Analysis Overview
SHA256
fda4225ef3187dd0071dc666fb894e5fefe10d6ad9278906b08850e85b8867b0
Threat Level: Known bad
The file 2024-05-25_1304348961947d4e925c09d9869ac9a2_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
xmrig
Cobaltstrike
Detects Reflective DLL injection artifacts
Xmrig family
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-25 15:43
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 15:45
Platform
win7-20240508-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\CyewiOF.exe | N/A |
| N/A | N/A | C:\Windows\System\lDqXgDH.exe | N/A |
| N/A | N/A | C:\Windows\System\rSNGyOc.exe | N/A |
| N/A | N/A | C:\Windows\System\LTodHrD.exe | N/A |
| N/A | N/A | C:\Windows\System\uhllFsw.exe | N/A |
| N/A | N/A | C:\Windows\System\FGasiot.exe | N/A |
| N/A | N/A | C:\Windows\System\dgUaZoL.exe | N/A |
| N/A | N/A | C:\Windows\System\kMISiZL.exe | N/A |
| N/A | N/A | C:\Windows\System\rtGQIvg.exe | N/A |
| N/A | N/A | C:\Windows\System\LXHdFrW.exe | N/A |
| N/A | N/A | C:\Windows\System\hwwfCXL.exe | N/A |
| N/A | N/A | C:\Windows\System\nKbzOhd.exe | N/A |
| N/A | N/A | C:\Windows\System\Ntemgdn.exe | N/A |
| N/A | N/A | C:\Windows\System\IBSkpur.exe | N/A |
| N/A | N/A | C:\Windows\System\bpewYaw.exe | N/A |
| N/A | N/A | C:\Windows\System\TvDjbZM.exe | N/A |
| N/A | N/A | C:\Windows\System\zHqjFzl.exe | N/A |
| N/A | N/A | C:\Windows\System\vpCnVoz.exe | N/A |
| N/A | N/A | C:\Windows\System\nCbDqAf.exe | N/A |
| N/A | N/A | C:\Windows\System\ugyLYKe.exe | N/A |
| N/A | N/A | C:\Windows\System\diOJdJg.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_1304348961947d4e925c09d9869ac9a2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_1304348961947d4e925c09d9869ac9a2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-25_1304348961947d4e925c09d9869ac9a2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_1304348961947d4e925c09d9869ac9a2_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\CyewiOF.exe
C:\Windows\System\CyewiOF.exe
C:\Windows\System\lDqXgDH.exe
C:\Windows\System\lDqXgDH.exe
C:\Windows\System\rSNGyOc.exe
C:\Windows\System\rSNGyOc.exe
C:\Windows\System\LTodHrD.exe
C:\Windows\System\LTodHrD.exe
C:\Windows\System\uhllFsw.exe
C:\Windows\System\uhllFsw.exe
C:\Windows\System\FGasiot.exe
C:\Windows\System\FGasiot.exe
C:\Windows\System\dgUaZoL.exe
C:\Windows\System\dgUaZoL.exe
C:\Windows\System\bpewYaw.exe
C:\Windows\System\bpewYaw.exe
C:\Windows\System\kMISiZL.exe
C:\Windows\System\kMISiZL.exe
C:\Windows\System\TvDjbZM.exe
C:\Windows\System\TvDjbZM.exe
C:\Windows\System\rtGQIvg.exe
C:\Windows\System\rtGQIvg.exe
C:\Windows\System\zHqjFzl.exe
C:\Windows\System\zHqjFzl.exe
C:\Windows\System\LXHdFrW.exe
C:\Windows\System\LXHdFrW.exe
C:\Windows\System\vpCnVoz.exe
C:\Windows\System\vpCnVoz.exe
C:\Windows\System\hwwfCXL.exe
C:\Windows\System\hwwfCXL.exe
C:\Windows\System\nCbDqAf.exe
C:\Windows\System\nCbDqAf.exe
C:\Windows\System\nKbzOhd.exe
C:\Windows\System\nKbzOhd.exe
C:\Windows\System\ugyLYKe.exe
C:\Windows\System\ugyLYKe.exe
C:\Windows\System\Ntemgdn.exe
C:\Windows\System\Ntemgdn.exe
C:\Windows\System\diOJdJg.exe
C:\Windows\System\diOJdJg.exe
C:\Windows\System\IBSkpur.exe
C:\Windows\System\IBSkpur.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2904-0-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/2904-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\CyewiOF.exe
| MD5 | c546844b7df08e8e9f5735b8a0cf29e3 |
| SHA1 | 82f4adc665f564807b8e0340277865212c229fbb |
| SHA256 | 4ff4925c6d9622b1ca16eba3dd259da8e5ebb05b0793824a730bac8f6a6af6dc |
| SHA512 | 930eade2f4270687f7c5162f038c27f7a6ef114726670a097cf964ccf5d5d286f304d77313394600ba2da2f0bf3f5bd5372dc94fa2e75be40fc835c63c101633 |
\Windows\system\lDqXgDH.exe
| MD5 | f1c8b263802930fb03981be74d823512 |
| SHA1 | a5acc46b3751c7ef724685437639ae3045771d61 |
| SHA256 | f7bdc34fcd3118f38045a7f49ae2e7e164202ed694bf9fe1dfc2cabe2c9c387c |
| SHA512 | 8eb29de7ffb0f25e922c9b7bb99c4a6425c60078be9dd74fc8299bc1c5db9c862f3eadb24e30db4ceeb9f1da176e83c10ddd6dce439ef7789d816b58ecd1159c |
\Windows\system\rSNGyOc.exe
| MD5 | c3c51fedb297560e50fad3b7d8a842d6 |
| SHA1 | d4fdb992e6266b85767c24483b0c4429fcf4dbf3 |
| SHA256 | 945b8aeea07d84a9d981e8384d770b2fe80be25afee6a5feb43310308e7461c7 |
| SHA512 | dec084d65d835729b7167bd1179b56afd3614de442da2bd0446dec6ff25bd30fcc0cdf84d097597515ad9256fd260bcbb4af386600fefd4382a64c90200a7cdb |
memory/2904-15-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2928-13-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2992-12-0x000000013FF80000-0x00000001402D1000-memory.dmp
\Windows\system\uhllFsw.exe
| MD5 | eb945de83b37580671314203d6697eb8 |
| SHA1 | 20e075e7389ec0cbf115253095bab35d7f85e3dd |
| SHA256 | cb3d609e9fdad3f1d5867a04f7cb59dd8851e1663cad889a27b22aa2e640e57c |
| SHA512 | a8498d1ac08e27b0ad0a57c52cb4d4eca122b5854d5226a6c2fa5caf898877d3224a9415e1afbe76aea0c2edf0672fbde7f357365f0ea6aa858d7a9fd18621c9 |
memory/2904-27-0x0000000002340000-0x0000000002691000-memory.dmp
memory/2904-31-0x000000013FD80000-0x00000001400D1000-memory.dmp
memory/2732-28-0x000000013F270000-0x000000013F5C1000-memory.dmp
C:\Windows\system\LTodHrD.exe
| MD5 | f6e370d7349b5a250275ece341c23484 |
| SHA1 | 29bf6c855c49a2f276af7d393b1f7896d466ede4 |
| SHA256 | 4048f5989fce5c043e7daf84ca33ddf2193c14d765192868acd0cde234fb4485 |
| SHA512 | 4caa7909b520e4d1ca77c407909dfd30cba3c26b83064a1e13c493a7a9661b2167db01a16f7ff68c2ecc610ad61ee4cf27bb229de95e758c7d20d1d2a9452214 |
memory/2608-22-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/2904-20-0x0000000002340000-0x0000000002691000-memory.dmp
memory/2856-36-0x000000013FD80000-0x00000001400D1000-memory.dmp
\Windows\system\FGasiot.exe
| MD5 | 1763d6b430f6140e707b1eddf0087f71 |
| SHA1 | 5358132fe6d169fc6246f950a98f46f51974c924 |
| SHA256 | 3bc8a1fee33359fdd6dd2ff772dc75e6fa55ebe6096067d71d1b874d83cd48bc |
| SHA512 | 09e2b96a272d462369912fcfeaaf2f4a4c8feedfd4ae86c65dfd54ba234705284187e4d0c3fb8dc25d1a11c1e73bdb5f8d058da279619541fefbe9cd371fb11c |
memory/2496-41-0x000000013F460000-0x000000013F7B1000-memory.dmp
memory/2480-114-0x000000013F880000-0x000000013FBD1000-memory.dmp
\Windows\system\bpewYaw.exe
| MD5 | 76d7ad40b753b62c00e8bc7f69d96c00 |
| SHA1 | bf4a17cb45070420f815b4ab40483370134761d7 |
| SHA256 | e3fe3690837081fb88b6839d93f96e0a385841f245f4070e5d52a22406c5c3b0 |
| SHA512 | c53cf5daf6425dc4985e2d9c16a81435f8ea16af2b8190a1b8838662406e82aaba349439577ccc10c4a73fc6a1f25d1f917d345019fac711b48429eba08b6e31 |
\Windows\system\diOJdJg.exe
| MD5 | fba8a9f649875e5fab53095d4f8b85a7 |
| SHA1 | 92e649e99a829079587c9814fb05e5c21f116945 |
| SHA256 | 55b2b02bda0c891b4fb0eaa842d28b1a94bb0392cb8d6a49ef0e85f500e5daa4 |
| SHA512 | 486c28c327ece0a7ba57d67f1df08a145129b4b9e045e354e98911efdd558dc1ef81f01a3a87eac33afa3bbcbc39444835609830f4e0f60cccbcf23862d1004b |
\Windows\system\ugyLYKe.exe
| MD5 | e34785db60d7f9a3347c21ed47940c9c |
| SHA1 | 5951604ec9701124307c394c7f21d366557a399e |
| SHA256 | 566facb98af0f843a63f387958e6c3274dfc723e6b31bb09ef0a8ef84fa84b66 |
| SHA512 | 880929736ed49fbdd4fc35f81168b1f1552cb56aa61b56a292bafe290dfab00b68bec7025dec753ec74494720bae8c0bd9aefde82b23be4f4f583fea970b6a5d |
C:\Windows\system\hwwfCXL.exe
| MD5 | 1a1b7cdf7d3e8f897aab6f4614b98b58 |
| SHA1 | 4002f21cd0f458b53d810330f9f094371995a1fa |
| SHA256 | 02880b79a326fd2c21544688fabd5a4024bc9e3bfc712b50e9fd039e6b2c4377 |
| SHA512 | e132a530f090be5b8775fc5b1f0de9ea15fca2cfa785791bf8fff796102cbfbf97c2f36e85acc19204cca3cc34c6e8cf1271ba6ed7bf6a50b56efc6a6e8986bd |
C:\Windows\system\LXHdFrW.exe
| MD5 | 6d1eea16fefb7b73780e933e5a977ba0 |
| SHA1 | 64066e97a8f3ea8c37b13b513dd1f6d6519666fb |
| SHA256 | 96098d42405625ccae5e7b0cc18a0d5190dd7e4acf2be7505498b466071fdec3 |
| SHA512 | e408b55a902f8a06b7e200a4b24873ad3dc0f163f29c911adb049e38029f9d2d531e1c3ed46a4a87407ad6f3ebb3e3b9d235140bad37bbc6ecf215675605a8c0 |
memory/2400-83-0x000000013FD30000-0x0000000140081000-memory.dmp
\Windows\system\nCbDqAf.exe
| MD5 | 5ee2034ae34629346a68d5d714451da8 |
| SHA1 | 37f89c3af4d7612cc902270e0692622a3f68bf37 |
| SHA256 | d15f4de9cc9c81de4836d5f29644e8e586587a01eaf999cd3b6e2f46007e66c7 |
| SHA512 | c589b637d820635bc8db9827b7454a118bde7f796e92474d253dac4d26fd8880cf799245211e4b2e7eb4f4d2a9c15b3bde9f0d687799f842169337e2d894b898 |
memory/2904-76-0x000000013FD30000-0x0000000140081000-memory.dmp
\Windows\system\vpCnVoz.exe
| MD5 | 0cddf3bc67dac57a372adb098115cf9b |
| SHA1 | 9e9f9abc4605ba093d6c7c0d7e2852daa78094d6 |
| SHA256 | 5be3aeec8d8ef7363554e3f9a4fbd7edb3f1257fe930bfecbea9b19882e860cf |
| SHA512 | 75c7eb3fdfac0677bd629f54bb7c72e81007158a6b455e8020f66baf8b70c003c46b2e9fb286d97be6847d2c90d05e8cc4be7b1b6df120e60f27572ece201d1a |
\Windows\system\zHqjFzl.exe
| MD5 | 2d9d510bd4b3878851d99fabdf8ea57d |
| SHA1 | 2ec5d95030192e8710981f27ac8cfe309068781d |
| SHA256 | eeea7ae040739f9ec4af8e6fae3207616de2c5d345bc1815b739720f23f0864b |
| SHA512 | 83f9fd12cd26d8413250c2a50e1d3e60523502bf85159ac1b2cc507eb9fde13b2c8114ac7ef3464d289e2ca12358942514f7cfe1c766fcf30bca65b1a3c6541e |
\Windows\system\TvDjbZM.exe
| MD5 | ba49e5c0c6c5aed590147a46e9b0b308 |
| SHA1 | 7bd460295d3c6d8d64ea74cde415d2db33a046fa |
| SHA256 | 58438aa957e96462585e43f1872d09180950f491388f987494bd1134fff2a504 |
| SHA512 | aa42a873871451643eab203eae5583f511aba3435c667e040c7de23f344169133cfe2525b112fdb8c62cf4e3f05071d0ad1100cb2cb0875083bacde34e346483 |
memory/1956-117-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/2904-116-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/2904-115-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2928-113-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2904-112-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/2904-111-0x0000000002340000-0x0000000002691000-memory.dmp
memory/2904-110-0x000000013F860000-0x000000013FBB1000-memory.dmp
C:\Windows\system\IBSkpur.exe
| MD5 | 57663db79162c7ed5fcb5bf0140ab28e |
| SHA1 | e6a8752ab1ae021a9a034f1c05915b4f5a6c3160 |
| SHA256 | ea6301be02035eeeaedae458a3024cd8ae0e295198684ee459bd773506ca1046 |
| SHA512 | 2ba1929108259b63e12e2155871b81d3951d675fc2464a9b35cb171f4ce567e7fdd983f2215301e21555e8acc034812e1ef9b91db7a9ac56c5d0b3b2fdbf83f2 |
C:\Windows\system\Ntemgdn.exe
| MD5 | 0d8f8d76b6990005f403a7118c8eb763 |
| SHA1 | d5dd59d87386a69120d8d330b073f6d6c3b50add |
| SHA256 | 48ea84f58eec07b49b2c45013476c69dd88cf39fa959c7ead127abb14a771e1f |
| SHA512 | f0c4f7df0abb7cfe3e5e62356df62a7d5e61d917ca76380d8c833ec4458dfce7fb186aabedcb7ed8456d9b9612bb84f79b376b062818d88e541bf409a6799bce |
C:\Windows\system\nKbzOhd.exe
| MD5 | 1725798e9024fa6d1e73875841933093 |
| SHA1 | ac2c974a0858da2b4ab2b2907e32d9507d4564fe |
| SHA256 | 1ed4e58d11ec88a7699f7ddbc6fecf3d47add0a2f839a9272c4a049605349a14 |
| SHA512 | 0c5bb3be37813c05beb806c38e48b8a2280c797f0eb089a03dcd8c697f360ccfc0b30374a2fe8912a31087ae8df651fa058fd232af90cfca6ead8988f7874db1 |
memory/2756-103-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/2904-102-0x0000000002340000-0x0000000002691000-memory.dmp
memory/2904-72-0x0000000002340000-0x0000000002691000-memory.dmp
memory/2604-65-0x000000013FE20000-0x0000000140171000-memory.dmp
C:\Windows\system\rtGQIvg.exe
| MD5 | bac13e0903d0a3a8fa021c41d932d2b0 |
| SHA1 | d91c8b610c7ad3daede74f86499e516aed56f4ee |
| SHA256 | 07eaec97f2dc871fe9e1bee5947801e5a7a5f970a758f8dd65abc9e5a8e5004f |
| SHA512 | 5e0f395fb6ae8358e0024fb856af2a5e55631705b2eb7406acaee54d11d875796334cfdb05d65ee127d183a78eb068ead60a2142f3b93877ba182c4708ac93a0 |
C:\Windows\system\kMISiZL.exe
| MD5 | 3073309b2bf2e5dd23626e72ca46498b |
| SHA1 | 484350d2430b3de59be1fea6640fb7f3d19070dc |
| SHA256 | be74055e61153dedbc717bf0920ad35c4f010b1eb2baf646598fc8aee7d85e61 |
| SHA512 | 2204515aca43658a5d808e4d5082d5dd74a25239e31352464fcb3da23537ad6d90f147e81fc05cbb326ff9128eee50af67a9d04fd58658bfba1a86dfbc8e04a2 |
memory/2608-125-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/2904-60-0x000000013F1E0000-0x000000013F531000-memory.dmp
C:\Windows\system\dgUaZoL.exe
| MD5 | 9b8beac340060b5dd5fdd6cffea3c2f6 |
| SHA1 | 7e5da47578bded9e2917c5836c8e4bc4460763da |
| SHA256 | 19be3228d2bf06b6b3e5841dffd9cf3c91f2f5a26eff43be404f893f4603cb4a |
| SHA512 | 11ae290e47af2b602e841a63e140af7e8f9ac5416b7424c66a0484ac310fe6d0e2781b5e5e17c25e906d1d2499adabf36956fc036e7ccf75469b496f0c64ae1a |
memory/2856-131-0x000000013FD80000-0x00000001400D1000-memory.dmp
memory/2732-130-0x000000013F270000-0x000000013F5C1000-memory.dmp
memory/2904-126-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/2496-139-0x000000013F460000-0x000000013F7B1000-memory.dmp
memory/1296-150-0x000000013F860000-0x000000013FBB1000-memory.dmp
memory/2796-149-0x000000013F6C0000-0x000000013FA11000-memory.dmp
memory/2792-147-0x000000013F640000-0x000000013F991000-memory.dmp
memory/468-145-0x000000013FC60000-0x000000013FFB1000-memory.dmp
memory/2520-143-0x000000013F4E0000-0x000000013F831000-memory.dmp
memory/2524-141-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/1284-153-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/1792-152-0x000000013F380000-0x000000013F6D1000-memory.dmp
memory/1036-151-0x000000013F3B0000-0x000000013F701000-memory.dmp
memory/1636-154-0x000000013F530000-0x000000013F881000-memory.dmp
memory/2904-155-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/2992-200-0x000000013FF80000-0x00000001402D1000-memory.dmp
memory/2928-202-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2608-204-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/2732-206-0x000000013F270000-0x000000013F5C1000-memory.dmp
memory/2856-210-0x000000013FD80000-0x00000001400D1000-memory.dmp
memory/2496-212-0x000000013F460000-0x000000013F7B1000-memory.dmp
memory/2604-214-0x000000013FE20000-0x0000000140171000-memory.dmp
memory/2400-216-0x000000013FD30000-0x0000000140081000-memory.dmp
memory/2480-218-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/2756-220-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/1956-222-0x000000013F060000-0x000000013F3B1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 15:45
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\CyewiOF.exe | N/A |
| N/A | N/A | C:\Windows\System\lDqXgDH.exe | N/A |
| N/A | N/A | C:\Windows\System\rSNGyOc.exe | N/A |
| N/A | N/A | C:\Windows\System\LTodHrD.exe | N/A |
| N/A | N/A | C:\Windows\System\uhllFsw.exe | N/A |
| N/A | N/A | C:\Windows\System\FGasiot.exe | N/A |
| N/A | N/A | C:\Windows\System\bpewYaw.exe | N/A |
| N/A | N/A | C:\Windows\System\dgUaZoL.exe | N/A |
| N/A | N/A | C:\Windows\System\kMISiZL.exe | N/A |
| N/A | N/A | C:\Windows\System\TvDjbZM.exe | N/A |
| N/A | N/A | C:\Windows\System\rtGQIvg.exe | N/A |
| N/A | N/A | C:\Windows\System\zHqjFzl.exe | N/A |
| N/A | N/A | C:\Windows\System\LXHdFrW.exe | N/A |
| N/A | N/A | C:\Windows\System\vpCnVoz.exe | N/A |
| N/A | N/A | C:\Windows\System\hwwfCXL.exe | N/A |
| N/A | N/A | C:\Windows\System\nCbDqAf.exe | N/A |
| N/A | N/A | C:\Windows\System\nKbzOhd.exe | N/A |
| N/A | N/A | C:\Windows\System\ugyLYKe.exe | N/A |
| N/A | N/A | C:\Windows\System\Ntemgdn.exe | N/A |
| N/A | N/A | C:\Windows\System\diOJdJg.exe | N/A |
| N/A | N/A | C:\Windows\System\IBSkpur.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_1304348961947d4e925c09d9869ac9a2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_1304348961947d4e925c09d9869ac9a2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-25_1304348961947d4e925c09d9869ac9a2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_1304348961947d4e925c09d9869ac9a2_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\CyewiOF.exe
C:\Windows\System\CyewiOF.exe
C:\Windows\System\lDqXgDH.exe
C:\Windows\System\lDqXgDH.exe
C:\Windows\System\rSNGyOc.exe
C:\Windows\System\rSNGyOc.exe
C:\Windows\System\LTodHrD.exe
C:\Windows\System\LTodHrD.exe
C:\Windows\System\uhllFsw.exe
C:\Windows\System\uhllFsw.exe
C:\Windows\System\FGasiot.exe
C:\Windows\System\FGasiot.exe
C:\Windows\System\dgUaZoL.exe
C:\Windows\System\dgUaZoL.exe
C:\Windows\System\bpewYaw.exe
C:\Windows\System\bpewYaw.exe
C:\Windows\System\kMISiZL.exe
C:\Windows\System\kMISiZL.exe
C:\Windows\System\TvDjbZM.exe
C:\Windows\System\TvDjbZM.exe
C:\Windows\System\rtGQIvg.exe
C:\Windows\System\rtGQIvg.exe
C:\Windows\System\zHqjFzl.exe
C:\Windows\System\zHqjFzl.exe
C:\Windows\System\LXHdFrW.exe
C:\Windows\System\LXHdFrW.exe
C:\Windows\System\vpCnVoz.exe
C:\Windows\System\vpCnVoz.exe
C:\Windows\System\hwwfCXL.exe
C:\Windows\System\hwwfCXL.exe
C:\Windows\System\nCbDqAf.exe
C:\Windows\System\nCbDqAf.exe
C:\Windows\System\nKbzOhd.exe
C:\Windows\System\nKbzOhd.exe
C:\Windows\System\ugyLYKe.exe
C:\Windows\System\ugyLYKe.exe
C:\Windows\System\Ntemgdn.exe
C:\Windows\System\Ntemgdn.exe
C:\Windows\System\diOJdJg.exe
C:\Windows\System\diOJdJg.exe
C:\Windows\System\IBSkpur.exe
C:\Windows\System\IBSkpur.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3268-0-0x00007FF66A090000-0x00007FF66A3E1000-memory.dmp
memory/3268-1-0x000001E4EAA60000-0x000001E4EAA70000-memory.dmp
C:\Windows\System\CyewiOF.exe
| MD5 | c546844b7df08e8e9f5735b8a0cf29e3 |
| SHA1 | 82f4adc665f564807b8e0340277865212c229fbb |
| SHA256 | 4ff4925c6d9622b1ca16eba3dd259da8e5ebb05b0793824a730bac8f6a6af6dc |
| SHA512 | 930eade2f4270687f7c5162f038c27f7a6ef114726670a097cf964ccf5d5d286f304d77313394600ba2da2f0bf3f5bd5372dc94fa2e75be40fc835c63c101633 |
memory/5100-8-0x00007FF6C4E50000-0x00007FF6C51A1000-memory.dmp
C:\Windows\System\lDqXgDH.exe
| MD5 | f1c8b263802930fb03981be74d823512 |
| SHA1 | a5acc46b3751c7ef724685437639ae3045771d61 |
| SHA256 | f7bdc34fcd3118f38045a7f49ae2e7e164202ed694bf9fe1dfc2cabe2c9c387c |
| SHA512 | 8eb29de7ffb0f25e922c9b7bb99c4a6425c60078be9dd74fc8299bc1c5db9c862f3eadb24e30db4ceeb9f1da176e83c10ddd6dce439ef7789d816b58ecd1159c |
C:\Windows\System\rSNGyOc.exe
| MD5 | c3c51fedb297560e50fad3b7d8a842d6 |
| SHA1 | d4fdb992e6266b85767c24483b0c4429fcf4dbf3 |
| SHA256 | 945b8aeea07d84a9d981e8384d770b2fe80be25afee6a5feb43310308e7461c7 |
| SHA512 | dec084d65d835729b7167bd1179b56afd3614de442da2bd0446dec6ff25bd30fcc0cdf84d097597515ad9256fd260bcbb4af386600fefd4382a64c90200a7cdb |
C:\Windows\System\uhllFsw.exe
| MD5 | eb945de83b37580671314203d6697eb8 |
| SHA1 | 20e075e7389ec0cbf115253095bab35d7f85e3dd |
| SHA256 | cb3d609e9fdad3f1d5867a04f7cb59dd8851e1663cad889a27b22aa2e640e57c |
| SHA512 | a8498d1ac08e27b0ad0a57c52cb4d4eca122b5854d5226a6c2fa5caf898877d3224a9415e1afbe76aea0c2edf0672fbde7f357365f0ea6aa858d7a9fd18621c9 |
C:\Windows\System\LTodHrD.exe
| MD5 | f6e370d7349b5a250275ece341c23484 |
| SHA1 | 29bf6c855c49a2f276af7d393b1f7896d466ede4 |
| SHA256 | 4048f5989fce5c043e7daf84ca33ddf2193c14d765192868acd0cde234fb4485 |
| SHA512 | 4caa7909b520e4d1ca77c407909dfd30cba3c26b83064a1e13c493a7a9661b2167db01a16f7ff68c2ecc610ad61ee4cf27bb229de95e758c7d20d1d2a9452214 |
memory/4964-19-0x00007FF731770000-0x00007FF731AC1000-memory.dmp
memory/3960-31-0x00007FF7E39F0000-0x00007FF7E3D41000-memory.dmp
C:\Windows\System\bpewYaw.exe
| MD5 | 76d7ad40b753b62c00e8bc7f69d96c00 |
| SHA1 | bf4a17cb45070420f815b4ab40483370134761d7 |
| SHA256 | e3fe3690837081fb88b6839d93f96e0a385841f245f4070e5d52a22406c5c3b0 |
| SHA512 | c53cf5daf6425dc4985e2d9c16a81435f8ea16af2b8190a1b8838662406e82aaba349439577ccc10c4a73fc6a1f25d1f917d345019fac711b48429eba08b6e31 |
C:\Windows\System\rtGQIvg.exe
| MD5 | bac13e0903d0a3a8fa021c41d932d2b0 |
| SHA1 | d91c8b610c7ad3daede74f86499e516aed56f4ee |
| SHA256 | 07eaec97f2dc871fe9e1bee5947801e5a7a5f970a758f8dd65abc9e5a8e5004f |
| SHA512 | 5e0f395fb6ae8358e0024fb856af2a5e55631705b2eb7406acaee54d11d875796334cfdb05d65ee127d183a78eb068ead60a2142f3b93877ba182c4708ac93a0 |
C:\Windows\System\nCbDqAf.exe
| MD5 | 5ee2034ae34629346a68d5d714451da8 |
| SHA1 | 37f89c3af4d7612cc902270e0692622a3f68bf37 |
| SHA256 | d15f4de9cc9c81de4836d5f29644e8e586587a01eaf999cd3b6e2f46007e66c7 |
| SHA512 | c589b637d820635bc8db9827b7454a118bde7f796e92474d253dac4d26fd8880cf799245211e4b2e7eb4f4d2a9c15b3bde9f0d687799f842169337e2d894b898 |
C:\Windows\System\nKbzOhd.exe
| MD5 | 1725798e9024fa6d1e73875841933093 |
| SHA1 | ac2c974a0858da2b4ab2b2907e32d9507d4564fe |
| SHA256 | 1ed4e58d11ec88a7699f7ddbc6fecf3d47add0a2f839a9272c4a049605349a14 |
| SHA512 | 0c5bb3be37813c05beb806c38e48b8a2280c797f0eb089a03dcd8c697f360ccfc0b30374a2fe8912a31087ae8df651fa058fd232af90cfca6ead8988f7874db1 |
memory/1212-112-0x00007FF6C2DD0000-0x00007FF6C3121000-memory.dmp
memory/3068-120-0x00007FF7D3020000-0x00007FF7D3371000-memory.dmp
memory/3284-125-0x00007FF7F8F00000-0x00007FF7F9251000-memory.dmp
memory/2816-126-0x00007FF6DCB90000-0x00007FF6DCEE1000-memory.dmp
memory/4344-124-0x00007FF739DB0000-0x00007FF73A101000-memory.dmp
memory/2416-123-0x00007FF7E0F70000-0x00007FF7E12C1000-memory.dmp
memory/5020-122-0x00007FF7BFAA0000-0x00007FF7BFDF1000-memory.dmp
memory/1996-121-0x00007FF7A1AF0000-0x00007FF7A1E41000-memory.dmp
C:\Windows\System\IBSkpur.exe
| MD5 | 57663db79162c7ed5fcb5bf0140ab28e |
| SHA1 | e6a8752ab1ae021a9a034f1c05915b4f5a6c3160 |
| SHA256 | ea6301be02035eeeaedae458a3024cd8ae0e295198684ee459bd773506ca1046 |
| SHA512 | 2ba1929108259b63e12e2155871b81d3951d675fc2464a9b35cb171f4ce567e7fdd983f2215301e21555e8acc034812e1ef9b91db7a9ac56c5d0b3b2fdbf83f2 |
C:\Windows\System\Ntemgdn.exe
| MD5 | 0d8f8d76b6990005f403a7118c8eb763 |
| SHA1 | d5dd59d87386a69120d8d330b073f6d6c3b50add |
| SHA256 | 48ea84f58eec07b49b2c45013476c69dd88cf39fa959c7ead127abb14a771e1f |
| SHA512 | f0c4f7df0abb7cfe3e5e62356df62a7d5e61d917ca76380d8c833ec4458dfce7fb186aabedcb7ed8456d9b9612bb84f79b376b062818d88e541bf409a6799bce |
C:\Windows\System\diOJdJg.exe
| MD5 | fba8a9f649875e5fab53095d4f8b85a7 |
| SHA1 | 92e649e99a829079587c9814fb05e5c21f116945 |
| SHA256 | 55b2b02bda0c891b4fb0eaa842d28b1a94bb0392cb8d6a49ef0e85f500e5daa4 |
| SHA512 | 486c28c327ece0a7ba57d67f1df08a145129b4b9e045e354e98911efdd558dc1ef81f01a3a87eac33afa3bbcbc39444835609830f4e0f60cccbcf23862d1004b |
memory/1900-113-0x00007FF6FC850000-0x00007FF6FCBA1000-memory.dmp
C:\Windows\System\ugyLYKe.exe
| MD5 | e34785db60d7f9a3347c21ed47940c9c |
| SHA1 | 5951604ec9701124307c394c7f21d366557a399e |
| SHA256 | 566facb98af0f843a63f387958e6c3274dfc723e6b31bb09ef0a8ef84fa84b66 |
| SHA512 | 880929736ed49fbdd4fc35f81168b1f1552cb56aa61b56a292bafe290dfab00b68bec7025dec753ec74494720bae8c0bd9aefde82b23be4f4f583fea970b6a5d |
memory/5116-109-0x00007FF76E970000-0x00007FF76ECC1000-memory.dmp
C:\Windows\System\LXHdFrW.exe
| MD5 | 6d1eea16fefb7b73780e933e5a977ba0 |
| SHA1 | 64066e97a8f3ea8c37b13b513dd1f6d6519666fb |
| SHA256 | 96098d42405625ccae5e7b0cc18a0d5190dd7e4acf2be7505498b466071fdec3 |
| SHA512 | e408b55a902f8a06b7e200a4b24873ad3dc0f163f29c911adb049e38029f9d2d531e1c3ed46a4a87407ad6f3ebb3e3b9d235140bad37bbc6ecf215675605a8c0 |
memory/2184-99-0x00007FF77FF60000-0x00007FF7802B1000-memory.dmp
C:\Windows\System\vpCnVoz.exe
| MD5 | 0cddf3bc67dac57a372adb098115cf9b |
| SHA1 | 9e9f9abc4605ba093d6c7c0d7e2852daa78094d6 |
| SHA256 | 5be3aeec8d8ef7363554e3f9a4fbd7edb3f1257fe930bfecbea9b19882e860cf |
| SHA512 | 75c7eb3fdfac0677bd629f54bb7c72e81007158a6b455e8020f66baf8b70c003c46b2e9fb286d97be6847d2c90d05e8cc4be7b1b6df120e60f27572ece201d1a |
memory/1044-91-0x00007FF6DFC70000-0x00007FF6DFFC1000-memory.dmp
C:\Windows\System\zHqjFzl.exe
| MD5 | 2d9d510bd4b3878851d99fabdf8ea57d |
| SHA1 | 2ec5d95030192e8710981f27ac8cfe309068781d |
| SHA256 | eeea7ae040739f9ec4af8e6fae3207616de2c5d345bc1815b739720f23f0864b |
| SHA512 | 83f9fd12cd26d8413250c2a50e1d3e60523502bf85159ac1b2cc507eb9fde13b2c8114ac7ef3464d289e2ca12358942514f7cfe1c766fcf30bca65b1a3c6541e |
C:\Windows\System\hwwfCXL.exe
| MD5 | 1a1b7cdf7d3e8f897aab6f4614b98b58 |
| SHA1 | 4002f21cd0f458b53d810330f9f094371995a1fa |
| SHA256 | 02880b79a326fd2c21544688fabd5a4024bc9e3bfc712b50e9fd039e6b2c4377 |
| SHA512 | e132a530f090be5b8775fc5b1f0de9ea15fca2cfa785791bf8fff796102cbfbf97c2f36e85acc19204cca3cc34c6e8cf1271ba6ed7bf6a50b56efc6a6e8986bd |
memory/4656-80-0x00007FF6985F0000-0x00007FF698941000-memory.dmp
memory/4140-77-0x00007FF7950A0000-0x00007FF7953F1000-memory.dmp
C:\Windows\System\TvDjbZM.exe
| MD5 | ba49e5c0c6c5aed590147a46e9b0b308 |
| SHA1 | 7bd460295d3c6d8d64ea74cde415d2db33a046fa |
| SHA256 | 58438aa957e96462585e43f1872d09180950f491388f987494bd1134fff2a504 |
| SHA512 | aa42a873871451643eab203eae5583f511aba3435c667e040c7de23f344169133cfe2525b112fdb8c62cf4e3f05071d0ad1100cb2cb0875083bacde34e346483 |
C:\Windows\System\kMISiZL.exe
| MD5 | 3073309b2bf2e5dd23626e72ca46498b |
| SHA1 | 484350d2430b3de59be1fea6640fb7f3d19070dc |
| SHA256 | be74055e61153dedbc717bf0920ad35c4f010b1eb2baf646598fc8aee7d85e61 |
| SHA512 | 2204515aca43658a5d808e4d5082d5dd74a25239e31352464fcb3da23537ad6d90f147e81fc05cbb326ff9128eee50af67a9d04fd58658bfba1a86dfbc8e04a2 |
memory/2608-61-0x00007FF6B9A20000-0x00007FF6B9D71000-memory.dmp
memory/4772-55-0x00007FF6E9570000-0x00007FF6E98C1000-memory.dmp
C:\Windows\System\dgUaZoL.exe
| MD5 | 9b8beac340060b5dd5fdd6cffea3c2f6 |
| SHA1 | 7e5da47578bded9e2917c5836c8e4bc4460763da |
| SHA256 | 19be3228d2bf06b6b3e5841dffd9cf3c91f2f5a26eff43be404f893f4603cb4a |
| SHA512 | 11ae290e47af2b602e841a63e140af7e8f9ac5416b7424c66a0484ac310fe6d0e2781b5e5e17c25e906d1d2499adabf36956fc036e7ccf75469b496f0c64ae1a |
memory/3480-45-0x00007FF7AE710000-0x00007FF7AEA61000-memory.dmp
memory/2732-42-0x00007FF634400000-0x00007FF634751000-memory.dmp
C:\Windows\System\FGasiot.exe
| MD5 | 1763d6b430f6140e707b1eddf0087f71 |
| SHA1 | 5358132fe6d169fc6246f950a98f46f51974c924 |
| SHA256 | 3bc8a1fee33359fdd6dd2ff772dc75e6fa55ebe6096067d71d1b874d83cd48bc |
| SHA512 | 09e2b96a272d462369912fcfeaaf2f4a4c8feedfd4ae86c65dfd54ba234705284187e4d0c3fb8dc25d1a11c1e73bdb5f8d058da279619541fefbe9cd371fb11c |
memory/3268-128-0x00007FF66A090000-0x00007FF66A3E1000-memory.dmp
memory/5100-129-0x00007FF6C4E50000-0x00007FF6C51A1000-memory.dmp
memory/2184-144-0x00007FF77FF60000-0x00007FF7802B1000-memory.dmp
memory/1900-149-0x00007FF6FC850000-0x00007FF6FCBA1000-memory.dmp
memory/1212-146-0x00007FF6C2DD0000-0x00007FF6C3121000-memory.dmp
memory/5116-145-0x00007FF76E970000-0x00007FF76ECC1000-memory.dmp
memory/1044-143-0x00007FF6DFC70000-0x00007FF6DFFC1000-memory.dmp
memory/4656-140-0x00007FF6985F0000-0x00007FF698941000-memory.dmp
memory/4140-139-0x00007FF7950A0000-0x00007FF7953F1000-memory.dmp
memory/4772-136-0x00007FF6E9570000-0x00007FF6E98C1000-memory.dmp
memory/3268-150-0x00007FF66A090000-0x00007FF66A3E1000-memory.dmp
memory/3268-172-0x00007FF66A090000-0x00007FF66A3E1000-memory.dmp
memory/5100-196-0x00007FF6C4E50000-0x00007FF6C51A1000-memory.dmp
memory/4964-198-0x00007FF731770000-0x00007FF731AC1000-memory.dmp
memory/3960-200-0x00007FF7E39F0000-0x00007FF7E3D41000-memory.dmp
memory/2732-202-0x00007FF634400000-0x00007FF634751000-memory.dmp
memory/3480-204-0x00007FF7AE710000-0x00007FF7AEA61000-memory.dmp
memory/2608-207-0x00007FF6B9A20000-0x00007FF6B9D71000-memory.dmp
memory/3068-210-0x00007FF7D3020000-0x00007FF7D3371000-memory.dmp
memory/4772-209-0x00007FF6E9570000-0x00007FF6E98C1000-memory.dmp
memory/1996-212-0x00007FF7A1AF0000-0x00007FF7A1E41000-memory.dmp
memory/5020-214-0x00007FF7BFAA0000-0x00007FF7BFDF1000-memory.dmp
memory/4656-218-0x00007FF6985F0000-0x00007FF698941000-memory.dmp
memory/4140-217-0x00007FF7950A0000-0x00007FF7953F1000-memory.dmp
memory/1044-220-0x00007FF6DFC70000-0x00007FF6DFFC1000-memory.dmp
memory/4344-231-0x00007FF739DB0000-0x00007FF73A101000-memory.dmp
memory/3284-232-0x00007FF7F8F00000-0x00007FF7F9251000-memory.dmp
memory/1900-234-0x00007FF6FC850000-0x00007FF6FCBA1000-memory.dmp
memory/5116-228-0x00007FF76E970000-0x00007FF76ECC1000-memory.dmp
memory/2184-224-0x00007FF77FF60000-0x00007FF7802B1000-memory.dmp
memory/2416-223-0x00007FF7E0F70000-0x00007FF7E12C1000-memory.dmp
memory/2816-227-0x00007FF6DCB90000-0x00007FF6DCEE1000-memory.dmp
memory/1212-240-0x00007FF6C2DD0000-0x00007FF6C3121000-memory.dmp