f08b43d6f8ad3374ab93e98a7dbe0561d49975abd1c5f929339daffd524ad |
| SHA512 | 0d4e3b39c98f0195620c61613e54277fac5db65cee4b5f65c2947e5940b0ce1fd42c79caa9c4a4ae9786f58b23e95dda78c7773ca7ff018e65a3cd508403bc83 |
C:\Windows\system\pfipOuZ.exe
| MD5 | cde11d0be2687d25dfc42480a3c4e04b |
| SHA1 | dd284567ff04a8192c067c1aa7102bfc8b8f8295 |
| SHA256 | 9243744c8ddc26071e84701fe8db53553ff6f091748b6449954a4f3681199c4a |
| SHA512 | 3a8dcdba6efe939900b188e85725a0c8be33a47e4846036a6b50c80e2bf1e613e14f20d4dd17fc2c4bddb01457c61ad8f96a6a9b5b6788382cba6374ee991cf9 |
C:\Windows\system\fBKxEtW.exe
| MD5 | d2c46ed1507e99855a0923efb7f240e7 |
| SHA1 | 2c0e758bb78dd47f1b24c702f947061351a4e2ba |
| SHA256 | 8f37eec8a5cd0b5e84bc12a0fc56ba3bd3ffe8a6b979f52d28e463ac8557228a |
| SHA512 | 440031a698cc04b21e69246064963a1af238bf8057017c7a196b3e2a5a11b1fe51f06639228d83e602b2f3cd100634ad370e9590ddc1c39c25ada9d9523d7b30 |
memory/2576-106-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/2616-137-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2812-101-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/2576-100-0x0000000002270000-0x00000000025C4000-memory.dmp
C:\Windows\system\VLyIBdm.exe
| MD5 | b35cb72e09688d7ca0c99d282f1bfcc5 |
| SHA1 | c97f43f840142652b0fcc6ec3bac25fdb491ea89 |
| SHA256 | 42f6a3ab67eaa84426582c02de973af380dc187268005cccd8acea8a479d731e |
| SHA512 | 3cb4d20ab4acdc2f2600012fa683d115ab87e2874f43041c3dae71ffb930122fd348d3d1c376f4406aa07acc4fed9799dee30234890fb3224abf640c33323485 |
memory/2560-94-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2576-93-0x0000000002270000-0x00000000025C4000-memory.dmp
memory/2592-92-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/1180-91-0x000000013F560000-0x000000013F8B4000-memory.dmp
C:\Windows\system\jiHcTlI.exe
| MD5 | b97c239293c30d40ccf5616a346cc26a |
| SHA1 | ccbfa0dae0365a45ba2564dd270eb5653c72f8ca |
| SHA256 | b60988f664a8698a2788c3fe2311b8eb4c7c65a39c09fed94db6aa87aee3f367 |
| SHA512 | 40874d848dd25e56692ef402f846eb21b0ecfb63ff667217590c60e571f8786a82509ebbe5a9a18d7297ebf9dfdf01c56cbf886dbef0b33f3b22b487fe155079 |
memory/2256-85-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2576-84-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
C:\Windows\system\qtKCuFI.exe
| MD5 | eb5b2dcdbbd994ca1af69ad7e0e39b33 |
| SHA1 | c5ed281fef66a60f9d8a47ece967917740789587 |
| SHA256 | 495ad6c9e1437b461ecf2c5e92fcf998d01985da682f0ad4068c682bf6acd72f |
| SHA512 | 83d01f23485353e0e4555d19cc79168b50f84b697cfe602058f7410b829b7a6149f762fd963febeb4b02ead011131f9ba12faae9939d78cdc5dbae9589968da8 |
memory/2152-77-0x000000013F220000-0x000000013F574000-memory.dmp
C:\Windows\system\KPKQety.exe
| MD5 | d9337cfd29375c9f56f72ac2b53136de |
| SHA1 | ec3b0905f1c2c887db6f2ac1be053b190ed496ff |
| SHA256 | be25739053412942b5fd804288794eb582891f8a78018f1e726dc7af4a5cd211 |
| SHA512 | 827af2cc8761ac15cc5e126574217c305683226df2d78448ed50fe8308adf83458c8ccc4739cdb0ef5fb96254a6acc1a7b212720110169be85033fcd5a47b659 |
memory/2504-71-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2576-70-0x000000013F8F0000-0x000000013FC44000-memory.dmp
C:\Windows\system\FNGGQSJ.exe
| MD5 | 9b993a2f66c76122f00d4fd31fe8f091 |
| SHA1 | fe29f527456c64481694384a0be5634d73b87586 |
| SHA256 | 565a10a842c7f417c0f62146ce7f576c39d4e101aa04ad14321b6d3459195688 |
| SHA512 | 6410acc9a5fddfa8811447ecdf922b2a83352643cba46341263eda74734d862c535323319e5d1f15e9bb281b2d9132549d98fdd84db7f28247385c299939dd00 |
memory/2180-63-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2576-62-0x000000013F030000-0x000000013F384000-memory.dmp
C:\Windows\system\HiZDbEu.exe
| MD5 | 924545f1f4f1aaf7c62a2ecbbdd0a72f |
| SHA1 | 850ac3d6734053b69bb6942ab54db805b997e5fb |
| SHA256 | 98293a249162a38262068d49a6ce93c63e868232a1adceb46d77367d504bc501 |
| SHA512 | a4fde131ad371048b7fa86219d938055d06eeb9f78ea026d9d18961c8b2fd90ffce6d5575abda8a04b3e15cddbb391608445122c93dffd35aee4ff2304549903 |
memory/2576-59-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/2868-50-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2576-49-0x000000013FD60000-0x00000001400B4000-memory.dmp
C:\Windows\system\RZlwRsI.exe
| MD5 | e34ddb39c569a92013236e7901b5bab5 |
| SHA1 | f95c6c35242c71f1f273027f924ce2da1f41f8df |
| SHA256 | 71c65dbaa7444c8d2da672104c4352d0ed8acd1be9efcdcf195c9b8fd5857e51 |
| SHA512 | 04a22a3fcf545fe8f73b1a2c014e3f9f14cad1171a562e992a5437a7edea33981de60d3fe370bac437ee1c0c155b726228ec02efc828919bd613de675397e27d |
memory/2616-41-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2576-39-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2728-38-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/2576-37-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/2592-28-0x000000013F910000-0x000000013FC64000-memory.dmp
C:\Windows\system\EWDVPEa.exe
| MD5 | 3a6e2467dcdc80756290176c9f380d03 |
| SHA1 | 332c1271c04429c7cfd0a4526ed6565c1b42189d |
| SHA256 | d114337a7bcceb67a44db29bc4e34956a1a6f3f924a0029d8327d3d0b696d4c1 |
| SHA512 | 9f7b34e34452ae945c44835bab4c8ad68fb62a20eb7ad3a08df58fa7bf2c63c03dbfaae4aeb1c29cc00e082c9d44003dac082bcc1fcc35b2acde5f60a1142fc9 |
memory/1180-22-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/2576-20-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/2180-138-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2576-139-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2576-140-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2576-141-0x0000000002270000-0x00000000025C4000-memory.dmp
memory/2576-142-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/1220-143-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2152-144-0x000000013F220000-0x000000013F574000-memory.dmp
memory/1180-145-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/2728-147-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/2592-146-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2868-148-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2616-149-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2684-150-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/2180-151-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2504-152-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2192-153-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2256-154-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2560-155-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2812-156-0x000000013F8D0000-0x000000013FC24000-memory.dmp
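The Files section above is the IOC material of this report, but it has to be read carefully: the dropped executables carry different names and different hashes in the behavioral1 and behavioral2 runs, so the hash set from one detonation does not cover the next. The following added example (not part of the sandbox report) parses the report's file/hash layout into an IOC set and sweeps a host inventory against it, reporting hash hits and path-only hits separately. REPORT_EXCERPT is copied verbatim from the behavioral1 Files section (three of the 21 files); HOST_INVENTORY is constructed, and the regexes are assumptions about this report layout.

```python
r"""Added example, not part of the sandbox report: parse the Files section of a
report in this layout into an IOC set and sweep a host file inventory against it.

REPORT_EXCERPT is copied verbatim from the behavioral1 Files section (three of
the 21 dropped executables); the memory-dump lines are left in to show that they
are skipped. HOST_INVENTORY is constructed: (path, sha256) pairs as a hash sweep
of a suspect machine might produce them.
"""
from __future__ import annotations

import re
from typing import Iterable

REPORT_EXCERPT = r"""
memory/2576-0-0x000000013F8F0000-0x000000013FC44000-memory.dmp
\Windows\system\ssydZOo.exe
| MD5 | 328d6d193bc21f5089f92ad82e93f0fc |
| SHA1 | 575a5b53ec09a38e28f39c98885c63d4d4335003 |
| SHA256 | efdf2ff42216c32fe0a7c86e0e1790ff3d18c83e9191a726f4f4d155cafe6a52 |
| SHA512 | 9da1a3ab3c85bc281cf3aeb9de978cf2fac74fdaf5b14e6cb90f8bba4f392a5c9bdc251de7ddf012cb7c17f04d7171fdd131d15ffd1a0d233b0a608f1cc6d744 |
\Windows\system\DBJrkgj.exe
| MD5 | b61144a591dc5935b292b52e11ea4beb |
| SHA1 | 493b48003dae6811678c52251fb3092258f1fb0a |
| SHA256 | 61adeff04079b166fee83eb25fe3268008c93579b49444ceb2af04ee696800ad |
| SHA512 | f54135054422f2370d2ace65a73b363076702813d19ca57d1b7a7dd0ca5eb72577af929b0a34557b82f0a6e5b48fd67a845b0f8b075b9761f019d0621a3a6e2e |
memory/1220-15-0x000000013F620000-0x000000013F974000-memory.dmp
C:\Windows\system\ByvVqGZ.exe
| MD5 | 8a010a0659226a6e923c45c4a3c92aad |
| SHA1 | 68b25daf689af7ff1de2e0a3647a5d8119748acb |
| SHA256 | f946fa3c6022c13340c563b50c30e3e993d894fee4af88dc7b2b6fb4683f395f |
| SHA512 | 48f33fb19929a96225cadd98ba85ac33c63400a27ab681484b644ef47431c29b81d26b0749212307c68d4c51838ea3ad72188357ace911fcc4097bc6dceb5109 |
"""

# Assumed layout: a path line (with or without a drive letter) followed by one
# "| ALGO | hex |" row per hash; "memory/..." dump entries are interleaved.
HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
FILE_LINE_RE = re.compile(r"^(?:[A-Za-z]:)?\\.+")
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def normalize_path(path: str) -> str:
    """Drop the drive letter and lower-case, so the report's mixed
    '\\Windows\\system\\x.exe' and 'C:\\Windows\\system\\x.exe' forms compare equal."""
    return re.sub(r"^[A-Za-z]:", "", path.strip()).lower()


def parse_files_section(text: str) -> dict[str, dict[str, str]]:
    """Map each dropped-file path to its hash table.

    Hash values are checked against the expected hex length so a truncated or
    mangled report line is rejected instead of silently becoming a bad indicator.
    """
    iocs: dict[str, dict[str, str]] = {}
    current_path = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_ROW_RE.match(line)
        if m:
            algo, value = m.group(1), m.group(2).lower()
            if current_path is None:
                raise ValueError(f"hash row before any file path: {line}")
            if len(value) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} for {current_path} has length {len(value)}")
            iocs[current_path][algo] = value
        elif FILE_LINE_RE.match(line):
            current_path = normalize_path(line)
            iocs.setdefault(current_path, {})
    return iocs


def sweep(inventory: Iterable[tuple[str, str]], iocs: dict[str, dict[str, str]]) -> list[dict]:
    """Match (path, sha256) pairs from a host against the IOC set.

    A hash hit is reported wherever the file sits, since the dropper uses a fresh
    random name on every run; a path hit without a hash hit is reported too, so a
    re-packed payload planted under a known name still surfaces.
    """
    by_sha256 = {h["SHA256"]: p for p, h in iocs.items() if "SHA256" in h}
    hits = []
    for path, sha256 in inventory:
        sha256 = sha256.lower()
        npath = normalize_path(path)
        if sha256 in by_sha256:
            hits.append({"path": path, "match": "sha256", "report_path": by_sha256[sha256]})
        elif npath in iocs:
            hits.append({"path": path, "match": "path_only", "report_path": npath})
    return hits


# Constructed host inventory: an exact hit, the DBJrkgj.exe bytes under another
# name, a known path holding different bytes (hash made up), and a benign file.
HOST_INVENTORY = [
    (r"C:\Windows\System\ssydZOo.exe", "efdf2ff42216c32fe0a7c86e0e1790ff3d18c83e9191a726f4f4d155cafe6a52"),
    (r"C:\Users\Admin\Downloads\update.exe", "61ADEFF04079B166FEE83EB25FE3268008C93579B49444CEB2AF04EE696800AD"),
    (r"C:\Windows\System\ByvVqGZ.exe", "0" * 64),
    (r"C:\Windows\System32\notepad.exe", "1" * 64),
]

if __name__ == "__main__":
    for hit in sweep(HOST_INVENTORY, parse_files_section(REPORT_EXCERPT)):
        print(hit)
```

Because the per-run hashes are disposable, the durable indicators from this report are the drop directory with its seven-letter names, the dropper's own SHA256 at the top of the page, and the 3.120.209.58:8080 endpoint; the hash sweep is for confirming a specific run on a specific host.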
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 01:00
Reported
2024-06-10 01:02
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits, none with a recorded description, indicator, process or target.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits, none with a recorded description, indicator, process or target.
UPX dump on OEP (original entry point)
64 hits, none with a recorded description, indicator, process or target.
XMRig Miner payload
64 hits, none with a recorded description, indicator, process or target.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\vUaJjph.exe | N/A |
| N/A | N/A | C:\Windows\System\XkDrmHY.exe | N/A |
| N/A | N/A | C:\Windows\System\kpWAzQc.exe | N/A |
| N/A | N/A | C:\Windows\System\mehfkgU.exe | N/A |
| N/A | N/A | C:\Windows\System\NiveUhW.exe | N/A |
| N/A | N/A | C:\Windows\System\YBqHWTv.exe | N/A |
| N/A | N/A | C:\Windows\System\aKagJaS.exe | N/A |
| N/A | N/A | C:\Windows\System\TOWJlpF.exe | N/A |
| N/A | N/A | C:\Windows\System\JSRSIWw.exe | N/A |
| N/A | N/A | C:\Windows\System\ZnPORWm.exe | N/A |
| N/A | N/A | C:\Windows\System\ojqoZot.exe | N/A |
| N/A | N/A | C:\Windows\System\qLGlanq.exe | N/A |
| N/A | N/A | C:\Windows\System\pqgnnqu.exe | N/A |
| N/A | N/A | C:\Windows\System\GMcioTy.exe | N/A |
| N/A | N/A | C:\Windows\System\MjjFwsW.exe | N/A |
| N/A | N/A | C:\Windows\System\rhYnOHA.exe | N/A |
| N/A | N/A | C:\Windows\System\oKYoaPJ.exe | N/A |
| N/A | N/A | C:\Windows\System\uWHscGB.exe | N/A |
| N/A | N/A | C:\Windows\System\aEjCMVy.exe | N/A |
| N/A | N/A | C:\Windows\System\aNvZCTk.exe | N/A |
| N/A | N/A | C:\Windows\System\KtiqiDg.exe | N/A |
UPX packed file
64 hits, none with a recorded description, indicator, process or target.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\vUaJjph.exe
C:\Windows\System\vUaJjph.exe
C:\Windows\System\XkDrmHY.exe
C:\Windows\System\XkDrmHY.exe
C:\Windows\System\kpWAzQc.exe
C:\Windows\System\kpWAzQc.exe
C:\Windows\System\mehfkgU.exe
C:\Windows\System\mehfkgU.exe
C:\Windows\System\NiveUhW.exe
C:\Windows\System\NiveUhW.exe
C:\Windows\System\YBqHWTv.exe
C:\Windows\System\YBqHWTv.exe
C:\Windows\System\aKagJaS.exe
C:\Windows\System\aKagJaS.exe
C:\Windows\System\TOWJlpF.exe
C:\Windows\System\TOWJlpF.exe
C:\Windows\System\JSRSIWw.exe
C:\Windows\System\JSRSIWw.exe
C:\Windows\System\ZnPORWm.exe
C:\Windows\System\ZnPORWm.exe
C:\Windows\System\ojqoZot.exe
C:\Windows\System\ojqoZot.exe
C:\Windows\System\qLGlanq.exe
C:\Windows\System\qLGlanq.exe
C:\Windows\System\pqgnnqu.exe
C:\Windows\System\pqgnnqu.exe
C:\Windows\System\GMcioTy.exe
C:\Windows\System\GMcioTy.exe
C:\Windows\System\MjjFwsW.exe
C:\Windows\System\MjjFwsW.exe
C:\Windows\System\rhYnOHA.exe
C:\Windows\System\rhYnOHA.exe
C:\Windows\System\oKYoaPJ.exe
C:\Windows\System\oKYoaPJ.exe
C:\Windows\System\uWHscGB.exe
C:\Windows\System\uWHscGB.exe
C:\Windows\System\aEjCMVy.exe
C:\Windows\System\aEjCMVy.exe
C:\Windows\System\aNvZCTk.exe
C:\Windows\System\aNvZCTk.exe
C:\Windows\System\KtiqiDg.exe
C:\Windows\System\KtiqiDg.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
memory/4812-0-0x00007FF7CEFE0000-0x00007FF7CF334000-memory.dmp
memory/4812-1-0x00000150DA710000-0x00000150DA720000-memory.dmp
C:\Windows\System\vUaJjph.exe
| MD5 | e1e3f0424ca65c007cf1437d14e3286f |
| SHA1 | 139882ef7b0399a5b4f1566af22b40796f38cb19 |
| SHA256 | 85bc0e57730a335d6adb7de370acd084efcbc38accd54ee8f3a73ee5ceb5135b |
| SHA512 | aff670619ff747c2750cbee2df674d6e1df56731a7b6a9b1fc0952a378ab67a332d4f6993d072d492d0ea35f85d84c9c2f592b2e64cbe5ce4ca7358db41f230e |
memory/4076-8-0x00007FF6FCE70000-0x00007FF6FD1C4000-memory.dmp
C:\Windows\System\XkDrmHY.exe
| MD5 | 0f4faf0ff85216d8a75f2343353594ad |
| SHA1 | 35fa880e48d3650c1d368db2ba449a520f67cb60 |
| SHA256 | d09943cf36ab03a9a6cebf571e265f08d38a8dfa4bba557d02e364fd59eb6a61 |
| SHA512 | 20ff9c60a7b8d2b937acf0899159a5e17549d0e76cefbc86280d0c2b16315ad2e9df14e2025ba5e6d8667dc3675b7a114e00162b0899798ec322404fffbdba90 |
C:\Windows\System\kpWAzQc.exe
| MD5 | a1bd48055f1f0aecfa11f4c9ef5f8807 |
| SHA1 | 2872a70b4deed4223ee4dbb5f5b7283aee7322e3 |
| SHA256 | 93b90e7f70553632098fc202fcaeee4691cc6c7d650c3eebb6c3f3318739e977 |
| SHA512 | 4bf6b89a60694213546da3eb34a1f1033a47979ab608c09f735ca159026c5888b27bee760b785063cce810a5fc862f7c98bc8723769b47e79d1f3dc6ab7f03a8 |
memory/1636-14-0x00007FF612CF0000-0x00007FF613044000-memory.dmp
memory/760-18-0x00007FF6BC410000-0x00007FF6BC764000-memory.dmp
C:\Windows\System\mehfkgU.exe
| MD5 | e5809d8ed903d5706f2960e275129b1e |
| SHA1 | d5df1af9530e31e2bb44ce825bcaa19a6a1d06e1 |
| SHA256 | 1e08514c08b290a028914b16be2d4683550bb98dfa21dd5518edc48efdab8f49 |
| SHA512 | b17df123df0863220bc8f254b75663dcdf28aec3608691b143281279bd3a79f369a917f574c05f8130ae034c09381306323c0f1df6fab2745e12e9b213b2663f |
memory/3988-33-0x00007FF6FA820000-0x00007FF6FAB74000-memory.dmp
C:\Windows\System\YBqHWTv.exe
| MD5 | a23b7b4df42d9c3ace130799f88f3b90 |
| SHA1 | c3497a73a22bcba556859a0b147e1f758b728e2a |
| SHA256 | 75d9540f827d7dc6415298a8f2d0e41a7349bad2a6e7d4f605accb1759e21598 |
| SHA512 | 397b8242952223c5ec07bc5a912d881a997244c5db7c5f972a376d04e955e9cffbf945de59008b22eef42f2c15a3a95f9ce1ddf368d41ab64d91daad311c5768 |
memory/2280-37-0x00007FF7C07F0000-0x00007FF7C0B44000-memory.dmp
memory/4960-38-0x00007FF797F80000-0x00007FF7982D4000-memory.dmp
C:\Windows\System\NiveUhW.exe
| MD5 | 6220ad037bb5f069ffbc0bbf70397e8e |
| SHA1 | 0a0c1968cf326027672705f53e15a0315ef8650d |
| SHA256 | 99cb80322af2982813db3e1c040f3107d67865e8da04720e8b026cb21e72086b |
| SHA512 | 1388f26daaf4969c156f9a76949e3355bb5e49500c19aacdf2b31d82caa01db7ab3e93924383fb706dbe34c2086448052a8b21ab6b96f2fbeab1cdb639f0b3ca |
C:\Windows\System\aKagJaS.exe
| MD5 | e953ad18fb272fd4a1ecfda3b7095c41 |
| SHA1 | 337c5705191aa1e57ef10025525ec16d5b1485a9 |
| SHA256 | 2d77ae7a957be34eb0279a1200b770f52fed2fc6f517f62b90369d3cc1413546 |
| SHA512 | e9ef64357599c3e494892789356adcbda21b55ebbb7a99ca5ebf4f96d17d1b864c1073c29e1608a40a80e73deece0ddf937b71a46a17c24a512b3f5946dcb4eb |
memory/4380-42-0x00007FF7E0E50000-0x00007FF7E11A4000-memory.dmp
C:\Windows\System\TOWJlpF.exe
| MD5 | d72367c880a688b95e3fb359395bac29 |
| SHA1 | cf74ed87c1f992dd7a94d4457e04593ce72daa15 |
| SHA256 | 6fb5983fda33ebc7ea5981eae908bd4a7a4b027111c2e43ce36ecc348f4411b5 |
| SHA512 | 57798c016cfd0d930fd8ba6cb367b26033d45511b8306f87cec00c83985f4665bb33633c310f4ac5f520cc427a7765488a767efe2aa6e9a54bb2336d1dfcc688 |
memory/1540-48-0x00007FF703FE0000-0x00007FF704334000-memory.dmp
C:\Windows\System\JSRSIWw.exe
| MD5 | 9ac3f25ea16952269930fedd608af310 |
| SHA1 | 46f8a901fb099f4af655fd1335d6a2c09b207de9 |
| SHA256 | 326e8d8d4ef9e432ca88c39d3488a7808840918b1e35c5d73f11d60b64ff5264 |
| SHA512 | 7ba91bd9e6fccea4e22bce69f9ba8712cbadb060e6d7c7cfa6530bb2f391fa5e932838f6c0e0a3ef195b8095eed07bf1462e90f52e7ee1594e151618e57f4c89 |
memory/800-56-0x00007FF766B70000-0x00007FF766EC4000-memory.dmp
C:\Windows\System\ZnPORWm.exe
| MD5 | 007df26857e8239e37a3bf776bf7b5d6 |
| SHA1 | 03b584e1fc3b8192d86ddfba5b0cf4d4d2cca2cc |
| SHA256 | c9d2e425eb6fe381b1a5add56f404f83322cb681aea07b0cfb343f9bd95ff834 |
| SHA512 | 05c828343f1174d8d6529c708c84662b81bbd77bd870689814e0045d7af03ac5db48c5e50945b660096e8bef1afd52369b76638ac66b65fdac7d1e588053b5c7 |
memory/4832-60-0x00007FF699B20000-0x00007FF699E74000-memory.dmp
C:\Windows\System\ojqoZot.exe
| MD5 | a7f9df33761720f4cdcd08ebcad6eac4 |
| SHA1 | 2f1ed09a0f516fc0ea52246e6f51fc242bc3e115 |
| SHA256 | 1cc12942584559a20c77adecac3116ed56dde6de9ff47fe7004640e873b6fce1 |
| SHA512 | c2e847792a184735ce0337c8fee29e0572e127c2bd6bc441aa8431799c9dd4a26502149bb54a33ca3eb41737ec333844cb697d5e4259ff1418aec56dbe9f4550 |
memory/4732-69-0x00007FF675790000-0x00007FF675AE4000-memory.dmp
memory/4812-68-0x00007FF7CEFE0000-0x00007FF7CF334000-memory.dmp
memory/4076-73-0x00007FF6FCE70000-0x00007FF6FD1C4000-memory.dmp
C:\Windows\System\pqgnnqu.exe
| MD5 | e855f3c4c4fb630e180ae9af0b493483 |
| SHA1 | 32dcd3920c8bffea52452e66d9b4ef95a18a7954 |
| SHA256 | b41c65821613f2a3be30b8a7611c778cee713c5b85bae91d0cfd189a89d6c2fc |
| SHA512 | 5055f245284676447ec81d792639417631a93e95e3bd176b2e073eae866fdbea5a21dc92562705692dbee5db160d40dd5afa7cfc451d50165fed3e14501577fd |
C:\Windows\System\qLGlanq.exe
| MD5 | 387681543b895423ad767e90a79581db |
| SHA1 | 08ece7301019411b83bf80c77c7035b41e8f92e7 |
| SHA256 | 4a9f2153d935873d70db195afafce52524b476d53ed0375155871785469a0315 |
| SHA512 | 13824ce2367fbbe01f636ec8cafb8885ebf157975aab2c26f4b27e5cbd35305afa30356bfc97f9e6edc0db2bc8332ba533a8eceeed4cf3421e9274fd07bf19a0 |
memory/3732-74-0x00007FF6C1220000-0x00007FF6C1574000-memory.dmp
memory/4708-82-0x00007FF7CB9A0000-0x00007FF7CBCF4000-memory.dmp
C:\Windows\System\GMcioTy.exe
| MD5 | a444f96be2b81d1df6eaf7287327baf7 |
| SHA1 | 80462de37201ee7b55eca5cb600f455d5b384bfc |
| SHA256 | 5600e50c6feb446bae45ed4ce2fa0b4bef24e8e27d3ee6a7952d4b889bc32a0d |
| SHA512 | 00f6e99d63a8dc6fa890d5f167586c5060fa807f6fbb98abe6a52f5a617b33782434f1374edb8fbb4cf9490a8de3d986e87ba758c7d2e0105e882a6c64de5d04 |
C:\Windows\System\MjjFwsW.exe
| MD5 | 338c7b0a8edb5db83b1058b1ed880f9c |
| SHA1 | bb6ae1552aa3461ab541124c8e8c3e06f1cbac82 |
| SHA256 | 1d7717f6f1681c2a128854999578bf02e8a623c926fba160079c0c80c805f683 |
| SHA512 | 9651e493241a5871443aacf04e808f508b7b0af816f6a53c5b5334784030e95a7d5c3c3ab468ff788202afae872d71ece19c4ef9b95977e6ddb1f987a8a08c39 |
memory/2880-89-0x00007FF68D860000-0x00007FF68DBB4000-memory.dmp
memory/4380-107-0x00007FF7E0E50000-0x00007FF7E11A4000-memory.dmp
memory/1540-110-0x00007FF703FE0000-0x00007FF704334000-memory.dmp
memory/4208-109-0x00007FF6E7D80000-0x00007FF6E80D4000-memory.dmp
C:\Windows\System\uWHscGB.exe
| MD5 | 164638357b733ec4004109c858d9b7ca |
| SHA1 | f392e2c8df31ce3e5d64b917363e88d775740d92 |
| SHA256 | 6e68fba0e9d3e3cc5f03aaa4fee9e031b549972d9873210b81706a8f48eed24e |
| SHA512 | 35776b29c909cd8494f91f5647e67f171dbd75fca46314cbc3bef8eaad4acd0464f79dfe0906d401517445be9d3bf369bf4400aa2c3b29994597b7f6687352f4 |
memory/4680-106-0x00007FF7C3260000-0x00007FF7C35B4000-memory.dmp
C:\Windows\System\oKYoaPJ.exe
| MD5 | a097e30f6d825a8e428597af7e390918 |
| SHA1 | 9c59edf61f4fa7ac149d8968513fe4fa4e406f13 |
| SHA256 | 114ad7c93e3990387ddb047a31ef1d344a2013fae215b5ec704ca322ae0ff3d3 |
| SHA512 | aff6d81943ea3eb9cfb83a505201ecb451e78f04485cb8d73a4a8b071fd089f55dca60fdfe2bccb3aea47f31986aec4dee6375723b0c2d383c87432b38919a61 |
memory/800-122-0x00007FF766B70000-0x00007FF766EC4000-memory.dmp
C:\Windows\System\aNvZCTk.exe
| MD5 | 7a325b36da585f4d6b6dc230dc99d25b |
| SHA1 | 50cdb9749072e9f95487648ec3106622a1c01e8c |
| SHA256 | 8f6545cf1fe00517ee45f48fd24804d010f05cdd78b0105cb9f3a4d56bbe5311 |
| SHA512 | 7c20c3b0020c72f1b8632adf131f18367a0373c2f404e151ae7fd91343c8b431feebb1a82a157c7e2d6bfcc343846247dc15f5e2fbb49e980121e5d9e15329a4 |
C:\Windows\System\aEjCMVy.exe
| MD5 | a35b377bb272f24c1a188ffdfe16344d |
| SHA1 | 1d15d0ada2615a1b9b75047b764f42d793a86f81 |
| SHA256 | 6be7796ff869fb188b715a900dbf6539094687621a479343089e403a964d1af7 |
| SHA512 | b99da75f2e943092a045d44e4418c04349dca572473a082198db23c142dcb11b31d9b055e691b4afb4b1d7a3fd9f699867d7c959318d2557101b9c393cfdf447 |
memory/4472-121-0x00007FF738070000-0x00007FF7383C4000-memory.dmp
C:\Windows\System\KtiqiDg.exe
| MD5 | 3e52b333c25fde26f1eb4fabf262cfcd |
| SHA1 | b84b5a891843f87b0af14131f45778f138ae188d |
| SHA256 | fb14182fa41a8b33c51fc158738b3a0b65bb39e8840dfee96837ee2a917da252 |
| SHA512 | 827f2b48c10efafb9d31c48bb2d8fd0d28dc18df320a47d3c39dfcedc599af72848eb49a6ca18850cb5950efdebb54ffafa3dc5b4d5a62741f3ab7de27a26e28 |
memory/3648-123-0x00007FF6C3810000-0x00007FF6C3B64000-memory.dmp
C:\Windows\System\rhYnOHA.exe
| MD5 | 08ae979f96857a55b270ecf43cc9f94a |
| SHA1 | af94d132ca82d3b0138186b62588079eec1cc323 |
| SHA256 | fcf8368391e7c7f4e8c76f65634fdb0eb1c5ca7d6c1956478822a55fee6434fd |
| SHA512 | 52b6dd6e2020e9f96c9f55fce1a269dd2172bad60ff190ff02ec4445099b8aae8c983c5671e81e8f3d3eb32d6fe953270361982945a12845d9b4b04b58f7ce95 |