Analysis Overview
SHA256
43066b7f544a52df663693f265e6881bc8f5cafd7a7bea69bbc173bac4b695df
Threat Level: Known bad
The file 2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
xmrig
XMRig Miner payload
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 12:46
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 12:46
Reported
2024-06-11 12:46
Platform
win7-20240508-en
Max time kernel
1s
Max time network
12s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\mPVpEMm.exe | N/A |
| N/A | N/A | C:\Windows\System\kSxyeqC.exe | N/A |
| N/A | N/A | C:\Windows\System\XPwnHEX.exe | N/A |
| N/A | N/A | C:\Windows\System\VvnRmvp.exe | N/A |
| N/A | N/A | C:\Windows\System\dZYgrCf.exe | N/A |
| N/A | N/A | C:\Windows\System\KsJZKzU.exe | N/A |
| N/A | N/A | C:\Windows\System\ddVftjA.exe | N/A |
| N/A | N/A | C:\Windows\System\faiMdMM.exe | N/A |
| N/A | N/A | C:\Windows\System\VxvTIBn.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\mPVpEMm.exe
C:\Windows\System\mPVpEMm.exe
C:\Windows\System\kSxyeqC.exe
C:\Windows\System\kSxyeqC.exe
C:\Windows\System\XPwnHEX.exe
C:\Windows\System\XPwnHEX.exe
C:\Windows\System\VvnRmvp.exe
C:\Windows\System\VvnRmvp.exe
C:\Windows\System\dZYgrCf.exe
C:\Windows\System\dZYgrCf.exe
C:\Windows\System\KsJZKzU.exe
C:\Windows\System\KsJZKzU.exe
C:\Windows\System\ddVftjA.exe
C:\Windows\System\ddVftjA.exe
C:\Windows\System\faiMdMM.exe
C:\Windows\System\faiMdMM.exe
C:\Windows\System\VxvTIBn.exe
C:\Windows\System\VxvTIBn.exe
C:\Windows\System\dpyTbWW.exe
C:\Windows\System\dpyTbWW.exe
C:\Windows\System\xWnBNGX.exe
C:\Windows\System\xWnBNGX.exe
C:\Windows\System\dAduGsN.exe
C:\Windows\System\dAduGsN.exe
C:\Windows\System\fiNZxcD.exe
C:\Windows\System\fiNZxcD.exe
C:\Windows\System\gfsSJRG.exe
C:\Windows\System\gfsSJRG.exe
C:\Windows\System\THEskLN.exe
C:\Windows\System\THEskLN.exe
C:\Windows\System\UsBjEpW.exe
C:\Windows\System\UsBjEpW.exe
C:\Windows\System\lMmgjIT.exe
C:\Windows\System\lMmgjIT.exe
C:\Windows\System\qSUSWBZ.exe
C:\Windows\System\qSUSWBZ.exe
C:\Windows\System\CSarfgy.exe
C:\Windows\System\CSarfgy.exe
C:\Windows\System\YHVzPOl.exe
C:\Windows\System\YHVzPOl.exe
C:\Windows\System\KDLGjax.exe
C:\Windows\System\KDLGjax.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1944-0-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/1944-1-0x00000000002F0000-0x0000000000300000-memory.dmp
C:\Windows\system\mPVpEMm.exe
| MD5 | 63290320b012ea9bb27129f54c581920 |
| SHA1 | 9341611f4683038c9546afef9d8154426472eca5 |
| SHA256 | 2c3a2ca2de059ce6ca130c9f1710ac2b341d52e2d22a5bdfb7fd8181aa340f8d |
| SHA512 | fad9d512f0395d6a63c972086c8bfe7a1ef67149eb3cfbdc123af9ec8f42720af72254e6085fb0582c894fa3881f4f7be441d266b95ba6999cb3dc3848d94a8a |
\Windows\system\kSxyeqC.exe
| MD5 | bd55c8a37850d0626737d11717469d79 |
| SHA1 | 53fb884c07b58454b3817a2512669857b9e86703 |
| SHA256 | 0eb0ec4dbf191a3181b21c1417c5a32b7f793d882da7f301a8ece452991bb9af |
| SHA512 | c1186a03a91b6f18a4443f429935f99a90a2866f36a83812558e86e5b67b26cc5da056c7727c190dd31a1adcb8fe79982985e6c2c66bfc39efa36d9c3a74a1e4 |
C:\Windows\system\kSxyeqC.exe
| MD5 | b59ae61a02cbd771b27fa4de50b0b851 |
| SHA1 | 15e75d2dbd628941b8c45e2acca77033724b1d7a |
| SHA256 | e9d1b939c2f5cb7e52df9b1745cbee643f356eea56de6ae754cae60555afaa12 |
| SHA512 | 75d6a41c5e1c646ce1f43276f6eda377a3b0309beb8f2ea6b6b92ecf2f94f1fc3578016d169014d6f120ede144e3de5182b2c8205ec59aaf9cfb48fef74e91c7 |
\Windows\system\mPVpEMm.exe
| MD5 | 98ddbea8b700025cfea6cdb4aa3e43e8 |
| SHA1 | 50ceb41fa98f8da019e896ed8b56fb815ade85c3 |
| SHA256 | f3d04b1b505bbd1edfc225f0ff843d2d6e124620e1863f1cebccc8fb38f1e763 |
| SHA512 | d10c79b9ffe04655d2ed28a606ef98f8550b5560c30acde63f1522d23a06ada25993e4c72d6366952d8876ac8ea72ef7e8996ba2e92abd973881f2d8a97c9a8a |
C:\Windows\system\XPwnHEX.exe
| MD5 | 4f0cb466323d60e5a42b8bbca13af789 |
| SHA1 | 0b0d1d7c3420f9b8951eedc6f694291aa6860683 |
| SHA256 | 14e8c6e62596f8ac3b95156893bec3348d06084f939b1ae4b0666ae0bbad22c1 |
| SHA512 | fe9b813ed2de6a08ddd4b2fb045773ce294012803d0eb1907aa77feef2f33d34b6606370f174e33cd257b2911bac027bcc9256c0387c11941a9dede8f4cf2c8a |
\Windows\system\XPwnHEX.exe
| MD5 | 8a8292e812bdde0355ced9f4650bcdf4 |
| SHA1 | 2e8a60c14fac2a9421b8650758842113f994675b |
| SHA256 | b6229523bd478efadedd62bb8def3190ebe0afe3abfeb1c62110c085d9a63200 |
| SHA512 | 4eff10d85ba3299f93aebab6233eea9b8e8ff0e8c82485e2d245ceaf447c799ae79b340ebc97ee5307eab71f3def8a3fb7701dabfd3d4d85b4031774dd0c46af |
C:\Windows\system\XPwnHEX.exe
| MD5 | 8761e24e350138657b894ef4abc022b3 |
| SHA1 | d8a472ab579a0a7730dc53b82141820743bf0add |
| SHA256 | 90ff928b10d3aa61f93e297a424adfd7de082491cedd004c49d1b3e6304001c5 |
| SHA512 | 0940ca6e284cc88f597e67d24689c2bd27279e29ac57b92c9a970374616a16847704e9659f2d243a69fbad09babbd862f84224ad7c3530cc8135c95bd2c72628 |
memory/2084-19-0x000000013F820000-0x000000013FB74000-memory.dmp
memory/1944-18-0x0000000002470000-0x00000000027C4000-memory.dmp
memory/1944-23-0x0000000002470000-0x00000000027C4000-memory.dmp
memory/1944-21-0x000000013FEC0000-0x0000000140214000-memory.dmp
\Windows\system\VvnRmvp.exe
| MD5 | 04d51d193560bd7cbe3c1aa4176588ed |
| SHA1 | 50c403f2cdd24613871102930823a4077a309a84 |
| SHA256 | d2f2e6f71c7392c54365bfeba96646f1b48bfc2b35cee99399fabe8555745a79 |
| SHA512 | 16c84370d3456e4b479306cb1207e32853b3b3dacdc34ee2c06bac6f00e0ed99d27f6c49bc2894052479d03d45c8d3898044a71ee9425a44f4f5a31a42b6918a |
memory/2580-20-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2756-22-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2600-30-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/1944-28-0x000000013FB90000-0x000000013FEE4000-memory.dmp
\Windows\system\dZYgrCf.exe
| MD5 | 77dba91fb3c2cde72cb349d9f90ca79c |
| SHA1 | b84a9e63676a0ad38ca01ffd44702e7c9744ca69 |
| SHA256 | ed264866c0bae9fa9d4a16e9bcbd3d21ee672ee0eb5b22b64a5a0fa3926ac6d7 |
| SHA512 | 7688eeb8dd7644b0c13094022c2cf5cb3e8225b2176f2a6c3aa2c5fffd3842d1f2840ab41b990e0e98d17fd029498949a429fd63ec10fb6afac0d993f6b2e67c |
memory/1944-32-0x0000000002470000-0x00000000027C4000-memory.dmp
C:\Windows\system\VvnRmvp.exe
| MD5 | 79cb800fff47a06afebef72028461c94 |
| SHA1 | ff75505398b632020d3756d39d393f7d0d663647 |
| SHA256 | 2760b590a3c4c257a39f7b7571e6c124eaff33574997b2f854f74eb79aa5ddcd |
| SHA512 | 78f1927d2b050cb370b68ab097fb94c3e648811aa84b2fd62943b155b74ce09079cdacc50c8966802fcb433c83f629e8829ddc1d359fa6ac0fd803671d765d22 |
C:\Windows\system\dZYgrCf.exe
| MD5 | 76bf0466328f407fb8356697751e9d17 |
| SHA1 | ab6d60cc0022bd9fcb09a7b133772948f1b44e71 |
| SHA256 | bc9432097e5cf86f7734fcdba0e6bde844e37f3c7c22e1538d1d567922da9884 |
| SHA512 | 6cf2f8e6b124936088948bc61460f2c7dcf57e07e3b8a91ff6d8b8fbcfd1e6fcee7a878c2ad962cc9277cb4e28a8224410d0fb4788d1a0cedc18fa4f9e3db4a6 |
memory/2592-42-0x000000013F410000-0x000000013F764000-memory.dmp
C:\Windows\system\ddVftjA.exe
| MD5 | da49f1b1f2b96b49705866203751f59f |
| SHA1 | 1fb490e694febd4abb5609eba7058906c7c62fc1 |
| SHA256 | db17ce16538e3104d76c2865f6043929089867615332842fb4539363fa1e158f |
| SHA512 | 64230d121060a4ecf7e8546c8f3f841eea180c2377add458625a54155c0dd3d899c021538950ea3047fd426aed50dfc97cdf1f7e2bcab143f2777fd079bf8bf0 |
C:\Windows\system\faiMdMM.exe
| MD5 | 182702f8c189f2105671b3b193ea01bd |
| SHA1 | 5cbe4a492c7f661166b4ece7955c0ec73fadc31d |
| SHA256 | a26e7690e7bc3ea344b69a7055744b04ab0a6a6f5efc215cd98698c2786c3f7f |
| SHA512 | 81af6029078315813c434ae562db848bfccfd0ce021093ded729c0431bbbdfab770bb5cf5e5e10bac76b9afc8886a0732e92ae0912c9dff147628a2530f045d1 |
C:\Windows\system\CSarfgy.exe
| MD5 | b5d6c8b472f6137523570f20868f4041 |
| SHA1 | 61a520c4e5802e3278d223745c0d5b53798489c3 |
| SHA256 | df7d971e23b4ededa31b1693094cae103f35c8a092bea9c558c1e9bba9ccc324 |
| SHA512 | 310f2bca69858a022c70080fd06c881ff6459ee943f0afef48d3fc47591912fad27b5857e0c076a90ca0c03ab0f8ff278f0a7686305712014a6bb182fc4a4229 |
memory/2528-120-0x000000013F140000-0x000000013F494000-memory.dmp
C:\Windows\system\dAduGsN.exe
| MD5 | c5f33c208b8352c92ff94fbc2b599111 |
| SHA1 | 0842e8833ca026da14c777f19216ac8823767900 |
| SHA256 | 6fd2df6d3131682515e5fc159d81918ada218168622149be278bff78e6839f6f |
| SHA512 | 62f9100bcb029dacf5e5850ff2c364497a0db747c663dacd840839ef6bb501ef0b8fddc8b075af9a33043a07665b866db4f1c551c78513d6efa407abe8c56db5 |
memory/1944-129-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/1944-128-0x0000000002470000-0x00000000027C4000-memory.dmp
memory/1944-127-0x000000013F2C0000-0x000000013F614000-memory.dmp
\Windows\system\YHVzPOl.exe
| MD5 | df43099f8ecf7fc7231104cc7906f346 |
| SHA1 | 3e71eb14c6e419a455fbd4a3234cbfb9f69fb428 |
| SHA256 | 2fee27d95d784896594fd4c402904f15f7b6e8d0448726197f29a8303072c9e7 |
| SHA512 | 0780e96102ed70b27cdcc7843ce59b45e8d687f99de38cd1f2d8f08d1be12d524f20b3d4f78294edd2ce2d1dc761badaaa437128842e8b787cbe7919b203b90d |
\Windows\system\qSUSWBZ.exe
| MD5 | 0c4fa25607b4370165ec346f1ab5cf33 |
| SHA1 | e793a93cf0e5f3e380ba686a46b04e292ac07498 |
| SHA256 | f680fd2e7e49c6829b698cc5e2e48b3f3ec8ee78dfde1c28c492f9f7a1d1aa8a |
| SHA512 | 57cf1299c34833ccdb24babcc7aeb948098cf922afcd315f5a5058d132d8d7c108e23a581403cea07290b7bffcfee0f7a4aa118bae4b90c90b7ccd5b4bd86e46 |
C:\Windows\system\YHVzPOl.exe
| MD5 | 1a0e1455de686b8158fbc1e4c92a2f9d |
| SHA1 | 29170fbafb064ea2f4235b38c121cb23ca398b78 |
| SHA256 | 751d7a519550296e44f729642a25deee57e02effc38513cfbd1634914ad4844e |
| SHA512 | 0c3cf17afd7417c22e0ca6141bcc86ad947d316dec4ac51bbf0cfbf64b1e1e9ff9d8ef71b04c70e0dce9d50c4cfc20ef43f31d0c81e2d8a56a7eec0800995807 |
memory/1944-123-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/1944-122-0x0000000002470000-0x00000000027C4000-memory.dmp
memory/1944-121-0x0000000002470000-0x00000000027C4000-memory.dmp
memory/2564-70-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/1944-119-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2596-118-0x000000013F780000-0x000000013FAD4000-memory.dmp
memory/1944-117-0x0000000002470000-0x00000000027C4000-memory.dmp
memory/2496-116-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/1944-115-0x0000000002470000-0x00000000027C4000-memory.dmp
memory/2208-114-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/1944-113-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2640-112-0x000000013F7D0000-0x000000013FB24000-memory.dmp
C:\Windows\system\KDLGjax.exe
| MD5 | 4e77e5b0d3e1f7e95208469762b9de9f |
| SHA1 | 0a5a009be862764615777c1b707d36edbc11ff21 |
| SHA256 | f92c26d020b7221553156425eb37df2d0419664ed1b1dfec4bcc6dd4844b43e4 |
| SHA512 | dda02ecff4425b741e8db0fc2114ffa66fea763a1c1005abb22eb8a9df84cf46de8481047ea55594255e59f8002d15f025c5315e413a202ba4d0fe32fa539aee |
\Windows\system\KDLGjax.exe
| MD5 | f6ff13f5b74581b4d693140d7ed15d42 |
| SHA1 | b5f72d745d10b4b9c5938885364efade2590a6ab |
| SHA256 | 0632369166c9bc5c9b434ffd89ec9c9f265e35db5f9f6e8b7957c45b2c7683c7 |
| SHA512 | 39ddedcd48f0afefef8b6d9f4c6350246031d6adffaa23199754b30948665cbedbf8af674f3d181d1c85403f8709c1fd9ff92429b133ea7e8be126dcdcc115dd |
C:\Windows\system\lMmgjIT.exe
| MD5 | 3ee04f109da47a1ec064d84e674f1c93 |
| SHA1 | 644e873cc5a86065097d9d560d0304443e10d64c |
| SHA256 | 47d2b26167d01487e92054b74706d3bb25cfa0aef4e9803e369f3581631dce9f |
| SHA512 | 9c1889d4f1db6f15c9ccdb0cc3595e9e8bef5c6661b045295c1ca732b72cf3d8471e82ed02a643342a0e821733243b7d4452a48031e235b596a8367158163fa4 |
C:\Windows\system\THEskLN.exe
| MD5 | f505e9632fbd4a5d58adc9e4173d1271 |
| SHA1 | 1bde162a3fb4ccb17e2151f596876ce0481e68a3 |
| SHA256 | 470c9e84848117759613eb687b446759f7d07a7f41d04dc436b012f7f509e2e6 |
| SHA512 | e198372dce29bd351d9034837bc88bf336ab45518f945c233b0df8303eb7db6dfe81aa40e79300136ac6bc7ee0344b1f19f04eb515a02bbb33d814e047faaccf |
C:\Windows\system\fiNZxcD.exe
| MD5 | 0628374c349921c969043e8b725a574d |
| SHA1 | d4d4b61d7abb11c25e423140f9a833a035819e3d |
| SHA256 | 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0 |
| SHA512 | 2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1 |
\Windows\system\dpyTbWW.exe
| MD5 | 6fc1d2a6aa4e5fec1598640195150caa |
| SHA1 | 163971d08fea512c74e8dc6194438875b3a4e2dd |
| SHA256 | c7702a558c524dcd71e1b49a725b4d00424bcfa78922fa47fa3df7ad8780489b |
| SHA512 | 32242bb3972b6c84fe04251d691d74728217a6789799a7b9b70417f9c92fed40204f2a0597f504eb1e15f95e5fdd6bfa9b9cbc89671f004164b2844ac1ca4ae4 |
C:\Windows\system\xWnBNGX.exe
| MD5 | c640e7276248ae97642c2a7bf34e461f |
| SHA1 | c86ee302e90005334c41f03ad1020133e971ca75 |
| SHA256 | 487238a42789387dd63d77ce6301803af0e8b6b4838fe5e37fd3c7a1c6c8df9d |
| SHA512 | 39a62ff93da5786eb18c588fe52f317b9ac0af058cf8492aac9a86def4ed525a2902436231143b3b479d9567d6f9126d4bcd27fcc18427c127150dafae026ec6 |
\Windows\system\KsJZKzU.exe
| MD5 | 67d7d0c360c2defa9a36a47a23af7dd6 |
| SHA1 | efd9d2994e80ef40cbaab5f7ef02420aebe17206 |
| SHA256 | 0521cd0d1d60fc081a5e4d3f28f5a76a962e60920d871e29a2de526b0e72b791 |
| SHA512 | f5338aedc9e177da3d3af04e6946e9f03280307d40c8e1e2e21b270727d9ec57427c8f7861835c62a83f44226e722c786902eaaa4187cfaefc3a81305ca12e2b |
memory/1944-133-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/1944-135-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/2600-134-0x000000013FB90000-0x000000013FEE4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 12:46
Reported
2024-06-11 12:46
Platform
win10v2004-20240508-en
Max time kernel
25s
Max time network
32s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\CZiydiA.exe | N/A |
| N/A | N/A | C:\Windows\System\TtROpCz.exe | N/A |
| N/A | N/A | C:\Windows\System\aasuYNv.exe | N/A |
| N/A | N/A | C:\Windows\System\LKoheel.exe | N/A |
| N/A | N/A | C:\Windows\System\OUBGmpU.exe | N/A |
| N/A | N/A | C:\Windows\System\eLGQkLl.exe | N/A |
| N/A | N/A | C:\Windows\System\aqHxGUe.exe | N/A |
| N/A | N/A | C:\Windows\System\dSUIXvf.exe | N/A |
| N/A | N/A | C:\Windows\System\XGNzVDo.exe | N/A |
| N/A | N/A | C:\Windows\System\IjYSNrL.exe | N/A |
| N/A | N/A | C:\Windows\System\NtrFIRx.exe | N/A |
| N/A | N/A | C:\Windows\System\USHqSrm.exe | N/A |
| N/A | N/A | C:\Windows\System\LQFfJMt.exe | N/A |
| N/A | N/A | C:\Windows\System\RVTPvJq.exe | N/A |
| N/A | N/A | C:\Windows\System\FoYYcYV.exe | N/A |
| N/A | N/A | C:\Windows\System\OefMECT.exe | N/A |
| N/A | N/A | C:\Windows\System\RXePwSb.exe | N/A |
| N/A | N/A | C:\Windows\System\kIKZTNS.exe | N/A |
| N/A | N/A | C:\Windows\System\nOTuAdo.exe | N/A |
| N/A | N/A | C:\Windows\System\oxisiwB.exe | N/A |
| N/A | N/A | C:\Windows\System\PfqBGVu.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\CZiydiA.exe
C:\Windows\System\CZiydiA.exe
C:\Windows\System\TtROpCz.exe
C:\Windows\System\TtROpCz.exe
C:\Windows\System\aasuYNv.exe
C:\Windows\System\aasuYNv.exe
C:\Windows\System\LKoheel.exe
C:\Windows\System\LKoheel.exe
C:\Windows\System\OUBGmpU.exe
C:\Windows\System\OUBGmpU.exe
C:\Windows\System\eLGQkLl.exe
C:\Windows\System\eLGQkLl.exe
C:\Windows\System\aqHxGUe.exe
C:\Windows\System\aqHxGUe.exe
C:\Windows\System\dSUIXvf.exe
C:\Windows\System\dSUIXvf.exe
C:\Windows\System\XGNzVDo.exe
C:\Windows\System\XGNzVDo.exe
C:\Windows\System\IjYSNrL.exe
C:\Windows\System\IjYSNrL.exe
C:\Windows\System\NtrFIRx.exe
C:\Windows\System\NtrFIRx.exe
C:\Windows\System\USHqSrm.exe
C:\Windows\System\USHqSrm.exe
C:\Windows\System\LQFfJMt.exe
C:\Windows\System\LQFfJMt.exe
C:\Windows\System\RVTPvJq.exe
C:\Windows\System\RVTPvJq.exe
C:\Windows\System\FoYYcYV.exe
C:\Windows\System\FoYYcYV.exe
C:\Windows\System\OefMECT.exe
C:\Windows\System\OefMECT.exe
C:\Windows\System\RXePwSb.exe
C:\Windows\System\RXePwSb.exe
C:\Windows\System\kIKZTNS.exe
C:\Windows\System\kIKZTNS.exe
C:\Windows\System\nOTuAdo.exe
C:\Windows\System\nOTuAdo.exe
C:\Windows\System\oxisiwB.exe
C:\Windows\System\oxisiwB.exe
C:\Windows\System\PfqBGVu.exe
C:\Windows\System\PfqBGVu.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/432-0-0x00007FF72E710000-0x00007FF72EA64000-memory.dmp
memory/432-1-0x0000019F3D180000-0x0000019F3D190000-memory.dmp
C:\Windows\System\CZiydiA.exe
| MD5 | 6297a49057d4675d581f8bbd70ea1e5f |
| SHA1 | 41fe622e441f7e5614b182ce7eaa51f2704737a2 |
| SHA256 | 0a626ac2c5c517c03426663694fecfa65c57fbd9670e7ea566f635701b460dac |
| SHA512 | 7a038a41e558e9181ca76dad7298156928366637a7f1bdbd2d511944a6b96b79e647898e745a0e3e18a0cc712b88ccec8b77ecbb97081e38afdd2d11d17b1c3c |
memory/4840-7-0x00007FF64C620000-0x00007FF64C974000-memory.dmp
C:\Windows\System\aasuYNv.exe
| MD5 | 0f4353c71002a58c5802643d840a8282 |
| SHA1 | bb3fbb79194d9e3029859ab38ef2ee4abfb47b26 |
| SHA256 | ee464261378697e4023999ba3181d662825c4bb57d1ce13214a8c5de104f7bdb |
| SHA512 | adfab5e7349e22eed80a0ce7f3c946b67369d9c5c384a691fe60c697eed3e67b5d3197724ef22230f49892578839a48975f440733ee18241a7443571088d970c |
memory/4500-13-0x00007FF6F4170000-0x00007FF6F44C4000-memory.dmp
C:\Windows\System\TtROpCz.exe
| MD5 | 23348ed5bd9d1239031a602ac5c89ccf |
| SHA1 | a98b1d4c0d49a79b52ee3884a5e3bc2bd107e462 |
| SHA256 | fd54a17aa3631f0f46100f1686157d1db466f87e89d10f2fe3ccae0e80740cd0 |
| SHA512 | 768d3b18d15aca589e88d214d2f5554290ee2411ad8f6d98cc656e3be29c631faf662b952113105b64c19e0a392825db77c5886915645e2abcbad4f4212e95c7 |
memory/3588-20-0x00007FF7F5950000-0x00007FF7F5CA4000-memory.dmp
C:\Windows\System\LKoheel.exe
| MD5 | 6ac061917e9c91a914733a840801cc48 |
| SHA1 | 13dc14e8a178f99d9dddb11642159a4740f81062 |
| SHA256 | 459abe7be5e50594e6b093b1d7c8aa5ee6549f422a5710f94c2970b52e742183 |
| SHA512 | fd376eeba9eda21dbf523819d70757ed59fe0de6f71e738bfe0006f5ac29f8233ba5195cc65241131801fe8cc35859a55995f0f56a56daa6befab87cd0513411 |
memory/3928-24-0x00007FF7C6530000-0x00007FF7C6884000-memory.dmp
memory/4380-31-0x00007FF6FF990000-0x00007FF6FFCE4000-memory.dmp
C:\Windows\System\eLGQkLl.exe
| MD5 | 4e447a70a8e5d26da7db3ca4ec4fbdfb |
| SHA1 | 5b376e351782558d97d1068f68da53a922e72f26 |
| SHA256 | 4290b59c03dfc425c06d254062bf8aae99a77dac6dcf43a411e88896c565e93b |
| SHA512 | df585be2382bff5058d129c074a436f6ad9955607d279c2ea77d22b5ed1651c8f91e9520b30770f197383f9f0c3f86069d91ce269cdae775d3dfe09c47c915a4 |
memory/4812-38-0x00007FF6C7AD0000-0x00007FF6C7E24000-memory.dmp
C:\Windows\System\OUBGmpU.exe
| MD5 | e4bf1f4f43f9fd41b7a0a640f8f74adf |
| SHA1 | cea912bc48608ed9cceca6d5cf4aa2c433ab0535 |
| SHA256 | 9f318d42f2d6773fc4d70421c11171e187d3826d8febe878645365b74d28073e |
| SHA512 | 3550027db0a1689943a761351bd92bc442807645c20e1e3d6118c3e8d0b81117ccb2726488eeefd0583a5e05160b03f910df44a8ac269d437f0f5d0cdd15aef6 |
C:\Windows\System\aqHxGUe.exe
| MD5 | 3968f3aec3cdde74e740864e0250a8b4 |
| SHA1 | b7b8e2df7d06993824709d1e6719f845014f5958 |
| SHA256 | 703733055f0e073cf676966ad247b2275bd0cbe74fc711095b797aa87af77539 |
| SHA512 | 019a2834e9bbb207261a0cf473b4b8157a954cbfa25e0baa53f7bf7e84ad7e0b4f4b0fabb3b4ee887f8338858ca6964f753fa481dac5e3f10b33c753e2838d0d |
memory/3916-44-0x00007FF608060000-0x00007FF6083B4000-memory.dmp
C:\Windows\System\dSUIXvf.exe
| MD5 | a19ac11af70ed5314bb9acf3b2a02764 |
| SHA1 | 52be4fe594efa4966245eac41818599b3c8e630f |
| SHA256 | 9a873a6bac68827ae0e13ea672455384371423239c1a246aadf30462fa0ed55c |
| SHA512 | 06bbad29cee7f67951c2d6c60b614447014666191d7b0fe25922a74206995763f0ab0a6d66a1f6d686a139fb5d2fcaa892c7edc260de16e67353f56c40744d15 |
C:\Windows\System\XGNzVDo.exe
| MD5 | b1caab1f80275fcf5c2c3d67b7d1cb77 |
| SHA1 | 3ab3db0f363b0e6cac1ab5cece4a1f18e633edcb |
| SHA256 | 694fe0cc54c2a6a2b7c000003fe58fce20eed5d4446e529d056f5f311e35365b |
| SHA512 | 05e710822869679005c5f6b37a4ed8c608c429031a1689a2766951b0a003cbf785a5c6c405b73a21086f960bcdbb958f58d3ef7ae8605596ed27036f3b977a08 |
memory/3976-52-0x00007FF64CBC0000-0x00007FF64CF14000-memory.dmp
C:\Windows\System\IjYSNrL.exe
| MD5 | 564c93b0b808653088ce25f11f43bb98 |
| SHA1 | d04ccb978c1a3a2c79ed0c51d0e8f5af479a9bc0 |
| SHA256 | 3d1f3c9c1497266a86b75829e83300b380a5a9ff76fffbc5264974c6900f1662 |
| SHA512 | 441e5059bf2008ff6ea230ff05a15f8c2cfc0baff9eefe68cbba23058649f16460f23ce232256ad3ad0f6c46285f890db97ee8bbb752a59f81685bb63a6be918 |
C:\Windows\System\NtrFIRx.exe
| MD5 | 0d17b67a58af11606dd9a399133725ba |
| SHA1 | ec46a85ed5d28dcebe83a1cb62c1b182e3afe882 |
| SHA256 | 7ad061a7f3fa3c27baa4243227af70eb425e00202383e6cb9cf20d6ee930c764 |
| SHA512 | 591624717c456c5650aff6b9e8c8d7d30b6075636c4eaa067015a6057f4986e0618bad8cb3a45e037ea03c50f3b3331f85b52ce44a382e68fc20c8830cd47d8f |
C:\Windows\System\USHqSrm.exe
| MD5 | 34a152b6ccfaff86f06314e37f82d538 |
| SHA1 | 24ebb5bd77553bc42c9b4a0e703ceb46d6da4d3c |
| SHA256 | 4ac8d3fcc18c6509f99653f8a8ead54982afd5aaa8027a7b97db4afacc7e7598 |
| SHA512 | 32f5832ebdf56527f28aa6fc217f2eddef70fa1e7475f7f2f23ee57467f040b7480c5c66e2e0d1c94309c1dd7bbc389a4ccb08e49af8243c1bb284c27d71e4eb |
memory/1492-72-0x00007FF6E35F0000-0x00007FF6E3944000-memory.dmp
memory/1712-75-0x00007FF747EF0000-0x00007FF748244000-memory.dmp
C:\Windows\System\LQFfJMt.exe
| MD5 | 38c58a49792c95b45b80241e1ec1e192 |
| SHA1 | 08579100e9608a573b7fb160bd5b69b785579b23 |
| SHA256 | 180810ca5b3b0378685c0b7a4ef2feafe198a705f474f3a25b21742f21d63b22 |
| SHA512 | adddf4c01ae6ef32ac5417487ef830c849aa65afd2ad0998f89e9569c145b19b5dc21ff15afe32f8d39774b73d0179a64c0f32c80846d7d875bdcf007e1f95ad |
memory/5388-78-0x00007FF676980000-0x00007FF676CD4000-memory.dmp
memory/4840-65-0x00007FF64C620000-0x00007FF64C974000-memory.dmp
memory/432-62-0x00007FF72E710000-0x00007FF72EA64000-memory.dmp
memory/1196-57-0x00007FF6354D0000-0x00007FF635824000-memory.dmp
memory/4500-82-0x00007FF6F4170000-0x00007FF6F44C4000-memory.dmp
memory/4984-83-0x00007FF728420000-0x00007FF728774000-memory.dmp
C:\Windows\System\RVTPvJq.exe
| MD5 | e034851e2588f9f8f7957a23a03d5469 |
| SHA1 | 783776a5098c76edd4630865f7cfb99c330e6c25 |
| SHA256 | 6425f50b9da7b7069472bb039b5640d37bb364bc73e8b50b0bc32e067f5d672d |
| SHA512 | a2134489ca5197f197c3c41c2d959f348bd74a68a86ff8cc94e708f5013c2bb5c5370cfeb921f1dc4b94f12af27325d1515a0069a9585a1d48398d42e8016b9f |
C:\Windows\System\FoYYcYV.exe
| MD5 | 1de61e91ce4bb062227baaaf745b83fa |
| SHA1 | a24fe48c1d4080b0a6a4d436b80eaed69694ba66 |
| SHA256 | caf5cfbce2293d19314bf4fc2867f3259f75d5ffc5623deaccbb98e232ecfb02 |
| SHA512 | 7c0a0a9ce4dd65fa965b6a91091cf593cdb5b5a1988f998e432c951a2d965453ec2b899f8ae17568681264758afb5a860f47a2ca9c69fab4eafaf41bf492e0c6 |
memory/3816-108-0x00007FF6AC120000-0x00007FF6AC474000-memory.dmp
C:\Windows\System\kIKZTNS.exe
| MD5 | 8cccf80dab2de66aab2f6ef304069090 |
| SHA1 | 14d4f3bf70916f6b259775f9c638e59488446940 |
| SHA256 | ba313ea7190d3491d11dae91ae5983cb835af2b8442fcff34302dd88b9b9abb0 |
| SHA512 | 94abdc9147a4ef3b4a11f9da280a3cd53d7a92c5ea807d28e8359e0d68fca65755a3326cacfef682c449c7bf1371b36c9a6ce42f5297735672230466ce79e21e |
C:\Windows\System\RXePwSb.exe
| MD5 | e3187403586c18e67d7e050edeaaefaf |
| SHA1 | 4c0ad72abe1ce9541aadfc4c7e3074a4089d5fc5 |
| SHA256 | b1195237b72b2676d2952f6010051ff9502699085c2db74832e5e4acee03e515 |
| SHA512 | 046f38ab11cceb3e90061bde6403e2634b47ec194389e3581c1bda24dcceda476ba00a8ea64fabf841c10534e16a003ddee40b1d415b037e2ea9c76340a63e53 |
memory/1900-116-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp
memory/4572-112-0x00007FF7BC130000-0x00007FF7BC484000-memory.dmp
memory/3916-110-0x00007FF608060000-0x00007FF6083B4000-memory.dmp
memory/4812-109-0x00007FF6C7AD0000-0x00007FF6C7E24000-memory.dmp
memory/4380-100-0x00007FF6FF990000-0x00007FF6FFCE4000-memory.dmp
C:\Windows\System\OefMECT.exe
| MD5 | cd132004629b1457970484e066139bcf |
| SHA1 | 5ba7e978fcee261f22d958d68f08887dd797db6d |
| SHA256 | 3e21b0e8d7ba2ea7f569d71ba1edec29a30ff8490dfa66f72f64cdc5187e6cc2 |
| SHA512 | 17639947d950d779c9a81ef6a12e3d2b8d56aff8121534549350a52dbc63ae6bb2b11d157b405d9249eb0d85fe63776b5a0dcea17280231a81a6559c2fcd3542 |
memory/2052-94-0x00007FF654E00000-0x00007FF655154000-memory.dmp
memory/3928-93-0x00007FF7C6530000-0x00007FF7C6884000-memory.dmp
memory/3904-92-0x00007FF782100000-0x00007FF782454000-memory.dmp
C:\Windows\System\nOTuAdo.exe
| MD5 | 3050ffb5ec991bae6bf47b22287a3771 |
| SHA1 | c89b0aceac23e09c367fade383c01109aab2cb0a |
| SHA256 | 482605298b4c576f137711542cb6bffe967c109cf1e407b8579b84dab88ec6db |
| SHA512 | 8238bc3347c78eeb8fa85caba929d30594b451a1d9626a09b563e69c7341f10b18d3c4cec70d845d469a2bc32242dd469976bd5870e03ad83136c96c4e4f6223 |
memory/5208-121-0x00007FF69ECF0000-0x00007FF69F044000-memory.dmp
C:\Windows\System\oxisiwB.exe
| MD5 | f601fc9d978f240f8cb8060a51b1154a |
| SHA1 | 0a700cf8d71aebf8b1423c2109f6e7aaee97379f |
| SHA256 | 40b81dc4ca72d11890a1b5135985a376bcc47a97f05acea30abfa8a92b3dc240 |
| SHA512 | 41fb45a78e2dd2229c26507241f5af5d1324720d0574411a646972720234496e9aa15985e3395cd8ab8bc15f2b47327c8101920867d571015d6d8122a3da2f8c |
C:\Windows\System\PfqBGVu.exe
| MD5 | f08813988d0b663d6a946936b6cb9e56 |
| SHA1 | 2caf4fe9af40c7f6a79ba8a1bbefe3042da30345 |
| SHA256 | 7f9265a842f08caca6e5772592a62414b3f557ce5a875d0f84b1d1b268559d84 |
| SHA512 | df6cf6e86f88400154c1e3227201b52990264a1c9152fff53234fbe5e62b01af5f14c3fe34d40fc3031f59e9a54805503a9e87923eaf2321674de4aeadd2826b |
memory/1712-134-0x00007FF747EF0000-0x00007FF748244000-memory.dmp
memory/1232-135-0x00007FF64BD00000-0x00007FF64C054000-memory.dmp
memory/2932-132-0x00007FF607AA0000-0x00007FF607DF4000-memory.dmp
memory/2052-136-0x00007FF654E00000-0x00007FF655154000-memory.dmp
memory/3816-137-0x00007FF6AC120000-0x00007FF6AC474000-memory.dmp
memory/4572-138-0x00007FF7BC130000-0x00007FF7BC484000-memory.dmp
memory/1900-141-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp
memory/5208-140-0x00007FF69ECF0000-0x00007FF69F044000-memory.dmp
memory/2932-139-0x00007FF607AA0000-0x00007FF607DF4000-memory.dmp
memory/432-142-0x00007FF72E710000-0x00007FF72EA64000-memory.dmp