Analysis Overview
SHA256
ea5d21cbfc480e93ee72f0f14792230db0a0380c0235eb82f1bf8f97bd96b9aa
Threat Level: Known bad
The file 2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobalt Strike reflective loader
xmrig
XMRig Miner payload
Cobaltstrike family
Xmrig family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 19:23
Signatures
Cobalt Strike reflective loader
1 match; description, indicator, process and target were not captured in this export.
Cobaltstrike family
XMRig Miner payload
1 match; description, indicator, process and target were not captured in this export.
Xmrig family
UPX packed file
1 match; description, indicator, process and target were not captured in this export.
Unsigned PE
2 matches; description, indicator, process and target were not captured in this export.
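The static1 verdicts "UPX packed file" and "Unsigned PE" come from two cheap header checks that are worth being able to reproduce before trusting a sandbox tag. The Python below is an added example written for this page, not code from the sandbox or from either malware family: it walks the DOS, COFF, optional and section headers with struct only, looks for UPX's default section names (and its "UPX!" marker) and tests whether the Authenticode certificate table (data directory entry 4) is empty. Because the dropped binaries themselves are not on this page, build_pe constructs a minimal, non-runnable PE32+ image in memory to exercise the checks; its section names and the fake certificate-table offsets are assumptions.

```python
import struct

# Offsets inside the optional header of the fields these checks need,
# keyed by optional-header magic: (NumberOfRvaAndSizes, first data directory).
_LAYOUT = {0x20B: (108, 112), 0x10B: (92, 96)}   # PE32+, PE32
_SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode certificate table


def inspect_pe(data: bytes) -> dict:
    """Return section names, a UPX verdict and whether an Authenticode table is present."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsect, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in _LAYOUT:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    nrva_off, dd_off = _LAYOUT[magic]
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    cert_size = 0
    if nrva > _SECURITY_DIR:  # the directory exists only if the header declares enough entries
        _cert_off, cert_size = struct.unpack_from("<II", data, opt + dd_off + _SECURITY_DIR * 8)
    names = []
    sec = opt + opt_size  # section table starts right after the optional header
    for i in range(nsect):
        raw = struct.unpack_from("<8s", data, sec + i * 40)[0]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "magic": "PE32+" if magic == 0x20B else "PE32",
        "sections": names,
        # Stock UPX keeps its default section names and writes a "UPX!" marker.
        "upx": any(n.startswith("UPX") for n in names) or b"UPX!" in data,
        # An empty certificate table means no embedded Authenticode signature.
        "embedded_signature": cert_size != 0,
    }


def build_pe(section_names, signed: bool) -> bytes:
    """Construct a minimal, non-runnable PE32+ image in memory (test fixture, assumed layout)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)                                  # PE32+ optional header incl. 16 data dirs
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    if signed:
        # Fake certificate table (file offset, size); real files point at a WIN_CERTIFICATE blob.
        struct.pack_into("<II", opt, 112 + _SECURITY_DIR * 8, 0x1000, 0x800)
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(inspect_pe(f.read()))
    else:
        print(inspect_pe(build_pe([b"UPX0", b"UPX1", b".rsrc"], signed=False)))
```

Two caveats go with these checks. A repacked or patched UPX build can rename its sections and strip the marker, so a clean section list does not rule out UPX. And an empty certificate table only says there is no embedded signature, which is also true of catalog-signed Windows system files, so "Unsigned PE" on its own is weak evidence and is only meaningful together with the other signatures on this page.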
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 19:23
Reported
2024-05-22 19:25
Platform
win7-20240221-en
Max time kernel
140s
Max time network
138s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; description, indicator, process and target were not captured in this export.
Cobaltstrike
xmrig
XMRig Miner payload
36 matches; description, indicator, process and target were not captured in this export.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xNhgJfJ.exe | N/A |
| N/A | N/A | C:\Windows\System\TrMYMBb.exe | N/A |
| N/A | N/A | C:\Windows\System\ebPkSIe.exe | N/A |
| N/A | N/A | C:\Windows\System\UsrgmHT.exe | N/A |
| N/A | N/A | C:\Windows\System\phmxJzv.exe | N/A |
| N/A | N/A | C:\Windows\System\lCEhEvE.exe | N/A |
| N/A | N/A | C:\Windows\System\wVARfeK.exe | N/A |
| N/A | N/A | C:\Windows\System\RgUjrOj.exe | N/A |
| N/A | N/A | C:\Windows\System\NgjUaxl.exe | N/A |
| N/A | N/A | C:\Windows\System\TTHkwKH.exe | N/A |
| N/A | N/A | C:\Windows\System\noHFaGs.exe | N/A |
| N/A | N/A | C:\Windows\System\SDSfRlT.exe | N/A |
| N/A | N/A | C:\Windows\System\UbOVhgh.exe | N/A |
| N/A | N/A | C:\Windows\System\ytjMomt.exe | N/A |
| N/A | N/A | C:\Windows\System\kanVcJK.exe | N/A |
| N/A | N/A | C:\Windows\System\eghLfht.exe | N/A |
| N/A | N/A | C:\Windows\System\SPFbiPb.exe | N/A |
| N/A | N/A | C:\Windows\System\FQEebuv.exe | N/A |
| N/A | N/A | C:\Windows\System\xKPNjiG.exe | N/A |
| N/A | N/A | C:\Windows\System\TzXnxZM.exe | N/A |
| N/A | N/A | C:\Windows\System\DSdSIZF.exe | N/A |
Loads dropped DLL
UPX packed file
59 matches; description, indicator, process and target were not captured in this export.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe | N/A |
SeLockMemoryPrivilege is the "Lock pages in memory" right. XMRig requests it to enable large (huge) pages for its mining scratchpad, so this token request from the parent process fits the XMRig Miner payload signature.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe"
Dropped executables, each launched with a command line identical to its path (no arguments):
C:\Windows\System\xNhgJfJ.exe
C:\Windows\System\TrMYMBb.exe
C:\Windows\System\ebPkSIe.exe
C:\Windows\System\UsrgmHT.exe
C:\Windows\System\phmxJzv.exe
C:\Windows\System\wVARfeK.exe
C:\Windows\System\lCEhEvE.exe
C:\Windows\System\RgUjrOj.exe
C:\Windows\System\NgjUaxl.exe
C:\Windows\System\ytjMomt.exe
C:\Windows\System\TTHkwKH.exe
C:\Windows\System\SPFbiPb.exe
C:\Windows\System\noHFaGs.exe
C:\Windows\System\FQEebuv.exe
C:\Windows\System\SDSfRlT.exe
C:\Windows\System\xKPNjiG.exe
C:\Windows\System\UbOVhgh.exe
C:\Windows\System\TzXnxZM.exe
C:\Windows\System\kanVcJK.exe
C:\Windows\System\DSdSIZF.exe
C:\Windows\System\eghLfht.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Five TCP connections to the same endpoint inside the 138 s network window, with no DNS query preceding them, which is consistent with a hard-coded address.
Files
memory/1760-0-0x000000013FC50000-0x000000013FFA1000-memory.dmp
memory/1760-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\xNhgJfJ.exe
| MD5 | 224623c7e5f842809727ba84b4b9b171 |
| SHA1 | bf44a47c2c2a64c5924b25eec4481858c58b55e2 |
| SHA256 | fc99bffa75e5c38982dcec85f11104288bf9bcc46d2e9b4886b80ee6e0f6ed2d |
| SHA512 | 3eab44edc71df325e1bfa267794530dc3ca60eb837fee7e6cd157cf7572d0a3f84dfa32a78bb8709c6c98e705907de7eeb9042b9bd2d43f41df2bededef355bc |
C:\Windows\system\TrMYMBb.exe
| MD5 | 5b4236cb6038b8aaaf1f8b3e1b01144a |
| SHA1 | 2c1e58c89b4c356551ef3f9425e8b22fa8381b54 |
| SHA256 | 87e547371611edbbe834dc42ed7d02ccb9d40574a4baed33ff23b30f2fb37772 |
| SHA512 | bcf4b336312c9b190f5f808342284bb179db12131012b535b3233c8198a702c39f69fc0113889000a0d040f248eeb61d5f4d0d4674ce7a20053d195bdc5693cb |
memory/1760-8-0x000000013FFC0000-0x0000000140311000-memory.dmp
C:\Windows\system\ebPkSIe.exe
| MD5 | b7080c711d06d01caffebe266c2d881b |
| SHA1 | 4b6e8faf3ac3abeba638444d51e6d6289c7050f0 |
| SHA256 | 6294f6316895ff597684ace69d2ad60535acb7a1e6ed8056dd58f053a47fd6e7 |
| SHA512 | dd439570dbffc3b42630aa2b9ead00235974fcd61560868f5f4e2b41496bc68bbc079e3208d9f2424080b9f6ce45f6bf556ad3e97d67ceea7ce4c3c87f90c1ef |
memory/2736-37-0x000000013F560000-0x000000013F8B1000-memory.dmp
memory/2564-45-0x000000013F030000-0x000000013F381000-memory.dmp
memory/1760-31-0x000000013F560000-0x000000013F8B1000-memory.dmp
\Windows\system\ytjMomt.exe
| MD5 | 45dc8c2832599f7e6facccc1a69a0777 |
| SHA1 | c791e1ea45196d7982011bac6fb9721cab9bb2db |
| SHA256 | 7816cd31d0972c8040147ed9a39245799d5ff86cd19050539b3437b98f22c91b |
| SHA512 | fcdbd9d6f77b3d7cfb48363af4b9c715dc03d35057653ca1ae10583c1e508d8f8f5147e29e1a4e554360c06da8097290ffb0f1349be6d4e2bbf77ecac2aa30b7 |
\Windows\system\SDSfRlT.exe
| MD5 | 5d43ef702b8660eb5c284cef85a1c7de |
| SHA1 | eaae2a9d498a0822d05edbaa8d68d39f4632ce4e |
| SHA256 | d17438e9504215e0a51eb402613e5b2cc510d8150616a23db8481efa391347e4 |
| SHA512 | f67359256134490e64c903c61d5c9136f57c35121108619e694f57bfe995a6b97d5da69d4fe87e7bfa6e6ab823ae8a507e82f254c63eed231d49e5b7c5cead3e |
C:\Windows\system\TzXnxZM.exe
| MD5 | 57b891be85ddf3510505e86f211ea578 |
| SHA1 | 2d6be9cbb2a3c32032b13177b562096c772f0d91 |
| SHA256 | f9eb963cf04ecbaf4ac9f482514df7b7f5de4880c91f099c81b968690697a21f |
| SHA512 | 275c72f0ef34250ae37e4dc72d034aaaec6858a7b03c5192586d9db783e38f5d5945f6fd8601c4d9ff1ee1d49ca56efa16767ecbdda7d11e0cd37e04be347626 |
memory/1760-111-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/1760-110-0x000000013F1B0000-0x000000013F501000-memory.dmp
C:\Windows\system\kanVcJK.exe
| MD5 | 372d05c044bb7fe0082a64db5556a6e4 |
| SHA1 | 921e4abfab7843924e947098755c67aae380880c |
| SHA256 | 109111a18851e7476795f1640a332773a31523a93954847123e8f87f80bd6040 |
| SHA512 | 4766181ba5dbae860621adbf42fe5a0a691fb0a9901f6dad20abd19b6336dfa3c9b8db406fc7b148516687c2382ddfd660b9098e12b36e41786da82f18525b94 |
memory/1760-106-0x0000000002310000-0x0000000002661000-memory.dmp
\Windows\system\DSdSIZF.exe
| MD5 | e4f69a4880c79500017b32b09d58f435 |
| SHA1 | 60d9d0596f496921315d9a42c1eb10a47396a1c1 |
| SHA256 | bb319b26f1aef9a362d3c2012d3e6c91db0198acb1abf4804e012f3598a5ce19 |
| SHA512 | 5167097f784452eb0943dc4631a696eece7a4b59dd49d50dc57750cf021e6266547868b26c53c240262fcdf761815907d54e43bf9b604f6d4861bb2a69764b2e |
\Windows\system\xKPNjiG.exe
| MD5 | fa46ae9fa2d2418cc98f9c383283a4b7 |
| SHA1 | f8369e7dfb3380a918e501c7b686bfb27a703bcd |
| SHA256 | 35a51b38119e0c13a91de68cd3820917b156303c9f484e1023bc12d5c4d8514b |
| SHA512 | 7f320c3e267ced2ee958fc132310d3a69a55a93aca2c8f7baf6e624d953d0c9b6233103bd2ba5324445f81307b6793de4f0d14076c3933156d7af6c02761f71b |
C:\Windows\system\noHFaGs.exe
| MD5 | 9156460a082bbbf2934c6c41cfd77e84 |
| SHA1 | c360907491223128f4317df3367c770b83cd7ba6 |
| SHA256 | 2392aefc165e9527866e8cfafafee0545d08077471c4b53b4bc0ec02938a737a |
| SHA512 | 2bdc76e14ec840534a0e000fa913ffa3c03e6d5825700699ddf58cb9fafc039cece68f17bad623301e30c534d6cda3ab0006c3baf4c9cbd5c4e2cb2d925a0e6f |
\Windows\system\FQEebuv.exe
| MD5 | 2b6f4dd4ad6384241afc3b32d933bde0 |
| SHA1 | 3c8103c531acc261b6fbdd1cd6018bba6152ff3b |
| SHA256 | cb4bec76c471242de68ed140ddc0f8befaf6dfcfaf6c3a5ddd62e0034db69e6e |
| SHA512 | d79b035e90cb9b592c883b22a864ee50f9e797f4ed01ae34086e2e5964e2597612d93846d16208a35351e6d47dcf9a837c7768cc16ea2e701cd253eb3b6992ca |
memory/1760-73-0x0000000002310000-0x0000000002661000-memory.dmp
C:\Windows\system\TTHkwKH.exe
| MD5 | 022653d523f30f08622c89cbe122438b |
| SHA1 | 74fc8f8034b1bcdbb20989e4257a7ad08454dd32 |
| SHA256 | af58bad0014fc26e10de640e037b820eac356243d15c62279bc829f90305faac |
| SHA512 | cee03e0b39ce9955fb4ce7b1946bb6d4abfa2021fce162345fdb94e030d6e5ddaef3bd5553f20afba6cba48df83fc66952d41c258676d97b41e8e780bc8d2a74 |
\Windows\system\SPFbiPb.exe
| MD5 | 69451b896ee845d0696cde6ea3a80596 |
| SHA1 | 2626e3e038a304b1b072a2ba39e0a12f496015cc |
| SHA256 | 5fff24ed4941bfe485756c9bd51a1663b83383cf9410acaf5bf0a2d78e0fd0d8 |
| SHA512 | 4d6debdb88e216a7c899401f241602d7787be1fc9bb8dcc6d6c9fda46cecd868ab5092f17d6c9c23004e6ed4c5786655206a177f5a4e63842fe9085910939707 |
memory/1760-134-0x000000013FC50000-0x000000013FFA1000-memory.dmp
memory/2432-55-0x000000013F230000-0x000000013F581000-memory.dmp
C:\Windows\system\RgUjrOj.exe
| MD5 | 2b6e236446923f3ad4f571dfed2f35cd |
| SHA1 | d0688ab486cfa669fc2ae6619426634766bcbe67 |
| SHA256 | 4094dff074f9a9afdcd879fb989f779ec599629c885788cd22a8011e940afab5 |
| SHA512 | 4e552c6e556de59b041ff5a6e9c1cd3b010d3d79af881994add4ac89fe471210a3e7867ca07b11bf577b83e87b357256a7bc6b6021c8b102a06302fe01b59fe5 |
memory/1384-121-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/1352-120-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/1760-119-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/472-118-0x000000013FBE0000-0x000000013FF31000-memory.dmp
memory/1760-117-0x000000013F240000-0x000000013F591000-memory.dmp
memory/1760-116-0x0000000002310000-0x0000000002661000-memory.dmp
C:\Windows\system\eghLfht.exe
| MD5 | 023875ae52556c233510c302a29b4bf2 |
| SHA1 | 94de6877233bce01f5694ffb1b481a936c44dba0 |
| SHA256 | 92b890e0b27def3377f030affcb7cc0df06745035d72505889a669058d347a4b |
| SHA512 | c3990e26819412be9e6f00387e308840ca952a2a8467746572a3d8732e043a5a1087d542011b7b9337dc46a0f77e82e68cf63086e3d30924592496aa1a7627d0 |
C:\Windows\system\UbOVhgh.exe
| MD5 | 9d9339eaeb70bf3f851e7fae5a42ecab |
| SHA1 | 539b65f62c46cb3b5155977b839206e66990129e |
| SHA256 | 6fa3ebcc9bba605399e6cb3b76e52ea3dbf669780502800be8f55bbf490f5104 |
| SHA512 | 93253d6a41673eeeec35c31abcd787081a5734751dab8e9d9b0c46a06a0dc7c638d6a2a8a932ca198a4f101c8a7828369adcfd6a9828f4f210289129d5e4ef9f |
memory/1760-94-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/1760-85-0x0000000002310000-0x0000000002661000-memory.dmp
memory/1760-52-0x000000013F230000-0x000000013F581000-memory.dmp
memory/2580-51-0x000000013F3E0000-0x000000013F731000-memory.dmp
memory/1760-50-0x000000013F690000-0x000000013F9E1000-memory.dmp
memory/1760-48-0x000000013F6D0000-0x000000013FA21000-memory.dmp
memory/1488-77-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2432-143-0x000000013F230000-0x000000013F581000-memory.dmp
memory/2580-141-0x000000013F3E0000-0x000000013F731000-memory.dmp
memory/1716-149-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/1944-147-0x000000013F240000-0x000000013F591000-memory.dmp
memory/592-145-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/2324-156-0x000000013FF30000-0x0000000140281000-memory.dmp
memory/2644-155-0x000000013FDF0000-0x0000000140141000-memory.dmp
memory/2076-154-0x000000013FF20000-0x0000000140271000-memory.dmp
memory/2952-153-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
memory/2800-152-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/2732-151-0x000000013F1B0000-0x000000013F501000-memory.dmp
C:\Windows\system\NgjUaxl.exe
| MD5 | 35cfd2843bd48bdf4c77509457000d33 |
| SHA1 | a6d77302f0726f6b0d66c6eaf8bf9994aafc93e2 |
| SHA256 | 6294b875dc2cb90cd39753d10c3f145a43a00c4d61eb390ee68214a95cc39781 |
| SHA512 | 88300363018f6158838d8886f54583bd2710c8fefde2725350be5f3d12a6aa259c3905d265bbe7c21b00cfc83d9992ad99c3ddfef3043dd0acc2ea7b121cfd37 |
C:\Windows\system\phmxJzv.exe
| MD5 | c34650c4759e97c20f0aef37fe05e2e6 |
| SHA1 | 48b7ae7b62ed6b5e17ce98b4958f645b5fb9e451 |
| SHA256 | cbe14dc2bbdeaf53573eff416125952bc8beb131ce185c1cc0e5801bc16d5872 |
| SHA512 | 09058826aa276be5094fcc87b37e270ba5946233bfee6e16c35dc91a1f6710cd1ba5cfe5596c8f4a34ce80aff661078df6fb18fb6df59e01908d9bfab75a5934 |
C:\Windows\system\UsrgmHT.exe
| MD5 | 250bf4828ae5ec65dfda1d2326e52e1e |
| SHA1 | 880d8bd99b80925c6164ca06ea8096a1feee4f22 |
| SHA256 | 9b67826a4b4bc09a2c5937ce21f4db378b3205170b9c07060a16f493edabcbff |
| SHA512 | f9366712860c717814beab327a54076b1422d69d13b044931f60bcdb9b5333a76a1487d2aa66d01f58de3023653599573debeab456cfc0c108d21a90d9b16bb0 |
\Windows\system\wVARfeK.exe
| MD5 | 559ecea3700015e775f54803330aaf2d |
| SHA1 | 658470b042cbbf0cb42c0aa68e2b4b907050883c |
| SHA256 | 81da1b47a0731885521cb34980d4492a760ebd4ffc15be072fc66488dfaa54f0 |
| SHA512 | 4372fa9431933dcb6ca695e12bcfeaacdfc28bff184c10654607e5e59e99e8eb9d726c94de8130414d61165c5b0e931d69e347a585f410545fc67bbf37cc0dd1 |
memory/3012-21-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/2804-44-0x000000013F690000-0x000000013F9E1000-memory.dmp
memory/2768-43-0x000000013F6D0000-0x000000013FA21000-memory.dmp
memory/2576-42-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/1760-38-0x0000000002310000-0x0000000002661000-memory.dmp
C:\Windows\system\lCEhEvE.exe
| MD5 | 85e737480a975810386eea9bdc4cf711 |
| SHA1 | eaaad2efd66ec01c37426054b563065c6efd1bd4 |
| SHA256 | 00512603c6a7ecd0a080c5ae030f60e1c8f28403f88f4a2a116979d47382e75a |
| SHA512 | 4219d53f53b3e452e9f9f69e6ae6fe1f4e03dbb2994be865771a1e19e4f72c8e5e536030266d8f6f979bc8858f5d4addebdd4535a99547196e466ee90ab368fa |
memory/1760-157-0x000000013FC50000-0x000000013FFA1000-memory.dmp
memory/3012-208-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/2564-212-0x000000013F030000-0x000000013F381000-memory.dmp
memory/2736-211-0x000000013F560000-0x000000013F8B1000-memory.dmp
memory/2804-216-0x000000013F690000-0x000000013F9E1000-memory.dmp
memory/2576-218-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/2768-214-0x000000013F6D0000-0x000000013FA21000-memory.dmp
memory/2432-220-0x000000013F230000-0x000000013F581000-memory.dmp
memory/2580-222-0x000000013F3E0000-0x000000013F731000-memory.dmp
memory/472-226-0x000000013FBE0000-0x000000013FF31000-memory.dmp
memory/1488-224-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/1384-228-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/1352-230-0x000000013F850000-0x000000013FBA1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 19:23
Reported
2024-05-22 19:25
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; description, indicator, process and target were not captured in this export.
Cobaltstrike
xmrig
XMRig Miner payload
44 matches; description, indicator, process and target were not captured in this export.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\tdFtyEQ.exe | N/A |
| N/A | N/A | C:\Windows\System\HITYKSm.exe | N/A |
| N/A | N/A | C:\Windows\System\DkgFByb.exe | N/A |
| N/A | N/A | C:\Windows\System\usFVRfh.exe | N/A |
| N/A | N/A | C:\Windows\System\QGpCoRB.exe | N/A |
| N/A | N/A | C:\Windows\System\uLVdQEy.exe | N/A |
| N/A | N/A | C:\Windows\System\cRHxMFv.exe | N/A |
| N/A | N/A | C:\Windows\System\yYjnmMO.exe | N/A |
| N/A | N/A | C:\Windows\System\LwrFufj.exe | N/A |
| N/A | N/A | C:\Windows\System\mSSDfiY.exe | N/A |
| N/A | N/A | C:\Windows\System\xITUJPM.exe | N/A |
| N/A | N/A | C:\Windows\System\SpJkuot.exe | N/A |
| N/A | N/A | C:\Windows\System\ggrtGAG.exe | N/A |
| N/A | N/A | C:\Windows\System\dLyzVXg.exe | N/A |
| N/A | N/A | C:\Windows\System\TfiiOXk.exe | N/A |
| N/A | N/A | C:\Windows\System\oeaJczD.exe | N/A |
| N/A | N/A | C:\Windows\System\LbImLLu.exe | N/A |
| N/A | N/A | C:\Windows\System\ODsnpAG.exe | N/A |
| N/A | N/A | C:\Windows\System\zAnIdit.exe | N/A |
| N/A | N/A | C:\Windows\System\oivoLcB.exe | N/A |
| N/A | N/A | C:\Windows\System\TnZoXWc.exe | N/A |
UPX packed file
64 matches; description, indicator, process and target were not captured in this export.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe"
Dropped executables, each launched with a command line identical to its path (no arguments):
C:\Windows\System\tdFtyEQ.exe
C:\Windows\System\HITYKSm.exe
C:\Windows\System\DkgFByb.exe
C:\Windows\System\usFVRfh.exe
C:\Windows\System\QGpCoRB.exe
C:\Windows\System\uLVdQEy.exe
C:\Windows\System\cRHxMFv.exe
C:\Windows\System\yYjnmMO.exe
C:\Windows\System\LwrFufj.exe
C:\Windows\System\mSSDfiY.exe
C:\Windows\System\xITUJPM.exe
C:\Windows\System\SpJkuot.exe
C:\Windows\System\ggrtGAG.exe
C:\Windows\System\dLyzVXg.exe
C:\Windows\System\TfiiOXk.exe
C:\Windows\System\oeaJczD.exe
C:\Windows\System\LbImLLu.exe
C:\Windows\System\ODsnpAG.exe
C:\Windows\System\zAnIdit.exe
C:\Windows\System\oivoLcB.exe
C:\Windows\System\TnZoXWc.exe
Also recorded in the run (an Edge utility process from the Windows 10 image; nothing in this export links it to the sample):
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3416,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Six TCP connections to 3.120.209.58:8080, again with no DNS lookup for that address. The PTR queries to 8.8.8.8 and the www.bing.com / tse1.mm.bing.net traffic appear to be ordinary Windows 10 background activity of the sandbox image rather than behaviour of the sample.
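Both detonations (behavioral1 on Windows 7, behavioral2 on Windows 10) show the same chain: the sample requests SeLockMemoryPrivilege, writes 21 executables with random seven-letter names into C:\Windows\System (not System32), runs each of them with no arguments, and repeatedly opens TCP connections to 3.120.209.58:8080 without ever resolving a name for it. The Python below is an added example, not code from the sandbox, that turns those observations into detection logic and runs it over a constructed set of endpoint events modelled on this report. The event schema (event, image, parent, target, dst_ip, dst_port, proto, privilege) is a simplified stand-in for Sysmon or EDR telemetry, and the beacon threshold and the name-length range in the path pattern are assumptions.

```python
import re
from collections import Counter

# Executables created in or run from C:\Windows\System (not System32 / SysWOW64).
# Modern software practically never writes new executables there; the 5-12
# character alphanumeric name range is an assumption based on this report.
DROPPED_IN_WINDOWS_SYSTEM = re.compile(r"^c:\\windows\\system\\[a-z0-9]{5,12}\.exe$", re.I)

# "Lock pages in memory": XMRig requests it to enable large pages for its scratchpad.
LARGE_PAGE_PRIV = "SeLockMemoryPrivilege"

# Number of TCP connections to one ip:port inside a short window that counts as beaconing (assumed).
BEACON_THRESHOLD = 3


def analyze(events):
    """Run the four rules over a list of event dicts and return the findings that fired."""
    findings = []
    connects = Counter()
    first_image = {}
    for ev in events:
        kind = ev["event"]
        if kind == "file_create" and DROPPED_IN_WINDOWS_SYSTEM.match(ev["target"]):
            findings.append({"rule": "drops_exe_in_windows_system",
                             "process": ev["image"], "target": ev["target"]})
        elif kind == "process_create" and DROPPED_IN_WINDOWS_SYSTEM.match(ev["image"]):
            findings.append({"rule": "executes_dropped_exe",
                             "process": ev["image"], "parent": ev["parent"]})
        elif kind == "privilege_adjust" and ev["privilege"] == LARGE_PAGE_PRIV:
            findings.append({"rule": "lock_memory_privilege_request", "process": ev["image"]})
        elif kind == "network_connect":
            key = (ev["dst_ip"], ev["dst_port"], ev["proto"])
            connects[key] += 1
            first_image.setdefault(key, ev["image"])
    # Second pass: repeated connections to the same endpoint from the whole run.
    for (ip, port, proto), n in connects.items():
        if proto == "tcp" and n >= BEACON_THRESHOLD:
            findings.append({"rule": "repeated_connect_same_endpoint", "dst": f"{ip}:{port}",
                             "count": n, "process": first_image[(ip, port, proto)]})
    return findings


# Constructed sample telemetry mirroring the behaviour recorded on this page.
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe")
SAMPLE_EVENTS = [
    {"event": "process_create", "image": SAMPLE, "parent": "C:\\Windows\\explorer.exe"},
    {"event": "privilege_adjust", "image": SAMPLE, "privilege": "SeLockMemoryPrivilege"},
    {"event": "file_create", "image": SAMPLE, "target": "C:\\Windows\\System\\xNhgJfJ.exe"},
    {"event": "process_create", "image": "C:\\Windows\\System\\xNhgJfJ.exe", "parent": SAMPLE},
    {"event": "file_create", "image": SAMPLE, "target": "C:\\Windows\\System\\TrMYMBb.exe"},
    {"event": "process_create", "image": "C:\\Windows\\System\\TrMYMBb.exe", "parent": SAMPLE},
    # Benign controls: a System32 binary and a single DNS query must not fire.
    {"event": "process_create", "image": "C:\\Windows\\System32\\svchost.exe",
     "parent": "C:\\Windows\\System32\\services.exe"},
    {"event": "network_connect", "image": "C:\\Windows\\System32\\svchost.exe",
     "dst_ip": "8.8.8.8", "dst_port": 53, "proto": "udp"},
] + [
    {"event": "network_connect", "image": SAMPLE,
     "dst_ip": "3.120.209.58", "dst_port": 8080, "proto": "tcp"}
    for _ in range(5)
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The directory rule is the strong signal here: the file names are random per run (compare the two Executes dropped EXE lists), so hunting by name or hash only catches this one build, while a new executable under C:\Windows\System is rare enough to alert on by itself. The repeated-connection rule is deliberately counted over the whole run rather than per process, because each dropped copy may open its own socket to the same endpoint.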
Files
memory/3856-0-0x00007FF7FE610000-0x00007FF7FE961000-memory.dmp
memory/3856-1-0x000002789C960000-0x000002789C970000-memory.dmp
C:\Windows\System\tdFtyEQ.exe
| MD5 | 6d5bf3a898be0514afc179f2d3bcff2c |
| SHA1 | 5dd441cee79956ca8af232696407f5b0650b5c8e |
| SHA256 | 1e40e10f290aff0be4def06a73d952c6b04033f613790f4ae5e05f7d4a79b1bf |
| SHA512 | 12b28a200761f4b3c836075e081da72e178c36ae78be42e4557bdfc10c2f420e9224012308211e1f7671af02948b0dc176bec44b944d230300245596c9a24c49 |
memory/4808-11-0x00007FF7E4B70000-0x00007FF7E4EC1000-memory.dmp
C:\Windows\System\DkgFByb.exe
| MD5 | 95b4e331bf40000dd082f0f8bd41072d |
| SHA1 | 591dbbedadb46d8368005eddb804dd8532620df0 |
| SHA256 | a6bda6cb9b63987c5a04a656aa17cd3e503c5b78ff0eaa9b5e344697e48dcd90 |
| SHA512 | acfa0aa173625b9fe69cb3f61f10de220f528133f0188c5789fc596f8ff6c112ad66fd154021b4edff8b916f97df2e5aa23195c454c2e200e55fda404fce23e4 |
C:\Windows\System\QGpCoRB.exe
| MD5 | dac8499b1382a5d36acb37315e10f504 |
| SHA1 | f36bed4cc7923e7950078c7c023528506284ccef |
| SHA256 | 14bcdc8a409842c7450d9fdd697fdf157d013d8f896cef32b201ba45b6a0a164 |
| SHA512 | 23af2706f4ad2e8e5993edbf3554a213c6f34ee8b13dc05f757dcaf870556120a57de2012103d5a5a5088c569fa08ad862ba9a0c7ba547092f323bde14e9a493 |
C:\Windows\System\uLVdQEy.exe
| MD5 | 24aa8ddb413535943a20988702c3172e |
| SHA1 | 721fbc4d3ebe76bd6f1adfedc5a0409d9a4562f7 |
| SHA256 | 6e268ae20037588f4675e621cb09f021b9cfda585a12cbebafb8b09625ad5f21 |
| SHA512 | 298b4afc35d84bc012216b6609c040f535bd5b8098eedcb4019cc1b5e63655d2f9441bb08318ede18f2ab0273cf66f19b9aa8ab29755f9a5cb47cb9cba442596 |
C:\Windows\System\mSSDfiY.exe
| MD5 | 05612b6374be4cb2c86d6024b03f6f24 |
| SHA1 | aaf2d6a5feb493e53ab9f461a344b3f14145e0d6 |
| SHA256 | 21ba9473579a15f6cf1506fa53850e136f5c96f2e4f1723bed5d4c489c4c170d |
| SHA512 | 046880484b92b23405e9d2eea590eae8c28dec9d9e258330ccaaf4c850f2a455fceac51b0837b17b348a93ce222adaeae8865e427f8d07e483f0cf4a12ca32c4 |
memory/3356-67-0x00007FF6C5BA0000-0x00007FF6C5EF1000-memory.dmp
C:\Windows\System\ggrtGAG.exe
| MD5 | ee8e117b7e775cff6f1104e18f47887b |
| SHA1 | 80e1faed0a9913f53a7e6aaf42bc69cc13d2652e |
| SHA256 | 7f84608c7d3d96166ad51add6ccf40fc366a6b18535a20c9ef7e584028cb35bd |
| SHA512 | d0d783f335f24ec153906344d11bbeb0e0caa4f6c37b7a4ad90adfa1640050817514786ef010562b243056a27053d3eee18812b4b327e683c5fec14ae588e735 |
C:\Windows\System\SpJkuot.exe
| MD5 | 9f4bfde4fd9b6953da78bf725fadd579 |
| SHA1 | c93a8e6fb705c0d27cdbdac88826012b6a687435 |
| SHA256 | 92b1bb7afe38ef9d072cf7e6e3441e8a4ce9b8bcdcbbbc7881b4ae5ad574210d |
| SHA512 | b7e1302dbe2366fa8c83095e5268ba3b668e72b5578f4aa55e93ea9f6c6c39b6b2f568a4f138af0fffe82b451a0d08a3f25fda83924a49c3c23116ed24af2755 |
C:\Windows\System\xITUJPM.exe
| MD5 | 8940f1433651066307c9b7c9428647df |
| SHA1 | 719788cc2f07f5a6ab1cbf74294f045d25263799 |
| SHA256 | fd9ba68517d5ba3a2b29e3ce53a84fc0692dc3eef1d4e7cf3f3c0f3bf0324c9e |
| SHA512 | b019778306cc1717b6ebf3d95a8bc8a0e7fa8aa4ba533df37f3c4bfb75d9748ea1efdb292d5d713239e838efb051df2547df78c1d4a703594d55f5ef71b99a11 |
memory/4912-63-0x00007FF6EA170000-0x00007FF6EA4C1000-memory.dmp
memory/4312-60-0x00007FF649250000-0x00007FF6495A1000-memory.dmp
C:\Windows\System\yYjnmMO.exe
| MD5 | c81ee9c812b044d23c53d05d5a14663a |
| SHA1 | 1850df7992e7df646fbf191a27b06604dcd44de8 |
| SHA256 | 8707401a469a6c3e41b2ca8f904bfa6f4d3e75f32c5bb0977c670c86b2646712 |
| SHA512 | 1f47d89b895736607399205f4c7f3b652e22f9d2bcaf60e7fcaf54f7fe8cc3acbdac99b786597eeb17d74fd091c42bc248eeff750d58c0ed48488737a573d208 |
C:\Windows\System\cRHxMFv.exe
| MD5 | 8c8a9a5213745085deb91f37557d0daf |
| SHA1 | 88e0cdd334d52492b465753f2598cc31589db6ac |
| SHA256 | e9be2809a1cfc1a2db1b17fde7458beacf51878f4ab5430286287a9ba143ba09 |
| SHA512 | d684b2688cc4dcb56c2f99cdbc66aef6fe116e789e179ba67698fd23b9d5a3f8321351f3f874c6c012a58c0cf2fe0523e6a08775f4a34e7cb3364c857a503d58 |
memory/760-42-0x00007FF7A24F0000-0x00007FF7A2841000-memory.dmp
C:\Windows\System\LwrFufj.exe
| MD5 | 6e8dc1d1503ee84540fd97a4698529e6 |
| SHA1 | a92150f8e324b56865a454635de807b93a54f037 |
| SHA256 | b97389ea79ad3217c43860d6f53fb33ce75092fc045c72bb53b0d6f919edae49 |
| SHA512 | a229a29f7b745c06e4f1c4ea51ec76c403ae6f3bdc8803d1914c8f2df4f6ba1e899159dd4a93053bf49af4e1808e97416a1cd837cd2f4efb9d22913fbc1a3c22 |
memory/4044-34-0x00007FF70F540000-0x00007FF70F891000-memory.dmp
memory/3672-27-0x00007FF648A30000-0x00007FF648D81000-memory.dmp
C:\Windows\System\usFVRfh.exe
| MD5 | e99aa5b370f0b3c303753c1bb1e7f171 |
| SHA1 | 523773d3447fbb1aa85599854eaa1366b945ec3a |
| SHA256 | a07cce2c4923a025a6a222968fd17f1f8939f7cd05dde3f52e8ca0511a9764de |
| SHA512 | e71aff1ce87e837e9a93ae08aaa741a24987c48d770264168541804c054a8e907b6033c2265ac77befd13bf46c31bb79a30c24cbe5e7d82d0a795e6be36e213e |
C:\Windows\System\HITYKSm.exe
| MD5 | 49fbbec3eed76e2f95e6508c79ab1759 |
| SHA1 | 19a16cd2a79ffa753c5c81ccead4c9eb156d820a |
| SHA256 | c2fe9d5731b692df7357e05ad3af66512a6b1207215716dd310d112588b863ca |
| SHA512 | 72ccd3ec4324716720a134f5c49c3d4f5c463faa01d92a5890cf82c40a44823987774cb3d665b8c6494d4554561cf60d590c217814cf7a1b522bef4deaaae1e8 |
memory/3848-18-0x00007FF65DCA0000-0x00007FF65DFF1000-memory.dmp
C:\Windows\System\dLyzVXg.exe
| MD5 | b5b53e5c6feb994e720bc894ca353bc0 |
| SHA1 | fbee6daf9857a2a715edcb038ed3363af2ef8ce6 |
| SHA256 | 1c700c41f399d02af5603447b6d8f56b90d7fce33561966c7dc6be60d4604a25 |
| SHA512 | 5b1592dabfe52bc90718be4cc4cc89470019ac08240be9638e5c75fdb91ee29ce1666191369ce2e3ca2b2bb7b0087ba04fd3e2de699d6464c61c8542d71baf52 |
memory/3728-95-0x00007FF682220000-0x00007FF682571000-memory.dmp
memory/664-107-0x00007FF6C83D0000-0x00007FF6C8721000-memory.dmp
C:\Windows\System\oivoLcB.exe
| MD5 | dde0c2f767323a7fefdfccd46c2136f5 |
| SHA1 | 4a3c35ef49d6ec4de95cffd10e811e6ee6ac7aac |
| SHA256 | 93eb7277b305f4c62a5cfd6a9ebfeb9b3ad719ceb0fec0d4be3b46862c7a8aa4 |
| SHA512 | b84f5b90eef453d1ba53b65ac0df5e93c3000167b9899338e4dea4d13d7fe4c2c023119637e13ae06e2d1a88b6c62fb2be79cd7a90456354f82fff7d7f8aabbd |
C:\Windows\System\TnZoXWc.exe
| MD5 | f8b501722181d2d82e0ab6e396a4b950 |
| SHA1 | ab87433053d9f37218c62d0dfda120350a604918 |
| SHA256 | 3c41ae16766bd489526af680eaeb4099ae1ce2f7ac41ecfd9212c3d912c49334 |
| SHA512 | 29295c3e8cafe17f0f05fb13a2aafce981d29376c57fd95782cf7d80a1b7eb589dd869ef61657ac1ab5bb84bd48680609e6c2cc106dc7c67af0fc80f1e5fa249 |
memory/2404-127-0x00007FF721B50000-0x00007FF721EA1000-memory.dmp
memory/2468-126-0x00007FF79D2C0000-0x00007FF79D611000-memory.dmp
memory/4380-125-0x00007FF76F650000-0x00007FF76F9A1000-memory.dmp
C:\Windows\System\zAnIdit.exe
| MD5 | 8a3e587f4f81a49db2d25115618f037e |
| SHA1 | 8bb35b33318fce1d16a010cf712e692ee5b6221a |
| SHA256 | 8332fbc127ecdde43fc3af7e955e152b1f9fd8edb31f71fdf330dae42099b900 |
| SHA512 | f6a7d8ef3941d80b32e9540bcd51edcc5695340e6d918b6fb4f525832d751798d667ecf886384aab44352c1433307433eb3a76eb51928c284a3e62267cd52856 |
memory/1796-118-0x00007FF7D89A0000-0x00007FF7D8CF1000-memory.dmp
memory/4692-117-0x00007FF734480000-0x00007FF7347D1000-memory.dmp
memory/2452-114-0x00007FF766610000-0x00007FF766961000-memory.dmp
memory/1248-109-0x00007FF799480000-0x00007FF7997D1000-memory.dmp
C:\Windows\System\ODsnpAG.exe
| MD5 | f1fab0a1f8ab73c585fa3af58b0a29ed |
| SHA1 | 7bdebe58da60a2663f5df79022ed6fc388a1e9dc |
| SHA256 | c3f7e90017d06c56ffdcd18a193b843aa5d39a8ad54a9af680b4aebdf42f999a |
| SHA512 | 7e6e5504f374f5eadca2835eb0036f089d02fb0d7a9d6d6c734c75a936e5ccf663cecd8303d2f0ffd4952e974b8ca8d63e221a9f26edae964c4015b0ad742922 |
C:\Windows\System\LbImLLu.exe
| MD5 | b304e4160148fb7d6222442bb4d09370 |
| SHA1 | 76696104b29c8c07d6e3941a5e5c41a2cb34150c |
| SHA256 | 79aec2606c2aa9296d3d5f4c776db5b8a666df29bb12110faf17ca30d4c8c457 |
| SHA512 | a97b40dfe313223128f5d48932a7789e0b23154af1883cabcb11a686319c752f488cba31f95061b9b213265dda29f24a894738aad7bae5ce74e55d65515e5fa3 |
C:\Windows\System\oeaJczD.exe
| MD5 | 4a5b3edcd1934f806f6db0741219ced7 |
| SHA1 | b983da17ddb0fd75d7ca0de212c48c7f1fafe7af |
| SHA256 | fb7d19451fb222c0aa87afc697bc1a33e61bcbf7c27349423c4201433b8795ad |
| SHA512 | ef15dec89eac3e74041d19e273d2b414042ad080dffadde7744936f9fb9ead2461c0625b6fd8c560e0c192971e20b9951b29e1a4a2586aa92df639c2542ec42b |
C:\Windows\System\TfiiOXk.exe
| MD5 | c5c558977945249f136b091e73cecef6 |
| SHA1 | a71c53deeba35351c14b17f9928034cdb32222df |
| SHA256 | 2da54da6f89f8da72b2aab929c63837d4cbb6f5b50f52f693b2a3e66e2eb5723 |
| SHA512 | b7b44053c5ecf3927982a45e9307b081f4e7c28749292fab649552bd33b313a05eabc35abbdedff480032a249664ad348ebda74515ec68256a6a6638448caa49 |
memory/2596-91-0x00007FF676580000-0x00007FF6768D1000-memory.dmp
memory/1080-81-0x00007FF7D39B0000-0x00007FF7D3D01000-memory.dmp
memory/4836-80-0x00007FF642900000-0x00007FF642C51000-memory.dmp
memory/824-70-0x00007FF7791C0000-0x00007FF779511000-memory.dmp
memory/3848-130-0x00007FF65DCA0000-0x00007FF65DFF1000-memory.dmp
memory/760-134-0x00007FF7A24F0000-0x00007FF7A2841000-memory.dmp
memory/4312-135-0x00007FF649250000-0x00007FF6495A1000-memory.dmp
memory/824-141-0x00007FF7791C0000-0x00007FF779511000-memory.dmp
memory/4380-147-0x00007FF76F650000-0x00007FF76F9A1000-memory.dmp
memory/664-143-0x00007FF6C83D0000-0x00007FF6C8721000-memory.dmp
memory/3356-140-0x00007FF6C5BA0000-0x00007FF6C5EF1000-memory.dmp
memory/3672-132-0x00007FF648A30000-0x00007FF648D81000-memory.dmp
memory/4808-129-0x00007FF7E4B70000-0x00007FF7E4EC1000-memory.dmp
memory/3856-128-0x00007FF7FE610000-0x00007FF7FE961000-memory.dmp
memory/3856-150-0x00007FF7FE610000-0x00007FF7FE961000-memory.dmp
memory/4808-208-0x00007FF7E4B70000-0x00007FF7E4EC1000-memory.dmp
memory/4044-210-0x00007FF70F540000-0x00007FF70F891000-memory.dmp
memory/3672-212-0x00007FF648A30000-0x00007FF648D81000-memory.dmp
memory/3848-214-0x00007FF65DCA0000-0x00007FF65DFF1000-memory.dmp
memory/4836-216-0x00007FF642900000-0x00007FF642C51000-memory.dmp
memory/4312-218-0x00007FF649250000-0x00007FF6495A1000-memory.dmp
memory/2596-222-0x00007FF676580000-0x00007FF6768D1000-memory.dmp
memory/4912-221-0x00007FF6EA170000-0x00007FF6EA4C1000-memory.dmp
memory/760-226-0x00007FF7A24F0000-0x00007FF7A2841000-memory.dmp
memory/1080-225-0x00007FF7D39B0000-0x00007FF7D3D01000-memory.dmp
memory/3728-230-0x00007FF682220000-0x00007FF682571000-memory.dmp
memory/3356-229-0x00007FF6C5BA0000-0x00007FF6C5EF1000-memory.dmp
memory/824-232-0x00007FF7791C0000-0x00007FF779511000-memory.dmp
memory/4692-239-0x00007FF734480000-0x00007FF7347D1000-memory.dmp
memory/1248-242-0x00007FF799480000-0x00007FF7997D1000-memory.dmp
memory/2452-240-0x00007FF766610000-0x00007FF766961000-memory.dmp
memory/664-236-0x00007FF6C83D0000-0x00007FF6C8721000-memory.dmp
memory/1796-235-0x00007FF7D89A0000-0x00007FF7D8CF1000-memory.dmp
memory/2468-245-0x00007FF79D2C0000-0x00007FF79D611000-memory.dmp
memory/2404-246-0x00007FF721B50000-0x00007FF721EA1000-memory.dmp
memory/4380-248-0x00007FF76F650000-0x00007FF76F9A1000-memory.dmp