Analysis Overview
SHA256
a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460
Threat Level: Known bad
The file 2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
XMRig Miner payload
Xmrig family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
xmrig
UPX dump on OEP (original entry point)
Cobaltstrike family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:55
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:55
Reported
2024-06-01 07:57
Platform
win7-20240221-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\nwXurGG.exe | N/A |
| N/A | N/A | C:\Windows\System\vjfpiKj.exe | N/A |
| N/A | N/A | C:\Windows\System\lxmwTDG.exe | N/A |
| N/A | N/A | C:\Windows\System\pQCqbUI.exe | N/A |
| N/A | N/A | C:\Windows\System\EzPKnMd.exe | N/A |
| N/A | N/A | C:\Windows\System\spITKIO.exe | N/A |
| N/A | N/A | C:\Windows\System\xhhoTDZ.exe | N/A |
| N/A | N/A | C:\Windows\System\Dkwkpja.exe | N/A |
| N/A | N/A | C:\Windows\System\hyROmcJ.exe | N/A |
| N/A | N/A | C:\Windows\System\YifVxuv.exe | N/A |
| N/A | N/A | C:\Windows\System\NlMZJXD.exe | N/A |
| N/A | N/A | C:\Windows\System\ygnCTRw.exe | N/A |
| N/A | N/A | C:\Windows\System\VXteBTM.exe | N/A |
| N/A | N/A | C:\Windows\System\JaEGPYq.exe | N/A |
| N/A | N/A | C:\Windows\System\eIyTbXF.exe | N/A |
| N/A | N/A | C:\Windows\System\XmCidiP.exe | N/A |
| N/A | N/A | C:\Windows\System\crYhWcN.exe | N/A |
| N/A | N/A | C:\Windows\System\CvTGqli.exe | N/A |
| N/A | N/A | C:\Windows\System\rlYnjPy.exe | N/A |
| N/A | N/A | C:\Windows\System\SqxHQsW.exe | N/A |
| N/A | N/A | C:\Windows\System\ZNbjOHL.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\nwXurGG.exe
C:\Windows\System\vjfpiKj.exe
C:\Windows\System\lxmwTDG.exe
C:\Windows\System\xhhoTDZ.exe
C:\Windows\System\pQCqbUI.exe
C:\Windows\System\JaEGPYq.exe
C:\Windows\System\EzPKnMd.exe
C:\Windows\System\eIyTbXF.exe
C:\Windows\System\spITKIO.exe
C:\Windows\System\XmCidiP.exe
C:\Windows\System\Dkwkpja.exe
C:\Windows\System\crYhWcN.exe
C:\Windows\System\hyROmcJ.exe
C:\Windows\System\CvTGqli.exe
C:\Windows\System\YifVxuv.exe
C:\Windows\System\rlYnjPy.exe
C:\Windows\System\NlMZJXD.exe
C:\Windows\System\SqxHQsW.exe
C:\Windows\System\ygnCTRw.exe
C:\Windows\System\ZNbjOHL.exe
C:\Windows\System\VXteBTM.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 07:55
Reported
2024-06-01 07:57
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dzHwvll.exe | N/A |
| N/A | N/A | C:\Windows\System\tjyicQQ.exe | N/A |
| N/A | N/A | C:\Windows\System\sWBHcYw.exe | N/A |
| N/A | N/A | C:\Windows\System\HZoAJQJ.exe | N/A |
| N/A | N/A | C:\Windows\System\sXTFXnQ.exe | N/A |
| N/A | N/A | C:\Windows\System\upRrRbF.exe | N/A |
| N/A | N/A | C:\Windows\System\iAXOKzK.exe | N/A |
| N/A | N/A | C:\Windows\System\SfiYkIk.exe | N/A |
| N/A | N/A | C:\Windows\System\msZRRyQ.exe | N/A |
| N/A | N/A | C:\Windows\System\fKKBCVp.exe | N/A |
| N/A | N/A | C:\Windows\System\gtEeUGp.exe | N/A |
| N/A | N/A | C:\Windows\System\kZlSWlG.exe | N/A |
| N/A | N/A | C:\Windows\System\VXDSYDj.exe | N/A |
| N/A | N/A | C:\Windows\System\VYMfWLr.exe | N/A |
| N/A | N/A | C:\Windows\System\jxhkDLA.exe | N/A |
| N/A | N/A | C:\Windows\System\ICOTGVy.exe | N/A |
| N/A | N/A | C:\Windows\System\PbfQnDO.exe | N/A |
| N/A | N/A | C:\Windows\System\SBJAjdx.exe | N/A |
| N/A | N/A | C:\Windows\System\jzvQnFo.exe | N/A |
| N/A | N/A | C:\Windows\System\gAdxgSF.exe | N/A |
| N/A | N/A | C:\Windows\System\nreVmuG.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\dzHwvll.exe
C:\Windows\System\tjyicQQ.exe
C:\Windows\System\sWBHcYw.exe
C:\Windows\System\HZoAJQJ.exe
C:\Windows\System\sXTFXnQ.exe
C:\Windows\System\upRrRbF.exe
C:\Windows\System\iAXOKzK.exe
C:\Windows\System\SfiYkIk.exe
C:\Windows\System\msZRRyQ.exe
C:\Windows\System\fKKBCVp.exe
C:\Windows\System\gtEeUGp.exe
C:\Windows\System\kZlSWlG.exe
C:\Windows\System\VYMfWLr.exe
C:\Windows\System\VXDSYDj.exe
C:\Windows\System\jxhkDLA.exe
C:\Windows\System\ICOTGVy.exe
C:\Windows\System\PbfQnDO.exe
C:\Windows\System\SBJAjdx.exe
C:\Windows\System\jzvQnFo.exe
C:\Windows\System\gAdxgSF.exe
C:\Windows\System\nreVmuG.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
C:\Windows\System\msZRRyQ.exe
| MD5 | 8f3b3dfd82813cd0711da7b6a3b65d61 |
| SHA1 | 157ee6862c91191ae76291b766d220da230ff1c9 |
| SHA256 | 5797f90518f54a187754463ed2d893d12f9d5f6673b09eaba2177519a9cbd1e4 |
| SHA512 | 7c2bb15f0a3277357cb8b7454b4081b7f644834985e7c3285a913aacd20a3da0d73f63ace9fca3e39c1cfd246cfb660d3f723a61e4f81d3b6b7ac4926450ca21 |
C:\Windows\System\fKKBCVp.exe
| MD5 | 309a9650d9597dc481f9b7964946a114 |
| SHA1 | aa601cf994467f0b256b59901acf644266dae677 |
| SHA256 | 9034e348c9b5717b8ecc5c5e8ea64cb46002e8ee348903ff7efa4e552f3ca9fb |
| SHA512 | b708876c731f725b3b28e849a94d432c15d04d28443391e293252456a35ae9d83148f3d87989e55796e02c1c11b4a7e36254dddbbbba9bcf718e391c9e1cc283 |
memory/2356-54-0x00007FF7F8A60000-0x00007FF7F8DB4000-memory.dmp
memory/2344-48-0x00007FF69C5B0000-0x00007FF69C904000-memory.dmp
memory/2468-63-0x00007FF774050000-0x00007FF7743A4000-memory.dmp
memory/1264-62-0x00007FF6F9C70000-0x00007FF6F9FC4000-memory.dmp
C:\Windows\System\gtEeUGp.exe
| MD5 | 50f9747791af1d7163a981d2fc60bb9a |
| SHA1 | 3b2458481b2b7853433d9eb9780b65c88e4ce397 |
| SHA256 | b3d9f904f1ba42ee137b8512e2fbeb72b0de296c5949633c4cd20929473e98ab |
| SHA512 | b5a4829d0b55856220e479fd9b44b5b371591a261ba5f37876ad193dbe28d59d614cf80ae8c20292eeba49fd02fcf2124b8247088662936f936ab33d72fcc4cf |
C:\Windows\System\kZlSWlG.exe
| MD5 | dea2042370c36635650ead1894477de0 |
| SHA1 | 51b7bde4b15457d5d67df3abc835e82594a7274a |
| SHA256 | 5b83c798554aa4bbdbf49657e2ef5a1d9c9c5d029e258f17e43debb1569063d0 |
| SHA512 | fa671e3dbf2a2cee9737a4257dd66ffdd45eb42008316a4c3c255e9406f6f9857aff71249f475536319dd52c87662dd128f39ba29629641a43620b28337af3a2 |
memory/2232-71-0x00007FF7C63D0000-0x00007FF7C6724000-memory.dmp
memory/4032-77-0x00007FF7ADBB0000-0x00007FF7ADF04000-memory.dmp
memory/4948-80-0x00007FF641270000-0x00007FF6415C4000-memory.dmp
C:\Windows\System\VYMfWLr.exe
| MD5 | dd0f540e902474692a7fe7deea99cc1a |
| SHA1 | 8a7ddcd6c1e12bf95adb6a07d6f5353884d574cb |
| SHA256 | 8b45369fffea56a1a460e45362b1d23f9f980d17655a9c8abb4925b2e3f6d032 |
| SHA512 | 5ae4b8570eb0a2049a1709a86a55a2632a24ff035d008cdc538081e9983380c4ac6addcec5e115c42e632c5e44f8f11f23ee4b7c1255713bcdfe830bebef6ad2 |
C:\Windows\System\ICOTGVy.exe
| MD5 | 4985de1a490c03af26ab69d8920702d8 |
| SHA1 | ec533ebc98a757bb4fe2088a4cdd1e78f3dc473e |
| SHA256 | 966be6a9ffbb451bb8eccc070c48e1c8ce420333aabfe8f3762fbbfd6eec0781 |
| SHA512 | d66569a98534f29ce4e096511551ca5c7fc46f89bfdbd4a510072143700e24252877fa614b367c80eb561be2dda7cabd301822d6da3e02d58b50da285be94ffb |
memory/4728-100-0x00007FF6A1D70000-0x00007FF6A20C4000-memory.dmp
memory/4844-104-0x00007FF792C20000-0x00007FF792F74000-memory.dmp
C:\Windows\System\PbfQnDO.exe
| MD5 | 33ff1cc3ec63b99edf5029d00a755097 |
| SHA1 | d5a9b7b873dc10be1ebddd2ad6871758378af17e |
| SHA256 | c0b1ebf08d1c7a300a6a9b0472104efe17d6bc5b5f0dfa4cb6972e7a69c7ea4a |
| SHA512 | 8ba7d55beb6261924992dc9844f2e99478b721eda1f9005a65b8b32824220210a669478f7b2ae4b93ad342b36d6500a97440cfe363f3f24e541b95ee403303f0 |
memory/1448-105-0x00007FF6969E0000-0x00007FF696D34000-memory.dmp
memory/2192-103-0x00007FF6A4230000-0x00007FF6A4584000-memory.dmp
memory/3400-101-0x00007FF7EEA40000-0x00007FF7EED94000-memory.dmp
memory/216-96-0x00007FF7A10A0000-0x00007FF7A13F4000-memory.dmp
C:\Windows\System\jxhkDLA.exe
| MD5 | 7c0401dd3ac1f2e92aed56f4865d65bf |
| SHA1 | fe383aad72319c1d38262cf32085b5bc5c3ea6e1 |
| SHA256 | 95c4407e19e72b2a1ec154233211eb5131daacec2970e54fba51eaeacd6cc465 |
| SHA512 | 957bb2c979b401530e46c3b7fc37971974ffe3788a0dee2d9d8d0226e801191df58812b3c6cf880a9ae4a45e9418d00f68621690bbe31bb53ea69c1472b3b551 |
C:\Windows\System\VXDSYDj.exe
| MD5 | 5fdda00f07edd2647ac00ac9d159b61e |
| SHA1 | 70ad902433a6c4c5a10af363f9301bfdac897db9 |
| SHA256 | dbcfc505a7d0c0ac575de3309c16d72bce94e356fa7b8c2823ab8e8c36d4bd97 |
| SHA512 | 2509d0cacefde716b5a2e54090c0a46f3ae583d661e5fcbe26f8ccf7b18b86f13115e6d3fd04af90aed978def5f8720512f374c03d035e3577289546d413fa63 |
memory/5080-81-0x00007FF6CB2C0000-0x00007FF6CB614000-memory.dmp
memory/4964-114-0x00007FF65CD70000-0x00007FF65D0C4000-memory.dmp
C:\Windows\System\jzvQnFo.exe
| MD5 | 2ecbfda96457574ad0c30b081afd06f1 |
| SHA1 | d7bda12856ab55a6be5f494acf0048d767398336 |
| SHA256 | c8315429133fe0dfa75aa6ae45401df6ab7698352de43a770782ebcd8c1eb999 |
| SHA512 | b96e83b16ead708cc709a471623f8e0cf6c3b78eee7cb88a7803787294067e3465c2b7c8e074d6aad0a0b48b7dff4b2b7845714eb166fad396fd8ce91e569f13 |
memory/1100-119-0x00007FF6E9260000-0x00007FF6E95B4000-memory.dmp
memory/1436-115-0x00007FF7003E0000-0x00007FF700734000-memory.dmp
C:\Windows\System\SBJAjdx.exe
| MD5 | 63ed30d1e16279d00206bd6ce94fc5c4 |
| SHA1 | df9a433b4af7867bd1da3a55637d66cd28be74bb |
| SHA256 | d6e031f37a5def990eff82847c837bb62128e6109a7977fd46fd8640b72d1438 |
| SHA512 | bf705d5f6421ddee1d9d7c8263f27c8cd36e11a2a9f59e129696ccf95f9a1fbec21fea9395b982a2d284fea0e4f26258915c8190e42635a74d3575dc04990de1 |
C:\Windows\System\gAdxgSF.exe
| MD5 | aa29ee563798727ad3c237abd2a0cee5 |
| SHA1 | a0ffda18e599eb67db64f45d5bee8a248e8ab185 |
| SHA256 | 9f6ac87f1bc0c169d1f5e58c4d7069e4b5c6f065ea6c6669be1f0224059fc98c |
| SHA512 | 3dba8718271dea9472951e5a526b70fbc11bce0d5926a6ccac294470839a6e35aee93c87517423b8b13f912f815392bab6f3bb98500b430a59904a95060fccca |
memory/3572-128-0x00007FF7EA450000-0x00007FF7EA7A4000-memory.dmp
memory/2344-126-0x00007FF69C5B0000-0x00007FF69C904000-memory.dmp
C:\Windows\System\nreVmuG.exe
| MD5 | 320325f251515c77ad25a97a75ef049b |
| SHA1 | 363af2d0e1de7ebda16738c8d263dafd593b84ff |
| SHA256 | 3c00cee10b9093cc4621a7a99f81a0282cbb834f7461cfdaa7ec3c0c005dbc69 |
| SHA512 | 2fd00dabe1a18723f5ce747a2bc0097fe6f3dff38fb0c535ef8522afe6e7cadb0ef36ea2af7c6dcf880db53f5978d7893657f6de533233fdc502aca760b1fb8b |
memory/2356-133-0x00007FF7F8A60000-0x00007FF7F8DB4000-memory.dmp
memory/3184-134-0x00007FF682800000-0x00007FF682B54000-memory.dmp
memory/5080-135-0x00007FF6CB2C0000-0x00007FF6CB614000-memory.dmp
memory/2192-136-0x00007FF6A4230000-0x00007FF6A4584000-memory.dmp
memory/1448-137-0x00007FF6969E0000-0x00007FF696D34000-memory.dmp
memory/1100-138-0x00007FF6E9260000-0x00007FF6E95B4000-memory.dmp
memory/2160-139-0x00007FF7EF860000-0x00007FF7EFBB4000-memory.dmp
memory/4032-140-0x00007FF7ADBB0000-0x00007FF7ADF04000-memory.dmp
memory/1724-141-0x00007FF6F1AA0000-0x00007FF6F1DF4000-memory.dmp
memory/216-142-0x00007FF7A10A0000-0x00007FF7A13F4000-memory.dmp
memory/4844-143-0x00007FF792C20000-0x00007FF792F74000-memory.dmp
memory/4964-145-0x00007FF65CD70000-0x00007FF65D0C4000-memory.dmp
memory/1316-144-0x00007FF7299D0000-0x00007FF729D24000-memory.dmp
memory/2344-146-0x00007FF69C5B0000-0x00007FF69C904000-memory.dmp
memory/2468-147-0x00007FF774050000-0x00007FF7743A4000-memory.dmp
memory/2356-148-0x00007FF7F8A60000-0x00007FF7F8DB4000-memory.dmp
memory/2232-149-0x00007FF7C63D0000-0x00007FF7C6724000-memory.dmp
memory/4948-150-0x00007FF641270000-0x00007FF6415C4000-memory.dmp
memory/5080-152-0x00007FF6CB2C0000-0x00007FF6CB614000-memory.dmp
memory/4728-151-0x00007FF6A1D70000-0x00007FF6A20C4000-memory.dmp
memory/3400-153-0x00007FF7EEA40000-0x00007FF7EED94000-memory.dmp
memory/1448-154-0x00007FF6969E0000-0x00007FF696D34000-memory.dmp
memory/2192-155-0x00007FF6A4230000-0x00007FF6A4584000-memory.dmp
memory/1436-156-0x00007FF7003E0000-0x00007FF700734000-memory.dmp
memory/1100-157-0x00007FF6E9260000-0x00007FF6E95B4000-memory.dmp
memory/3572-158-0x00007FF7EA450000-0x00007FF7EA7A4000-memory.dmp
memory/3184-159-0x00007FF682800000-0x00007FF682B54000-memory.dmp
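Two things stand out in the listing: every dropped executable under C:\Windows\System has a different hash, yet every large memory region dumped from the resulting processes spans exactly the same number of bytes (for example 0x00007FF6F9C70000 to 0x00007FF6F9FC4000 is 0x354000 bytes, and so is 0x00007FF7EF860000 to 0x00007FF7EFBB4000), and several regions were dumped twice for the same PID. Identical mapped-image sizes across processes whose on-disk files hash differently is the pattern you would expect from one packed payload re-emitted with per-drop changes; the report itself does not state this, so verify it by unpacking two of the dumps and diffing them. The script below is an added example, not part of the report: it parses a constructed subset of the dump names and SHA256 rows copied from the listing, and it assumes the dump name format memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp from how the report writes the names, not from any documented schema.

```python
"""Correlate the memory dumps and dropped-file hashes listed under 'Files'.

Added example; not part of the original report. The dump names and SHA256
rows in FILES_LISTING are copied from the listing above; the name format
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is assumed from how the
report writes them, not from any documented schema.
"""
import re
from collections import defaultdict

# Constructed from the Files listing above (a subset of the entries).
FILES_LISTING = """
memory/1264-0-0x00007FF6F9C70000-0x00007FF6F9FC4000-memory.dmp
memory/1264-1-0x0000022EC2340000-0x0000022EC2350000-memory.dmp
C:\\Windows\\System\\dzHwvll.exe
| SHA256 | e8c5010b502d62aa2cae01e56a46e3f91a199bafdf7ca868dfaeb46ac8ab0b99 |
memory/2160-8-0x00007FF7EF860000-0x00007FF7EFBB4000-memory.dmp
C:\\Windows\\System\\tjyicQQ.exe
| SHA256 | c509934cc7cdaf6b145eeab2e8e2e4053d5571a7b88412e4fc5a36124cdbb830 |
memory/4032-14-0x00007FF7ADBB0000-0x00007FF7ADF04000-memory.dmp
memory/1264-62-0x00007FF6F9C70000-0x00007FF6F9FC4000-memory.dmp
memory/4032-77-0x00007FF7ADBB0000-0x00007FF7ADF04000-memory.dmp
memory/3184-159-0x00007FF682800000-0x00007FF682B54000-memory.dmp
"""

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)
SHA256_RE = re.compile(r"\|\s*SHA256\s*\|\s*([0-9a-f]{64})\s*\|")


def parse_dumps(text):
    """Return one dict per dump line with pid, seq, start, end and size."""
    dumps = []
    for m in DUMP_RE.finditer(text):
        start, end = int(m["start"], 16), int(m["end"], 16)
        dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                      "start": start, "end": end, "size": end - start})
    return dumps


def pids_by_region_size(dumps):
    """Map region size -> set of PIDs that had a region of exactly that size.

    The same size across many PIDs suggests the same image mapped in each
    process, even when the on-disk droppers hash differently.
    """
    groups = defaultdict(set)
    for d in dumps:
        groups[d["size"]].add(d["pid"])
    return groups


def repeated_regions(dumps):
    """Regions dumped more than once for one PID, keyed by (pid, start, end)."""
    seen = defaultdict(list)
    for d in dumps:
        seen[(d["pid"], d["start"], d["end"])].append(d["seq"])
    return {k: v for k, v in seen.items() if len(v) > 1}


def dropped_sha256s(text):
    """Distinct SHA256 values from the per-file hash tables."""
    return set(SHA256_RE.findall(text))


def summarize(text):
    """Headline numbers for triage: dump count, distinct drops, common size."""
    dumps = parse_dumps(text)
    sizes = pids_by_region_size(dumps)
    common = max(sizes, key=lambda s: len(sizes[s]))
    return {
        "dumps": len(dumps),
        "distinct_sha256": len(dropped_sha256s(text)),
        "common_size": common,
        "pids_with_common_size": len(sizes[common]),
        "re_dumped_regions": len(repeated_regions(dumps)),
    }


if __name__ == "__main__":
    s = summarize(FILES_LISTING)
    print(f"{s['dumps']} dumps, {s['distinct_sha256']} distinct dropped hashes")
    print(f"most common region size 0x{s['common_size']:X} in "
          f"{s['pids_with_common_size']} PIDs; "
          f"{s['re_dumped_regions']} regions dumped twice")
```

The 0x10000-byte region in PID 1264 (0x0000022EC2340000 to 0x0000022EC2350000) is the odd one out: a 64 KiB allocation rather than an image mapping. That is the dump to look at first when hunting for the reflective loader or beacon configuration the signatures above refer to, since the large regions are just the packed executable image repeated per process.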