Analysis Overview
SHA256
6f363651bc0816e6207946884514f4777457a05222915859aa0da6ed4e939d99
Threat Level: Known bad
The file 2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobalt Strike reflective loader
Xmrig family
XMRig Miner payload
xmrig
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Cobaltstrike family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 08:28
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 08:28
Reported
2024-06-11 08:31
Platform
win7-20240508-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\NoAXlQA.exe | N/A |
| N/A | N/A | C:\Windows\System\oLkCJep.exe | N/A |
| N/A | N/A | C:\Windows\System\hgBAowV.exe | N/A |
| N/A | N/A | C:\Windows\System\xXzKgap.exe | N/A |
| N/A | N/A | C:\Windows\System\TcMCIKc.exe | N/A |
| N/A | N/A | C:\Windows\System\HCCGZda.exe | N/A |
| N/A | N/A | C:\Windows\System\KGUTYPX.exe | N/A |
| N/A | N/A | C:\Windows\System\MsFHdNY.exe | N/A |
| N/A | N/A | C:\Windows\System\plgELNO.exe | N/A |
| N/A | N/A | C:\Windows\System\BMISCkt.exe | N/A |
| N/A | N/A | C:\Windows\System\YdUKNlB.exe | N/A |
| N/A | N/A | C:\Windows\System\wShGKHA.exe | N/A |
| N/A | N/A | C:\Windows\System\FXlXucX.exe | N/A |
| N/A | N/A | C:\Windows\System\VSMhQdV.exe | N/A |
| N/A | N/A | C:\Windows\System\rkGFcaU.exe | N/A |
| N/A | N/A | C:\Windows\System\UGLTmwW.exe | N/A |
| N/A | N/A | C:\Windows\System\LMVgkiO.exe | N/A |
| N/A | N/A | C:\Windows\System\gRnWxPW.exe | N/A |
| N/A | N/A | C:\Windows\System\IiPpfPr.exe | N/A |
| N/A | N/A | C:\Windows\System\bTSkbeW.exe | N/A |
| N/A | N/A | C:\Windows\System\BtYKlAF.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\NoAXlQA.exe
C:\Windows\System\oLkCJep.exe
C:\Windows\System\hgBAowV.exe
C:\Windows\System\xXzKgap.exe
C:\Windows\System\TcMCIKc.exe
C:\Windows\System\HCCGZda.exe
C:\Windows\System\MsFHdNY.exe
C:\Windows\System\KGUTYPX.exe
C:\Windows\System\BMISCkt.exe
C:\Windows\System\plgELNO.exe
C:\Windows\System\YdUKNlB.exe
C:\Windows\System\wShGKHA.exe
C:\Windows\System\UGLTmwW.exe
C:\Windows\System\FXlXucX.exe
C:\Windows\System\LMVgkiO.exe
C:\Windows\System\VSMhQdV.exe
C:\Windows\System\gRnWxPW.exe
C:\Windows\System\rkGFcaU.exe
C:\Windows\System\IiPpfPr.exe
C:\Windows\System\bTSkbeW.exe
C:\Windows\System\BtYKlAF.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 08:28
Reported
2024-06-11 08:31
Platform
win10v2004-20240508-en
Max time kernel
138s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\QYVCDqs.exe | N/A |
| N/A | N/A | C:\Windows\System\ICeCLNe.exe | N/A |
| N/A | N/A | C:\Windows\System\PYkfFHY.exe | N/A |
| N/A | N/A | C:\Windows\System\ffddBCa.exe | N/A |
| N/A | N/A | C:\Windows\System\jLJxVrX.exe | N/A |
| N/A | N/A | C:\Windows\System\JUgunKm.exe | N/A |
| N/A | N/A | C:\Windows\System\WVCrVDZ.exe | N/A |
| N/A | N/A | C:\Windows\System\cVFPVZs.exe | N/A |
| N/A | N/A | C:\Windows\System\DxAhiKv.exe | N/A |
| N/A | N/A | C:\Windows\System\JMyNUSj.exe | N/A |
| N/A | N/A | C:\Windows\System\upAbAYw.exe | N/A |
| N/A | N/A | C:\Windows\System\wtcwyhj.exe | N/A |
| N/A | N/A | C:\Windows\System\bOjfOBI.exe | N/A |
| N/A | N/A | C:\Windows\System\ZlrCAHt.exe | N/A |
| N/A | N/A | C:\Windows\System\BsGWfwy.exe | N/A |
| N/A | N/A | C:\Windows\System\eqAlXMQ.exe | N/A |
| N/A | N/A | C:\Windows\System\xRBGTkJ.exe | N/A |
| N/A | N/A | C:\Windows\System\phcFkza.exe | N/A |
| N/A | N/A | C:\Windows\System\tHPCWhQ.exe | N/A |
| N/A | N/A | C:\Windows\System\qDAOPab.exe | N/A |
| N/A | N/A | C:\Windows\System\NmghlLV.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\QYVCDqs.exe
C:\Windows\System\ICeCLNe.exe
C:\Windows\System\PYkfFHY.exe
C:\Windows\System\ffddBCa.exe
C:\Windows\System\jLJxVrX.exe
C:\Windows\System\JUgunKm.exe
C:\Windows\System\WVCrVDZ.exe
C:\Windows\System\cVFPVZs.exe
C:\Windows\System\DxAhiKv.exe
C:\Windows\System\JMyNUSj.exe
C:\Windows\System\upAbAYw.exe
C:\Windows\System\wtcwyhj.exe
C:\Windows\System\bOjfOBI.exe
C:\Windows\System\ZlrCAHt.exe
C:\Windows\System\BsGWfwy.exe
C:\Windows\System\eqAlXMQ.exe
C:\Windows\System\xRBGTkJ.exe
C:\Windows\System\phcFkza.exe
C:\Windows\System\tHPCWhQ.exe
C:\Windows\System\qDAOPab.exe
C:\Windows\System\NmghlLV.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 52.111.229.43:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2696-0-0x00007FF63C5B0000-0x00007FF63C904000-memory.dmp
memory/2696-1-0x000001D365AF0000-0x000001D365B00000-memory.dmp
C:\Windows\System\QYVCDqs.exe
| MD5 | 8875b2126ff80a083b02e744e2f9c3cd |
| SHA1 | a00f3ecec1e0cce2adfe8d3b83c3ff8a0147139d |
| SHA256 | d720430c4f8f2539e8a77da5d521f2e18fb8335c8cd3e2dce131d654fcb0ed93 |
| SHA512 | 2968fe821769af41e97b86ffcff3508bce554df289d3270f13b842fa72e49dfe485c1a39bfdd4537d1b430c306aaf879c251129b9b667a4e0563cb6cb43fb8d9 |
memory/4556-7-0x00007FF716B20000-0x00007FF716E74000-memory.dmp
C:\Windows\System\PYkfFHY.exe
| MD5 | 4d8d25c118c5bf98db667c8d50519ff2 |
| SHA1 | 5d70c35a98bc4533f58506c6a843069ec9aeeaef |
| SHA256 | 00d27e6867a81df0fde91dbc6e31529fe4db30faa8925f32962d0f0e23aeff3b |
| SHA512 | d3f63c5c23020179ab84f3c9db5b07d44792b49902b5143cc6e23906e3db77ef27bd8f320b42b3a282e3882140f6356b4991fa29f1e884afad3f6d6d75d4b592 |
C:\Windows\System\ICeCLNe.exe
| MD5 | 3a0b111b8e1c40be242c79572987c0c5 |
| SHA1 | 1b5acae105f1369cdc12eb0dc4baeeb62c72a2e3 |
| SHA256 | b7d62f786a142044f8a04eb84219be0704e8d8e6197761d73034a505d551bc35 |
| SHA512 | c22122e619015a0670634bdc6cf7d400979d17268b2dc00eddb9c667a4b860a37dc6958c46cf56cec70157799e7fc2b286c894d6e6a6fe93cf846fd0c6029558 |
C:\Windows\System\ffddBCa.exe
| MD5 | 4f88caa2d7b27725a76cf30e65be0eeb |
| SHA1 | 35968e289e3a212ea239e1c77be6b62ef78a3870 |
| SHA256 | c25c7b213dd8e1f69ef967895ea91088ae181fcb346661d51efacd89e602d812 |
| SHA512 | 6967bc85fc332d2882ffb0ab1428ba954166e81b389b6b32ff132a6d48675332c54ac39b432e9a1cb3421f85d96c0b51ee4bf28292898747df847f93ee16c578 |
C:\Windows\System\jLJxVrX.exe
| MD5 | 1eadaab65f5595fa94dde7c7c9153474 |
| SHA1 | 21c98146a8c1c925dce9fe2c6cce48c72a4232cb |
| SHA256 | 9bca224c392feed092645b3c4c0293fb50429b2384195b37ce0d6e64ef547ec5 |
| SHA512 | 79094959a814614201f75a6bef961baefc4c7f1c06b30d4de17cd5f3bb1718f930e7d9f4b43c52cd37d3e80c870ade9d085d8fdbbfd6a19f021b78ae333c2b14 |
C:\Windows\System\JUgunKm.exe
| MD5 | 1bb16a8a871e6b550090d673acdf8a31 |
| SHA1 | fe4609720369dc29941af0298041e09696a31938 |
| SHA256 | 827ac2514b8ec23d8d7f509d4f7b74b903748365f1c8931aaaa315af3a9894cd |
| SHA512 | 7e07a033d96f4a06865f95d2aaf13a44046dd4f9d6e176988004962b38ba3364b5dbe03a51770d335378b64f2a81cb3c1d5c11cef961d375ac03cbb9bff7896e |
C:\Windows\System\WVCrVDZ.exe
| MD5 | 657dc9950cb431fc56c529696ed84998 |
| SHA1 | 4f762d1c4ee8715002f977aaff385638849741ef |
| SHA256 | 4f2a0d56ad1ec96f6f18263c89046d107a058bed70b16795a64b2bc7e50a11c8 |
| SHA512 | 187d95574ddcbc06697dfbf8f6b78df6ba94f698232f5da20bd0eabb8f40ac6814aaad0595ac158ca01667336ea5a6659ffe6fa5ac1f8719413a9538ba38f2fa |
C:\Windows\System\cVFPVZs.exe
| MD5 | 3a02dbce0667ecf6da7b8db96967d8fb |
| SHA1 | 668cd9b36cf5b865aa230035d39d6280963c7877 |
| SHA256 | c7c23417f1676a27f8e189283131ffd991e2632b9c95bcc048b057a59f8a6838 |
| SHA512 | 0ec570dd4bedf04228a60a62ffa5bd26cbca396807b8ac838a9300d9fd781338a435a10e18de6b0b179923c7071e5f1fb84f0b434e31453275b48e6bc8caddf0 |
C:\Windows\System\DxAhiKv.exe
| MD5 | 8ec64f9e15ec81a5330f821e5b281306 |
| SHA1 | 26f19d0aed88259f05fe11c145c7f94ab160ab8e |
| SHA256 | 3bfa05ddc4894c64c25332756d3358b50dfc9094ee65fafe01a1f672b5a1cb57 |
| SHA512 | 2a59a74fe8ee82cd429eede754e166bffc7aecced1dfc7c1c95542cf45737da3e12eda9c72e08ff9d03e6da2d742ab2f552307a1cd2908c5ebd9077550e9e162 |
C:\Windows\System\JMyNUSj.exe
| MD5 | 8c5f7feb26dd2365753725cc00f25633 |
| SHA1 | 1863979080324c34ef875999100d34fdc624b5ee |
| SHA256 | 14931023c87bfc4322b6f8068c54a6d40a590170aff363bd1a84a8f6b956c2a5 |
| SHA512 | 2e7a45c0cd1ee8d9b8f05cdad4a1c2345210875d54803f148dd5ba7a458462e65e2fc41d8fabb5469ed565748a393d21ff84e912c8af6cda628480f227116000 |
C:\Windows\System\upAbAYw.exe
| MD5 | f05afb84152c4443d9751d6be4be244d |
| SHA1 | b13e6f2961b14144ecfdbe093801de566270f8a7 |
| SHA256 | 43dc37e3bde00c77d1021e743538be85efb476c50e47ead66d8d8cd0312aad99 |
| SHA512 | 3439986e8d14a150dddca6fb2dd18e82c4c8fa9a0ca3a287d9932d174beb77d5262000548b3e698fd3082f1f377cd56342b33b989c69d5fbe6079363b57ebcb4 |
C:\Windows\System\wtcwyhj.exe
| MD5 | e65923a78a9a9d4ba1368409b08114b7 |
| SHA1 | 2936a6d0ac4ae937f7ad46828ac0d405282154e1 |
| SHA256 | 5b1472d49f1fff5d639c5b4cf3331ea3a138413fcb20cffc642d53f5f9d48ab0 |
| SHA512 | d4a0c4e36c27966ff4aaa6b870117232f2bf15bef664c914aeefda0588ec9dc418deb5108e14a2ebdc82e236304909c2d85d76910fa2db7d8c28e8ade94b1447 |
C:\Windows\System\ZlrCAHt.exe
| MD5 | bb13da2c92094f38433e17f79892b533 |
| SHA1 | f031dc6143fcba595fe0e0ce8bc467d124cdd6b9 |
| SHA256 | acb00fae7c2ca5ff9c2fcb7ba3e45f3c29e9ea7cad299667030d802bdf8dc0bd |
| SHA512 | 882223592e7a9e8bdbd5c6d85b58617fc7325d047477690525c0e071a8f7cd95e5c45e3215187c0d20d3c5b5e607ba122e0645f1e03e50178f21736abe344d98 |
C:\Windows\System\BsGWfwy.exe
| MD5 | c15901a484b8058bb494adbef5b9f6e3 |
| SHA1 | 0521ab3b0fc78055e8fb59a8973f737a4c50e62f |
| SHA256 | 6cbefaf321dbec6d6f363605f9a8413a7c53ec94b773a04e5deb33cb394e9614 |
| SHA512 | 64606d1c1b1f3785b656710d4ec287b4a3455b3b30a98401ed3416d74cd8c6c7a8616923ea22a23befd30a38c10966ab4f7bb48bb60379c230faaef39b0103ff |
C:\Windows\System\eqAlXMQ.exe
| MD5 | 8a5cb4df9613f11ba90675ba6ffcb283 |
| SHA1 | 73ba4db5a2a55c7b15329667c4e9cf20da33bb09 |
| SHA256 | fde8d0751599cfde962a7617da60c9c11d6ac92d9d9466c3caf2f83a80da962e |
| SHA512 | 42ae14066167521c5d10d15c3a224550699d162a81e5582600d65e9913bf57d7962afcb195d76b9b7b67bc26f75f3d52a81e902e9d5eab87d0efa26fb10eb705 |
C:\Windows\System\bOjfOBI.exe
| MD5 | e8d6519cfbd570ed7947ca662bff7d6f |
| SHA1 | db97158e44449ce44e6d53edd184ebb4deaf261d |
| SHA256 | 934a0070ec6569e5f159e14abd0da06f06d2c5c4f97e4def401e91c37db0574b |
| SHA512 | 2954729a2541a4dac83bc264cab273d135f8b766f62a2eb088ce014c6f6fd1ae8821d61c6e83bb9bb708c892066c2910c2fa0d3c0689e99363b78f970972da93 |
C:\Windows\System\phcFkza.exe
| MD5 | 673c7b79b37aa8e8505984383c26da8e |
| SHA1 | d40ff46f2ac4180de1405544b5b2b1607cd5a31d |
| SHA256 | 87292a7d7f24a776820e036c4d3162eade7a521981bb78f220ca51f6b27faadf |
| SHA512 | 1dd782835fde420b800dbc920bffabe7b2179ef89a7bf0cbae2af376ee270dcf9611b4cbf893cc758e477d62ccdfc9c1e8778d68ba2eef69ffb8639b7c51e994 |
C:\Windows\System\NmghlLV.exe
| MD5 | dc31e22fa3802cfc10460ec38efd8fee |
| SHA1 | 28e29199a9db6f11e1a818181269a3c09a53b25a |
| SHA256 | a37cf7c889370f3cfa30732111779148aabb2b3f5f740d0bcb659ee738fc3299 |
| SHA512 | be5fb5ab6cc0a03d386337dd3c537d67b26ae8ec7a0603d64398ab71d2786a99c8283d5ac321f1a9089523e1405642661424cb038e478182d50837b84a6a243e |
C:\Windows\System\qDAOPab.exe
| MD5 | 8d914b101384c4405c7cce93d31ef572 |
| SHA1 | 8663fba72553d6eed5fdd83ba27329d43c8d3514 |
| SHA256 | c18af714290781811f13ef005141bb2e73871034b17bc35f65cae9dbd4b93540 |
| SHA512 | c00b56b9b5a9d3259bca303113b6716c0744bc2120d6fc434bb36857340bc57338867adb2d92db08d0bca7af928ba8853088fd389a944cfac242f30e134f8555 |
C:\Windows\System\tHPCWhQ.exe
| MD5 | 162b158a4e5616c127873188568a7c60 |
| SHA1 | d27ab524cc8046568360de634f5038e810e0ba9a |
| SHA256 | 76d8c784398b65d53739553c4149baf280b16b9eb89b6d78d54077160cf78776 |
| SHA512 | 0cbd243df0ea161c3a419da2cde7d236b019db81d55619d5b38517e9b0370258fa1bc9fb01b45ae095b8e30e9f31803174e752a1003089a6bf8ac6b009cc8c78 |
C:\Windows\System\xRBGTkJ.exe
| MD5 | 60dc21af09638006297c05bee0c2f730 |
| SHA1 | 13d19822931659b043b843bbdcecf4b22d49c17d |
| SHA256 | 034ee4738e42c648c4e67f95837c6380b135b8477c82e38a8e5eae7743873926 |
| SHA512 | 6c079cdfa9e01993fff2f10c0bac50f58475f78a330ac2a3b5d9715dcb5c0c37d1e5a8f361f2c9791a5199bc90ca043dfc38d0506c0361a602a53d8b492a980d |