Analysis Overview
SHA256
f1309518287aa8a382d365feaa0119802e679d8d45126cc2ad6ff7fa180f9498
Threat Level: Known bad
The file 2024-05-27_69aa1b678637578c28b026fc142bed53_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobaltstrike family
UPX dump on OEP (original entry point)
xmrig
Detects Reflective DLL injection artifacts
Xmrig family
XMRig Miner payload
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-27 03:51
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 03:51
Reported
2024-05-27 03:53
Platform
win7-20240221-en
Max time kernel
134s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\BLzSxtl.exe | N/A |
| N/A | N/A | C:\Windows\System\aANTiwf.exe | N/A |
| N/A | N/A | C:\Windows\System\WMfeLAa.exe | N/A |
| N/A | N/A | C:\Windows\System\nTPvPlE.exe | N/A |
| N/A | N/A | C:\Windows\System\GIXhzfR.exe | N/A |
| N/A | N/A | C:\Windows\System\tQswNbh.exe | N/A |
| N/A | N/A | C:\Windows\System\gSlRLAn.exe | N/A |
| N/A | N/A | C:\Windows\System\YSXGSar.exe | N/A |
| N/A | N/A | C:\Windows\System\qEHEnAp.exe | N/A |
| N/A | N/A | C:\Windows\System\YouTmGi.exe | N/A |
| N/A | N/A | C:\Windows\System\SAxNavL.exe | N/A |
| N/A | N/A | C:\Windows\System\lSKYrxp.exe | N/A |
| N/A | N/A | C:\Windows\System\ctKxrGF.exe | N/A |
| N/A | N/A | C:\Windows\System\czxwAJm.exe | N/A |
| N/A | N/A | C:\Windows\System\lLWdcLJ.exe | N/A |
| N/A | N/A | C:\Windows\System\fXhYzSt.exe | N/A |
| N/A | N/A | C:\Windows\System\XtNqFyx.exe | N/A |
| N/A | N/A | C:\Windows\System\GWCziHN.exe | N/A |
| N/A | N/A | C:\Windows\System\QWCDoHg.exe | N/A |
| N/A | N/A | C:\Windows\System\pAOSQBz.exe | N/A |
| N/A | N/A | C:\Windows\System\xXNWANy.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_69aa1b678637578c28b026fc142bed53_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_69aa1b678637578c28b026fc142bed53_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-27_69aa1b678637578c28b026fc142bed53_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_69aa1b678637578c28b026fc142bed53_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\BLzSxtl.exe
C:\Windows\System\BLzSxtl.exe
C:\Windows\System\aANTiwf.exe
C:\Windows\System\aANTiwf.exe
C:\Windows\System\WMfeLAa.exe
C:\Windows\System\WMfeLAa.exe
C:\Windows\System\nTPvPlE.exe
C:\Windows\System\nTPvPlE.exe
C:\Windows\System\GIXhzfR.exe
C:\Windows\System\GIXhzfR.exe
C:\Windows\System\tQswNbh.exe
C:\Windows\System\tQswNbh.exe
C:\Windows\System\gSlRLAn.exe
C:\Windows\System\gSlRLAn.exe
C:\Windows\System\YSXGSar.exe
C:\Windows\System\YSXGSar.exe
C:\Windows\System\qEHEnAp.exe
C:\Windows\System\qEHEnAp.exe
C:\Windows\System\YouTmGi.exe
C:\Windows\System\YouTmGi.exe
C:\Windows\System\SAxNavL.exe
C:\Windows\System\SAxNavL.exe
C:\Windows\System\lSKYrxp.exe
C:\Windows\System\lSKYrxp.exe
C:\Windows\System\ctKxrGF.exe
C:\Windows\System\ctKxrGF.exe
C:\Windows\System\czxwAJm.exe
C:\Windows\System\czxwAJm.exe
C:\Windows\System\lLWdcLJ.exe
C:\Windows\System\lLWdcLJ.exe
C:\Windows\System\fXhYzSt.exe
C:\Windows\System\fXhYzSt.exe
C:\Windows\System\XtNqFyx.exe
C:\Windows\System\XtNqFyx.exe
C:\Windows\System\GWCziHN.exe
C:\Windows\System\GWCziHN.exe
C:\Windows\System\QWCDoHg.exe
C:\Windows\System\QWCDoHg.exe
C:\Windows\System\pAOSQBz.exe
C:\Windows\System\pAOSQBz.exe
C:\Windows\System\xXNWANy.exe
C:\Windows\System\xXNWANy.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/2972-0-0x000000013F9B0000-0x000000013FD04000-memory.dmp
memory/2972-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\BLzSxtl.exe
| MD5 | 7119c19ec6ad843cbbc15aafa59c4af0 |
| SHA1 | 13bfa2b7d5fa0ea54309cddbc57faf79d8eb5fc3 |
| SHA256 | dd72c84729b30cddf286bfc9c3505711c59a368e3c627581afd8b2ecca5cd33a |
| SHA512 | aeeeb269e664770921ede082158c0911c7a4ac8f5349189e45799cc2c7476a1f881acbe2567e3424af5944e0a5b5512adb1ffbab180ce97284f0836bdfd841b6 |
C:\Windows\system\aANTiwf.exe
| MD5 | 55bb7c102f5ce2b8ada5b3f9ebe01d6b |
| SHA1 | 071dcbf0f70f2bf18eedc07d1b0b9bcba20aa325 |
| SHA256 | e979675f6e1698027283e5f08388ba5a2f22f9213ea9fbd334f669b13eeb5a9e |
| SHA512 | ec54e194ce3072138810c617cb154728b271dadba463a21e15189217e8b1036d3be3d907631caabef40b2f50291ad988b41571e21728fbfab41936f2f5c99276 |
C:\Windows\system\WMfeLAa.exe
| MD5 | 8d451d40ae8ac3fcd87cf257d55c3d0e |
| SHA1 | dbaeda648506c91034d9cce8d62bff1e2848ec25 |
| SHA256 | d9ddde77cd3a02fbed9b8115075117c526e7a275ecbcbb297ad4bd8574652fef |
| SHA512 | a0c850ebce0178a9d60b9f8ee325dd7d06fe4ab901cb2469417f9e04ae710044f58be3c20d1553519a740581e9c1b582b45a8c2cc0d414f1f1b1e85b8fcc0bde |
memory/2972-10-0x000000013F5F0000-0x000000013F944000-memory.dmp
C:\Windows\system\nTPvPlE.exe
| MD5 | e4d9263df3d8a85e5716ae6809a4b8a3 |
| SHA1 | b16d6d6500a5da9065a05a6df4ad42210512bd31 |
| SHA256 | 4451b093a51f122aa3a4ed642d9f50500de7c38fb542e06514ac275145877cf5 |
| SHA512 | 99d54699a48f9dc83f4fb3a9fc4cd10aa27cf77379136d29eb87e876d1546070f4a8c7c33a1e388d8ccdffd9059eaf0d04152324ef789298977c3f616d650bf7 |
C:\Windows\system\GIXhzfR.exe
| MD5 | d592ed76db2ee8a63357a43a2dcd5951 |
| SHA1 | 5f4c62ec4c881a461435a1878e67aafb14d10546 |
| SHA256 | a35d748a77f54298c25d226405f605ce04593eb7e43630562d88bd5b7597d1c9 |
| SHA512 | 75c76cc4ec250dfbaa926bdd527a971479fb573e217a765aae6707c8a1c35a65d5df8cbc4cc01ffb0bfec3bbe979d291161449380766fe46e274a8963c257924 |
C:\Windows\system\tQswNbh.exe
| MD5 | 21d387edc4f38838ba21bf029767a124 |
| SHA1 | b04aad8d10e38bfb3e9dbb0a726edacffb290ecf |
| SHA256 | 2362cb16175e580ddf792dfa862f50e51c30f598143d49ec6de473a96dfde18b |
| SHA512 | 34e59348cc968d8e9fda4f933f19fb040db23810c7e2d82d4022b2c21df130ab66b668528ef63a5180f8ede1f26d67dd565157819173c16a54c40468bcdb2f64 |
C:\Windows\system\gSlRLAn.exe
| MD5 | 928badd3d0aa11ddfe1b7d1c4456c402 |
| SHA1 | 07464dd6d832d8688ae2cd937b94d15e64c26ca6 |
| SHA256 | 938471901b2a7a7c0e0a15d9de86a8502ddb2ab373a412d82833b0406b9c3eb5 |
| SHA512 | 9eccf263265aa4358307ae41aac3b12aa6ef88ada28bf55822c82b564c4f37644a0c0dc79156aef7ffc3a95b29e2615f505d5dd8952b0619ef922143350cde1e |
C:\Windows\system\YouTmGi.exe
| MD5 | 83e644f7597db9eb55af7d44605e08d9 |
| SHA1 | 70f6ea583d57da221edcf57a49a4626bf678ad31 |
| SHA256 | 03e9eda159a369d498b138da69d283fb92ec3d2cc96b08bd1fc08b26d1f2ce2e |
| SHA512 | 570d5cb0f6774df720c7b28b8cce2f56910133b56ba125a7db4f1fd3736b5515dc3c688d3166116cb8cd8651c6a6110736eef3010cc9ced7ae11c1bec0fe0f07 |
C:\Windows\system\ctKxrGF.exe
| MD5 | 57156a7c17643d957d4dbb1368d778f7 |
| SHA1 | df35014170bb6b41de36ebb217b28fa101f99a67 |
| SHA256 | f0176a3994e793d6de4b2e1a34c77b4dd7feb0a7902a6c8859d4d2db8c971aaa |
| SHA512 | efa03977f7bf6a52de0788be155a48f5dd4a251787eaba9ed4ebfb4670f41b90ab0af913ecaf7201bea407ec58b8bfb89383146c6a90d96f6bfb0a4c7969cc78 |
C:\Windows\system\czxwAJm.exe
| MD5 | 98a0d0d2b4602e0fa8b99e1c3c711edd |
| SHA1 | c3bdd5bb08298abd27e49cfbac3465771fb388c8 |
| SHA256 | 60f50809b3e12ca1d8947734aeb8921696d44fdfdfc6bafff2d9ff1cc9b8eda1 |
| SHA512 | c50aa8298c7b23d660804fab320533ef8720cc383de422fba65801df564a4decba9152d10f51124139603ccc5a56eb2c158f18629749e816de60c47063cd3724 |
C:\Windows\system\QWCDoHg.exe
| MD5 | 41e0b9c775a2994b62fb5abb39ed09b4 |
| SHA1 | 03ab405e8fcee64f6b26c14b576dd6ec6a58c7b3 |
| SHA256 | f03c7e83ceb1e61eed64dadf66401b50b5cd982a725fef395ce16e04a1926bfb |
| SHA512 | c104bb344dea0c3aa5efd9b11f15a1a2890ff4ce29879abb97a70c990b6bd62a7adcde6c676fa19c6c1ab3560991409704fa5e4e7f02e1340b06450878b53403 |
\Windows\system\xXNWANy.exe
| MD5 | 246eaddb0759745a2a07fcf3a2fc7702 |
| SHA1 | e4a3cb7fcea8cd49cd534e2ca9feeac6ce8c181b |
| SHA256 | 401cf35efce5fb8e65714926dea3dcb34de83699d5f86c9776f451ed8072543e |
| SHA512 | dffeb7ef3a48874406fa906bf684a15c4fd7a78f7389f223ad2e2bf3de508e2728f2ae949de0d81bcd2bda68b078cff7dcb177af7c172be162539befc1109566 |
C:\Windows\system\pAOSQBz.exe
| MD5 | f8e8bd1062c26a1220e12e9e098baab6 |
| SHA1 | a4d3481f1d12d693937a79c849c0d9457f094fbc |
| SHA256 | 23918855da4f909b342939be7dadb603a7d80a0a6eb96431b2cc623e05bb95e1 |
| SHA512 | 38a68d860c806ae1f499bd0cb9400edb0f2d73fdbd933a7e014a25cedf6dd027be87045085a55cdc6086a3a55f761925a86ed97a64cfb11edfbde6c60b394f3b |
C:\Windows\system\GWCziHN.exe
| MD5 | 732b6d5fd17a2519b264eb3a7aef3a0c |
| SHA1 | 455ddd3af4de89858ef8812766698755bd7e9226 |
| SHA256 | 52b17363bb6e92a88de4e3e899722f552ee22e408be40e9715fe95ddac0c8bac |
| SHA512 | 6d253839f72ea7a6f97f284fa14a5fb90e14a9910fac25381d7f6f080d1f88b201941ed39fa9bdf1013e25ed202b4859398914f8115e2057f04bcf6e671a2a12 |
C:\Windows\system\XtNqFyx.exe
| MD5 | 0f4651496b77d9ffd48bcc7235e64015 |
| SHA1 | e3d85daef7ea8e2826b2f4eb401d2c1594ec0391 |
| SHA256 | 944533a21c7bd3d0c94bc88294a82aaddd012244b752dbfc50dce36072300283 |
| SHA512 | c37e1f62be234ddde0e686f2bd7dc70c4b50df3264c13320a198128a86d9b702ed257ab14db666f3fef8156a0550c8e999659fbb6ee4bbe8fe42037841185af6 |
C:\Windows\system\fXhYzSt.exe
| MD5 | 6ff7bb24d366272e3a8e7b6ddfa02f1f |
| SHA1 | 3f47f7d13958c578a319e3adfd777aeefe3bce0f |
| SHA256 | 219af7eeee3d32196a24de7e1912d39bc91ecd9e17de39f754623e239eef2ea5 |
| SHA512 | 1890c0e1d13d57befb30829c9313debd736558b312c95b05fbeb38033bed2a3470c96df8f748f872b9cf26251b910f4771ceb3fc74b612804bd1180043ea94cb |
C:\Windows\system\lLWdcLJ.exe
| MD5 | 8f03e70aff8ff475677dec588b886c4c |
| SHA1 | 163299d8278302932f60f13b55b0f0e037d451e4 |
| SHA256 | 04b1a066870e7e765055698d18fa4f481d54e0253ee4d48977a82cd4b7ec92ea |
| SHA512 | e6eb0c1bb7955e66fda169f46f66dbdae5b3c3685fa17449ee18434d857c49b70e1a567a6839a2da08a11966ec73fbecaaada67e8ed5121da507ccd37fe898a3 |
memory/2640-110-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2972-112-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/2544-113-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/2568-111-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2972-109-0x0000000002340000-0x0000000002694000-memory.dmp
memory/2504-108-0x000000013F5F0000-0x000000013F944000-memory.dmp
C:\Windows\system\lSKYrxp.exe
| MD5 | 62c29844e3cb1cc85a8aa2889913c877 |
| SHA1 | 48afddf280fb64ffe89c3170c44e69475348f411 |
| SHA256 | d3cb1802d6a875d176ce111f6bcf302ebd9abb5dfc767b9286d43cbcfd223b64 |
| SHA512 | de949c41c8117166dc82a23b4ad839c8eefa7b464738853cbe1ef3b8d823f76d6f902a01a49651f01f8f2011cfc0367bd15244ef408a02e0341c0d9647381789 |
C:\Windows\system\SAxNavL.exe
| MD5 | 3020ed23cbcca24cc8bfd5d406f02269 |
| SHA1 | 2ee91cf9a6fecb6ae319402f1cd5062bd9779cdd |
| SHA256 | 684948450d6611c6c2d1a2ed00edceb0c4a4f36fc8c10c7d85ce2110a804008f |
| SHA512 | 7563b5650eddfaef08d30d9ca01957ee84c4d326c2734882501ad1128fbb74c2713f637d43f1ca37f9f33f5ed2dbe2512bf02f290fef3ced4e3663341f1ff2b5 |
C:\Windows\system\qEHEnAp.exe
| MD5 | 2212ab3c878623e87a39a9ecc0c755ea |
| SHA1 | 5d8accfb5ff59be60de56c16c0de6c7910939d28 |
| SHA256 | 8abca1adb1ccf38b970f510ad9f73703715900b06dcaf59d69e1d0b0f5dade26 |
| SHA512 | f3f4785d6df3da11846c1f75412ab7fd68af199d4c3fa16ab0418ab3b88faf54f3d8d344e630da5521223abe12073ffc766f9947e396e99206d3b35ff187034f |
C:\Windows\system\YSXGSar.exe
| MD5 | 5a7c253479e7e0cb52f27e321e8fd5af |
| SHA1 | d1cbe64f5c8fec20afa031c7ed34840708f959ae |
| SHA256 | de8ec7c30190994e042c4113ae0468e8b703bda137c012fa24becf4b7e008fb1 |
| SHA512 | 14e39e2184b12bcaf1dde6c0bf60d4c77e706f4e35ea00d3af3cb5640887933134990c0560131e0bdab72f5731dba4de7024286a58c54de6f6cdb38a47735fe8 |
memory/2948-117-0x000000013FA90000-0x000000013FDE4000-memory.dmp
memory/2460-118-0x000000013F9D0000-0x000000013FD24000-memory.dmp
memory/2972-121-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2296-125-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2552-127-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2972-126-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2972-124-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2916-123-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2484-120-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2908-122-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2408-119-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2724-116-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2972-115-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2824-114-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2972-128-0x000000013F9B0000-0x000000013FD04000-memory.dmp
memory/2504-129-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2640-130-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2552-131-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2568-132-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2544-133-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/2824-134-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2724-135-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2460-136-0x000000013F9D0000-0x000000013FD24000-memory.dmp
memory/2948-137-0x000000013FA90000-0x000000013FDE4000-memory.dmp
memory/2484-139-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2408-138-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2908-141-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2916-140-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2296-142-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2504-143-0x000000013F5F0000-0x000000013F944000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 03:51
Reported
2024-05-27 03:53
Platform
win10v2004-20240426-en
Max time kernel
140s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\KIXIsVO.exe | N/A |
| N/A | N/A | C:\Windows\System\cBubopG.exe | N/A |
| N/A | N/A | C:\Windows\System\PnRTCnk.exe | N/A |
| N/A | N/A | C:\Windows\System\VaAiaQU.exe | N/A |
| N/A | N/A | C:\Windows\System\LtOKLTJ.exe | N/A |
| N/A | N/A | C:\Windows\System\IIgMMQS.exe | N/A |
| N/A | N/A | C:\Windows\System\JIUVgNG.exe | N/A |
| N/A | N/A | C:\Windows\System\kwmCJxM.exe | N/A |
| N/A | N/A | C:\Windows\System\wBqGgKn.exe | N/A |
| N/A | N/A | C:\Windows\System\PQmBFTR.exe | N/A |
| N/A | N/A | C:\Windows\System\prqcnQw.exe | N/A |
| N/A | N/A | C:\Windows\System\ltxnrow.exe | N/A |
| N/A | N/A | C:\Windows\System\oKOgIfW.exe | N/A |
| N/A | N/A | C:\Windows\System\JXNlayt.exe | N/A |
| N/A | N/A | C:\Windows\System\iwcOVuF.exe | N/A |
| N/A | N/A | C:\Windows\System\yMiyGWm.exe | N/A |
| N/A | N/A | C:\Windows\System\GyqldMu.exe | N/A |
| N/A | N/A | C:\Windows\System\VvmzbRn.exe | N/A |
| N/A | N/A | C:\Windows\System\fLvpTLo.exe | N/A |
| N/A | N/A | C:\Windows\System\iNMDxqF.exe | N/A |
| N/A | N/A | C:\Windows\System\XElfPmE.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_69aa1b678637578c28b026fc142bed53_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_69aa1b678637578c28b026fc142bed53_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-27_69aa1b678637578c28b026fc142bed53_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_69aa1b678637578c28b026fc142bed53_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\KIXIsVO.exe
C:\Windows\System\KIXIsVO.exe
C:\Windows\System\cBubopG.exe
C:\Windows\System\cBubopG.exe
C:\Windows\System\PnRTCnk.exe
C:\Windows\System\PnRTCnk.exe
C:\Windows\System\VaAiaQU.exe
C:\Windows\System\VaAiaQU.exe
C:\Windows\System\LtOKLTJ.exe
C:\Windows\System\LtOKLTJ.exe
C:\Windows\System\IIgMMQS.exe
C:\Windows\System\IIgMMQS.exe
C:\Windows\System\JIUVgNG.exe
C:\Windows\System\JIUVgNG.exe
C:\Windows\System\kwmCJxM.exe
C:\Windows\System\kwmCJxM.exe
C:\Windows\System\wBqGgKn.exe
C:\Windows\System\wBqGgKn.exe
C:\Windows\System\PQmBFTR.exe
C:\Windows\System\PQmBFTR.exe
C:\Windows\System\prqcnQw.exe
C:\Windows\System\prqcnQw.exe
C:\Windows\System\ltxnrow.exe
C:\Windows\System\ltxnrow.exe
C:\Windows\System\oKOgIfW.exe
C:\Windows\System\oKOgIfW.exe
C:\Windows\System\JXNlayt.exe
C:\Windows\System\JXNlayt.exe
C:\Windows\System\iwcOVuF.exe
C:\Windows\System\iwcOVuF.exe
C:\Windows\System\GyqldMu.exe
C:\Windows\System\GyqldMu.exe
C:\Windows\System\VvmzbRn.exe
C:\Windows\System\VvmzbRn.exe
C:\Windows\System\yMiyGWm.exe
C:\Windows\System\yMiyGWm.exe
C:\Windows\System\fLvpTLo.exe
C:\Windows\System\fLvpTLo.exe
C:\Windows\System\iNMDxqF.exe
C:\Windows\System\iNMDxqF.exe
C:\Windows\System\XElfPmE.exe
C:\Windows\System\XElfPmE.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 52.111.227.11:443 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files