Analysis Overview
SHA256
a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460
Threat Level: Known bad
The file a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460 was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Cobalt Strike reflective loader
Cobaltstrike family
Xmrig family
Cobaltstrike
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:58
Signatures
Cobalt Strike reflective loader
1 match (indicator, process and target columns empty in this export)
Cobaltstrike family
XMRig Miner payload
1 match (indicator, process and target columns empty in this export)
Xmrig family
UPX packed file
1 match (indicator, process and target columns empty in this export)
Unsigned PE
1 match (indicator, process and target columns empty in this export)
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 07:58
Reported
2024-06-01 08:01
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches (indicator, process and target columns empty in this export)
Cobaltstrike
xmrig
XMRig Miner payload
64 matches (indicator, process and target columns empty in this export)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\XhMEMJV.exe | N/A |
| N/A | N/A | C:\Windows\System\LynGdmX.exe | N/A |
| N/A | N/A | C:\Windows\System\CGDpPTk.exe | N/A |
| N/A | N/A | C:\Windows\System\ZxWEQRG.exe | N/A |
| N/A | N/A | C:\Windows\System\kGiVVCD.exe | N/A |
| N/A | N/A | C:\Windows\System\TfoqopQ.exe | N/A |
| N/A | N/A | C:\Windows\System\oxhFMXU.exe | N/A |
| N/A | N/A | C:\Windows\System\xUnMnxQ.exe | N/A |
| N/A | N/A | C:\Windows\System\YCEzDDb.exe | N/A |
| N/A | N/A | C:\Windows\System\DynDPzK.exe | N/A |
| N/A | N/A | C:\Windows\System\jMwJUqd.exe | N/A |
| N/A | N/A | C:\Windows\System\WqmfZcN.exe | N/A |
| N/A | N/A | C:\Windows\System\cLMbUKI.exe | N/A |
| N/A | N/A | C:\Windows\System\fCTcsmk.exe | N/A |
| N/A | N/A | C:\Windows\System\uYTPwmv.exe | N/A |
| N/A | N/A | C:\Windows\System\fqkorfq.exe | N/A |
| N/A | N/A | C:\Windows\System\hIcwodA.exe | N/A |
| N/A | N/A | C:\Windows\System\lUKebSW.exe | N/A |
| N/A | N/A | C:\Windows\System\zZEjaHp.exe | N/A |
| N/A | N/A | C:\Windows\System\pSGjtXk.exe | N/A |
| N/A | N/A | C:\Windows\System\LIrHUfP.exe | N/A |
UPX packed file
64 matches (indicator, process and target columns empty in this export)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe | N/A |
Suspicious use of WriteProcessMemory
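Three behaviours in this run are concrete enough to detect on a host: every dropped executable is written to C:\Windows\System\ with a random 7-letter name (the same pattern appears in the behavioral1 win7 run), the sample enables SeLockMemoryPrivilege (which is how XMRig requests large pages on Windows, and which few user-mode binaries outside database servers ever touch), and it connects repeatedly to 3.120.209.58:8080. Both family signatures (Cobalt Strike reflective loader, XMRig) fire with no indicator in this export, so a checker should key on the observed behaviours rather than on family attribution. The following is an added example, not part of the sandbox report: a small Python checker run over constructed Sysmon-style events. The event schema, the `sqlservr.exe` allow-list and the sample events are assumptions; only the paths, the privilege name and the endpoint come from the report.

```python
import re
from dataclasses import dataclass

# Behaviours lifted from this report (behavioral1 and behavioral2 show the same pattern):
#  - every dropped executable is C:\Windows\System\<7 letters>.exe
#  - the sample enables SeLockMemoryPrivilege (XMRig does this to get large pages)
#  - repeated TCP connections to 3.120.209.58:8080
DROPPED_EXE_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
C2_ENDPOINTS = {("3.120.209.58", 8080)}
# Images that legitimately hold SeLockMemoryPrivilege. Assumption: SQL Server is the
# usual legitimate user; tune this for the estate being monitored.
LOCKMEM_ALLOWLIST = {"sqlservr.exe"}

SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe"


@dataclass
class Event:
    """Minimal Sysmon-like event (assumed schema, not the sandbox's own)."""
    kind: str            # "process" | "file" | "privilege" | "network"
    image: str           # full path of the acting process (or the written file)
    detail: str = ""     # privilege name when kind == "privilege"
    dst_ip: str = ""
    dst_port: int = 0


def check_event(ev):
    """Return the alert names one event raises; an empty list means benign."""
    alerts = []
    if ev.kind in ("process", "file") and DROPPED_EXE_RE.match(ev.image):
        alerts.append("dropped_exe_in_windows_system")
    if ev.kind == "privilege" and ev.detail == "SeLockMemoryPrivilege":
        basename = ev.image.rsplit("\\", 1)[-1].lower()
        if basename not in LOCKMEM_ALLOWLIST:
            alerts.append("selockmemory_from_unexpected_process")
    if ev.kind == "network" and (ev.dst_ip, ev.dst_port) in C2_ENDPOINTS:
        alerts.append("known_c2_endpoint")
    return alerts


def triage(events):
    """Aggregate alerts per image path -> sorted list of alert names."""
    hits = {}
    for ev in events:
        for name in check_event(ev):
            hits.setdefault(ev.image, set()).add(name)
    return {image: sorted(names) for image, names in hits.items()}


# Constructed sample events modelled on the report; not real telemetry.
SAMPLE_EVENTS = [
    Event("process", SAMPLE_PATH),
    Event("privilege", SAMPLE_PATH, "SeLockMemoryPrivilege"),
    Event("network", SAMPLE_PATH, dst_ip="3.120.209.58", dst_port=8080),
    Event("network", SAMPLE_PATH, dst_ip="204.79.197.237", dst_port=443),  # Bing, benign
    Event("file", r"C:\Windows\System\XhMEMJV.exe"),
    Event("process", r"C:\Windows\system\geluIlq.exe"),                    # win7 run, lower-case dir
    Event("process", r"C:\Windows\System32\svchost.exe"),                  # System32, must not match
    Event("privilege", r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
          "SeLockMemoryPrivilege"),                                         # allow-listed
]

if __name__ == "__main__":
    for image, names in triage(SAMPLE_EVENTS).items():
        print(image, names)
```

The regex deliberately anchors on `C:\Windows\System\` (not `System32`), because that directory is almost never a legitimate drop target and the report shows 21 writes there in each run; the privilege rule is the one most likely to need local tuning.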
Processes
C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe
"C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe"
C:\Windows\System\XhMEMJV.exe
C:\Windows\System\XhMEMJV.exe
C:\Windows\System\LynGdmX.exe
C:\Windows\System\LynGdmX.exe
C:\Windows\System\CGDpPTk.exe
C:\Windows\System\CGDpPTk.exe
C:\Windows\System\ZxWEQRG.exe
C:\Windows\System\ZxWEQRG.exe
C:\Windows\System\kGiVVCD.exe
C:\Windows\System\kGiVVCD.exe
C:\Windows\System\TfoqopQ.exe
C:\Windows\System\TfoqopQ.exe
C:\Windows\System\oxhFMXU.exe
C:\Windows\System\oxhFMXU.exe
C:\Windows\System\xUnMnxQ.exe
C:\Windows\System\xUnMnxQ.exe
C:\Windows\System\YCEzDDb.exe
C:\Windows\System\YCEzDDb.exe
C:\Windows\System\DynDPzK.exe
C:\Windows\System\DynDPzK.exe
C:\Windows\System\jMwJUqd.exe
C:\Windows\System\jMwJUqd.exe
C:\Windows\System\WqmfZcN.exe
C:\Windows\System\WqmfZcN.exe
C:\Windows\System\cLMbUKI.exe
C:\Windows\System\cLMbUKI.exe
C:\Windows\System\fCTcsmk.exe
C:\Windows\System\fCTcsmk.exe
C:\Windows\System\uYTPwmv.exe
C:\Windows\System\uYTPwmv.exe
C:\Windows\System\fqkorfq.exe
C:\Windows\System\fqkorfq.exe
C:\Windows\System\hIcwodA.exe
C:\Windows\System\hIcwodA.exe
C:\Windows\System\lUKebSW.exe
C:\Windows\System\lUKebSW.exe
C:\Windows\System\zZEjaHp.exe
C:\Windows\System\zZEjaHp.exe
C:\Windows\System\pSGjtXk.exe
C:\Windows\System\pSGjtXk.exe
C:\Windows\System\LIrHUfP.exe
C:\Windows\System\LIrHUfP.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
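Most of this table is sandbox noise: PTR lookups, DNS queries to 8.8.8.8, and the Windows 10 image's own Bing traffic. Stripping that out leaves a single destination without any domain, 3.120.209.58:8080, contacted six times in 150 seconds; the behavioral1 win7 run, which generates no Bing traffic, shows only those six connections. The following is an added example, not part of the sandbox report: a Python triage of the table as pasted from this page. Treating `*.bing.com` / `*.bing.net` as background traffic is analyst judgement for this platform, not something the report states, and the parser also accepts exports that shift `proto` into the Domain column when the domain is empty.

```python
from collections import Counter

# The behavioral2 Network table of this report, pasted verbatim. Some exports of
# these tables shift "proto" into the Domain column when Domain is empty
# ("| DE | 3.120.209.58:8080 | tcp | |"); parse_row() accepts both layouts.
REPORT_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
"""

# Hostnames treated as the Windows 10 image's own background traffic.
# Assumption: analyst judgement for this platform, not something the report states.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")
PROTOS = {"tcp", "udp"}


def parse_row(line):
    """Split one '| ... |' row into a dict, tolerating a shifted or empty Domain cell."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3:
        return None
    rest = [c for c in cells[2:] if c]
    proto = next((c for c in rest if c.lower() in PROTOS), "")
    domain = next((c for c in rest if c.lower() not in PROTOS), "")
    return {"country": cells[0], "dst": cells[1], "domain": domain, "proto": proto}


def classify(row):
    """Bucket a connection: known noise first, anything left over is worth a look."""
    domain = row["domain"].lower()
    if domain.endswith(".in-addr.arpa"):
        return "reverse_dns"        # PTR lookups, noise for this triage
    if row["dst"].endswith(":53"):
        return "dns_query"
    if domain.endswith(BACKGROUND_SUFFIXES):
        return "background"
    return "unexplained"


def triage_network(table_text):
    """Return {category: Counter(destination -> connection count)}."""
    buckets = {}
    for line in table_text.splitlines():
        if not line.startswith("|") or line.startswith("| Country"):
            continue
        row = parse_row(line)
        if row is None:
            continue
        buckets.setdefault(classify(row), Counter())[row["dst"]] += 1
    return buckets


if __name__ == "__main__":
    for category, counts in triage_network(REPORT_ROWS).items():
        print(category, dict(counts))
```

The "unexplained" bucket is the one to act on: 3.120.209.58:8080 is the only destination the sample reaches without a DNS lookup, which is consistent with a hard-coded C2 or mining-proxy address rather than anything the OS would contact on its own.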
Files
memory/668-0-0x00007FF722AC0000-0x00007FF722E14000-memory.dmp
memory/668-1-0x000001EE271E0000-0x000001EE271F0000-memory.dmp
C:\Windows\System\XhMEMJV.exe
| MD5 | 4428f349f3bcfedd5c226f186649c0a4 |
| SHA1 | 0ea3ceacd4f4bb562d756ef160593b0780cf2b3a |
| SHA256 | a1a3ba87266187c08e13c09b3fea11186f6d615c09d02a06b2f592bcb92e22f2 |
| SHA512 | d6d4ff8168089ad223845247f618902c18d2dcf653673b433ad4fdc9ac7cfd0528568dc3e1fd461741dc087023b7a55d226df9154b744efe36bd83f50ce99d65 |
memory/3016-8-0x00007FF623E90000-0x00007FF6241E4000-memory.dmp
C:\Windows\System\LynGdmX.exe
| MD5 | 6e98bf200e05462e4fb227966a54ae33 |
| SHA1 | 2f6e4a5e71caf24cb6d57b7ad9a9f613641411c1 |
| SHA256 | fcbd5f34186b6f419b64f6eeedf3d375edd41760b5cce1f5c0687b58c3e51655 |
| SHA512 | 6fc1019df906e5103b1b54c1d1bd29110675891e72dc08f74dbb771e035ada355b8e807aa3de5ea467ce222d7e1a4f57d99671798825ca61dd03c6b438601af2 |
C:\Windows\System\ZxWEQRG.exe
| MD5 | 666f1d6fc6dda484be31704c47c36377 |
| SHA1 | 95a6f93e57befbab3c5440f7586a61def51e7458 |
| SHA256 | 72e0bc9e0c92813164a7c19049a986ce4ead1fd4b45f5b3345ac7913034c5ead |
| SHA512 | b3078d7979a8ade5bca8385c676b5e52e84e5903c984a382028b1b2fd4eb07b461fc13a3980062c01290d16c1c91b09d2282f0e316b7e721bbe31294a7d00486 |
C:\Windows\System\CGDpPTk.exe
| MD5 | ec455ec3b40e55f3d70d4942674bd6d8 |
| SHA1 | 3c1e8c13cb1807620efb1c23b9c8208919fbe211 |
| SHA256 | e8cf8ab5a07a28da8bd64bb88c95b20fa8cafa9f340ce0e53dcaeb438ab9dae2 |
| SHA512 | 40ce553526e46dcff0d7ea0e685ae5d98370662c39ce30b74423b0eae2f1ef7383dc2f45202d3d05cb201ecc431c92f59b8b4bcb9f5edfc8eb391b50db673b28 |
C:\Windows\System\kGiVVCD.exe
| MD5 | cdb4080aaf9494288fee03408a925579 |
| SHA1 | b6c13b6911822e46db15998984d2644ce0e9f167 |
| SHA256 | 359d63827d05bbd34e46b5c281c3112dfcc59818c84f9b0c11f2116b69eee76e |
| SHA512 | f0f06e1923fa01e9f3e136937c50f606fd3d723b83b859b0940ad41172d715198d72e4aeb4b31f2c84fb49cd92fbbb1eae68c4f2bc5622b8f5205cff5260a0e3 |
C:\Windows\System\TfoqopQ.exe
| MD5 | fe026ddb0b7fb81db7711c607c432017 |
| SHA1 | 8785c191f6573542bef299ea6f6048c61996847b |
| SHA256 | 48655dc68912813f7a378ebfcf131e3517383ee845fb9b228b1fc7b0eac3d5c7 |
| SHA512 | 436c1913eb4a677aedfa6a1c8305191ec516468eefaa840a1f02bc69b4f995ae6294f4093cb7b8140e1d722aa1ceb9b8db3c57b2ef1d99aa60e240ca1614c835 |
memory/1484-36-0x00007FF729180000-0x00007FF7294D4000-memory.dmp
memory/2324-30-0x00007FF721070000-0x00007FF7213C4000-memory.dmp
memory/5064-26-0x00007FF756040000-0x00007FF756394000-memory.dmp
memory/4472-21-0x00007FF662010000-0x00007FF662364000-memory.dmp
memory/224-19-0x00007FF787AF0000-0x00007FF787E44000-memory.dmp
C:\Windows\System\oxhFMXU.exe
| MD5 | 02bb371e4611d92839ba11bbc71fa784 |
| SHA1 | 80940dec226b824384d1eac61dd3530e863079a2 |
| SHA256 | 24c844ffa9d7e1e252da1d3abffc8722093c57c00dd98df166bc24ed174150f2 |
| SHA512 | e72e6168fcba211a35b6215686d329779e45d38e3d39ae98ee0be276c0939a6627b7562faf93d1563840ce9528823104197463baf67074198cefbdeef8fcf680 |
memory/2428-42-0x00007FF62D800000-0x00007FF62DB54000-memory.dmp
C:\Windows\System\YCEzDDb.exe
| MD5 | b62914619d5ab29baf65e2a1212538d1 |
| SHA1 | 3e68e7161288bac100ed9ec31884e55e19a8ef72 |
| SHA256 | 0ea5b35dbd7bc5e1d9ab62fdb20a6a72dd62c054071a74b9ed28455a4d18b1bf |
| SHA512 | 62cf7edaba0432c4fc0a6a8a3b88fcb09eac56a728307d4f99e194daa93dfd93b71e003b21df460708bf3d63f92bc22cb15c7643ffbacf4723f1ff5ae311de39 |
C:\Windows\System\DynDPzK.exe
| MD5 | 24ce87b5923640e79dbcd4b8aa7dc379 |
| SHA1 | 855c0373a285b148cb755998983894c7927a3a0d |
| SHA256 | 798a9a0ab38d38b431d9a35b3f9adac36b13df43f33c7550002de94b59cbfad9 |
| SHA512 | 4141efccc0d173a27bba5db8373da0c8bb929a778e7f08da9a8ee761784e53842a30b76c397f75013bf604830435c4fe2885f90dd5e20e02931151cf104bad05 |
C:\Windows\System\jMwJUqd.exe
| MD5 | 6aceb2771342f021992ca96096ab92f2 |
| SHA1 | 32081b5960cd8b909be9b419f869a30815de79dc |
| SHA256 | 7399a16ad6cf5666ba3791105ad0c8c9fa5c5795522eb71d490e6d9016239417 |
| SHA512 | a62a933de21126d4a9ed4088f95707735ac5b3ba8a62fa9567fdecf4b8ca5b72e30e366d2e18a92be0cb1d21d7b9ad400af4fad6310de273bfb7a03902003288 |
C:\Windows\System\WqmfZcN.exe
| MD5 | ef6e82236ef21f40ba20666d1070d608 |
| SHA1 | e1ec607b93707573e20393d419e83aad020c90b5 |
| SHA256 | 5f83f7ac9998012d5b59d574b213c8ea9528428361e969d6570b8f1c56a5c6a8 |
| SHA512 | c66dca47943b7b3a85551b80612339493865c9ce01eb3dea6120466e330508746616af40be161c204e6e4747db6f4d69d0f14599a210db3b5040474aa6e542b5 |
C:\Windows\System\cLMbUKI.exe
| MD5 | 0db7ef6680f114486bf65c650935b849 |
| SHA1 | c7a2018863d03bea1b8cdb81e1501c8b842269a6 |
| SHA256 | bc79a5759be2392229febd8103faa3f37926d59973c1fea028c737cd02dfcf4e |
| SHA512 | f5dcc2346d89748b67b15f76a50f0cfb0276038b53bb7bb1b465852f2f8de27843420ce8e6a5a1495a24f1e4c441a918b73aff3f46818db5da83d98dd602879e |
memory/5044-93-0x00007FF74F2E0000-0x00007FF74F634000-memory.dmp
C:\Windows\System\pSGjtXk.exe
| MD5 | 7a7334045611d10b5fce873a5c3bba3e |
| SHA1 | b4556c66abf9164730920950378de11fd5b21b7c |
| SHA256 | 2083af36f9e1b0ebbb40c87f679cd6e9c8a9f314a0a83528909e7aa05560e402 |
| SHA512 | 6de66b8f3668afd543c3d4d865fb884543926860a8b6aa441c723f767bffb1fb3cdc33801f8404e4fd46b1058e380a550aae3afe95feeb626f1f757c42467337 |
C:\Windows\System\zZEjaHp.exe
| MD5 | a05194d4cfcf7d4a611424f66040f8f4 |
| SHA1 | 783c42097e7da37e428045712378b1bf1e62c566 |
| SHA256 | 0a30bb4363276ab4c49aaf577b3cf82f06e9235ef4789c66386f9dc65c15028f |
| SHA512 | c4e7ba1424a54a7718f6a858ee0ad8eb02ac10aadd3e33b88bd3a2496129ca665a696e3054d0c5de37af449b5cd7e2dee16c337f9c3011716ae96a0af06a8e3a |
memory/668-121-0x00007FF722AC0000-0x00007FF722E14000-memory.dmp
memory/1184-127-0x00007FF6F9100000-0x00007FF6F9454000-memory.dmp
memory/1956-128-0x00007FF6A0D10000-0x00007FF6A1064000-memory.dmp
memory/1036-126-0x00007FF6193B0000-0x00007FF619704000-memory.dmp
C:\Windows\System\LIrHUfP.exe
| MD5 | 24e2159a1eef3e310502ae3b89b6dd7c |
| SHA1 | de8d78d51c3a882bf430ef33c4a2237efa2000e8 |
| SHA256 | 764f6b3aa7f7278f1e0b9b532261221c770834be1729c1e73d5e39abb100e655 |
| SHA512 | f58e392fd1ea29625766b731508b534eabec4640358c17e760107633941ffaddcc204d806a6de897b1aaf5e8ff5c9649dd1a66d693801273ead70b501effe69e |
memory/5092-123-0x00007FF623E20000-0x00007FF624174000-memory.dmp
memory/2904-122-0x00007FF61AD40000-0x00007FF61B094000-memory.dmp
memory/4868-120-0x00007FF6DD460000-0x00007FF6DD7B4000-memory.dmp
memory/1600-119-0x00007FF659770000-0x00007FF659AC4000-memory.dmp
memory/2580-114-0x00007FF6788F0000-0x00007FF678C44000-memory.dmp
C:\Windows\System\lUKebSW.exe
| MD5 | 19fc56cef76b96919e1e12a7ec97f7a5 |
| SHA1 | b3ac2cf72bc3d6d260ad21dde57e87e6dde70975 |
| SHA256 | 43938a27c3b94497444f7375360d96e76d7fca4933280757f1727c83f53e2581 |
| SHA512 | cfa5f3d972f916a77959e7ef14724d4bf3e4cdb1e170191e958b65765bf78f8c1a9576b391597f04b167280762dfb4383ad02d34166b2fe1ccca87e0b6a57feb |
C:\Windows\System\hIcwodA.exe
| MD5 | c27d55378fc58597e9acb56da42de778 |
| SHA1 | 6881944afebec77921f574ef62d04c6bad085446 |
| SHA256 | 80fe67420ab8ec0ea3e1b659e67e43be1584771d1ea8cd2542b49b052d88e811 |
| SHA512 | 73fba597ab599176604b62a16fafd447af505b991c783506b16d88facf652876e82cf5c49a93241908be3e96ad61e8fac53d7442346a0aaf1231bdf469c2f962 |
memory/4532-108-0x00007FF7960A0000-0x00007FF7963F4000-memory.dmp
memory/4792-105-0x00007FF62A920000-0x00007FF62AC74000-memory.dmp
C:\Windows\System\uYTPwmv.exe
| MD5 | 060c9fa9836472850a909aff1d76dde1 |
| SHA1 | 8e1203ccf6096e6130cf1d83238fc863af42757a |
| SHA256 | 9abbcb4d80a907d4c5b8830234be778081a7051c8f7f6a1c1566206a525d263a |
| SHA512 | 836a60c75bca3094b7a2d93c1d4efa3d77c7ffb5899a85cae3b58d16a608d4bfaa414e4732138c361852b20ac1242809f87b7e61a7f992917b8fa3c0113d396a |
C:\Windows\System\fqkorfq.exe
| MD5 | 6bd4d13159c29a7faa0c2359ab927a6b |
| SHA1 | e0428936b74d28e56d5d707d174601675815c2b7 |
| SHA256 | 6176682cf03468860e96b52b72dfd69654f680809cbc851fb25419531ccaf358 |
| SHA512 | 9f81a3f989087396f7135dba0d23352cf8dd1a2061a568c414d159e43ba0af159990611762520363f92a11b58bed2564c6028b7711264b4be34c66825af9b109 |
C:\Windows\System\fCTcsmk.exe
| MD5 | f04ba567b1415b9dbdec3800233092df |
| SHA1 | aee37f14150d3c35b04b2381f64527562da79a9c |
| SHA256 | 657d2e359936495484b39285123555f2201ca04bd0f0a9a4cbde6500cd6e2d70 |
| SHA512 | c33e81becac34347f628eb6b83246af9bd29b0992cfc7bad975ca62fd471bbad52bb99f086423ce2b5ff5db2805cd6c98da627d36958ac79aa39cb2d5654500f |
memory/2568-64-0x00007FF764960000-0x00007FF764CB4000-memory.dmp
memory/1060-59-0x00007FF6309A0000-0x00007FF630CF4000-memory.dmp
memory/4776-57-0x00007FF7423D0000-0x00007FF742724000-memory.dmp
C:\Windows\System\xUnMnxQ.exe
| MD5 | 136b53e90352f9ec74d1bf6dd7fb053f |
| SHA1 | b38a5e587afc62c387de4280c19a6d8447c40aad |
| SHA256 | 7bdc1ba3103eab5d39c17d5d18edb9dee1d93e5fe18ba1230857b6cafe23a2b3 |
| SHA512 | fee5df384e77d78fe9f9998b38f3f7a2c83dc60aabf7053ed468e6548c570b880651d15ed10e6989c0d5381a7b15ab85281eb7ae36de76732461e194477798ad |
memory/224-129-0x00007FF787AF0000-0x00007FF787E44000-memory.dmp
memory/4472-130-0x00007FF662010000-0x00007FF662364000-memory.dmp
memory/5064-131-0x00007FF756040000-0x00007FF756394000-memory.dmp
memory/2324-132-0x00007FF721070000-0x00007FF7213C4000-memory.dmp
memory/1484-133-0x00007FF729180000-0x00007FF7294D4000-memory.dmp
memory/2428-134-0x00007FF62D800000-0x00007FF62DB54000-memory.dmp
memory/2568-135-0x00007FF764960000-0x00007FF764CB4000-memory.dmp
memory/5044-136-0x00007FF74F2E0000-0x00007FF74F634000-memory.dmp
memory/1600-137-0x00007FF659770000-0x00007FF659AC4000-memory.dmp
memory/3016-138-0x00007FF623E90000-0x00007FF6241E4000-memory.dmp
memory/224-139-0x00007FF787AF0000-0x00007FF787E44000-memory.dmp
memory/4472-140-0x00007FF662010000-0x00007FF662364000-memory.dmp
memory/5064-141-0x00007FF756040000-0x00007FF756394000-memory.dmp
memory/2324-142-0x00007FF721070000-0x00007FF7213C4000-memory.dmp
memory/1484-143-0x00007FF729180000-0x00007FF7294D4000-memory.dmp
memory/2428-144-0x00007FF62D800000-0x00007FF62DB54000-memory.dmp
memory/4776-145-0x00007FF7423D0000-0x00007FF742724000-memory.dmp
memory/1060-146-0x00007FF6309A0000-0x00007FF630CF4000-memory.dmp
memory/2568-147-0x00007FF764960000-0x00007FF764CB4000-memory.dmp
memory/2904-148-0x00007FF61AD40000-0x00007FF61B094000-memory.dmp
memory/5044-149-0x00007FF74F2E0000-0x00007FF74F634000-memory.dmp
memory/5092-150-0x00007FF623E20000-0x00007FF624174000-memory.dmp
memory/4792-151-0x00007FF62A920000-0x00007FF62AC74000-memory.dmp
memory/2580-153-0x00007FF6788F0000-0x00007FF678C44000-memory.dmp
memory/4532-152-0x00007FF7960A0000-0x00007FF7963F4000-memory.dmp
memory/1036-155-0x00007FF6193B0000-0x00007FF619704000-memory.dmp
memory/4868-156-0x00007FF6DD460000-0x00007FF6DD7B4000-memory.dmp
memory/1600-154-0x00007FF659770000-0x00007FF659AC4000-memory.dmp
memory/1184-157-0x00007FF6F9100000-0x00007FF6F9454000-memory.dmp
memory/1956-158-0x00007FF6A0D10000-0x00007FF6A1064000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:58
Reported
2024-06-01 08:01
Platform
win7-20240221-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches (indicator, process and target columns empty in this export)
Cobaltstrike
xmrig
XMRig Miner payload
64 matches (indicator, process and target columns empty in this export)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\geluIlq.exe | N/A |
| N/A | N/A | C:\Windows\System\NHTOjgq.exe | N/A |
| N/A | N/A | C:\Windows\System\vZpePyu.exe | N/A |
| N/A | N/A | C:\Windows\System\HFPsaFX.exe | N/A |
| N/A | N/A | C:\Windows\System\prZFhqv.exe | N/A |
| N/A | N/A | C:\Windows\System\iYbGemJ.exe | N/A |
| N/A | N/A | C:\Windows\System\SoRBpko.exe | N/A |
| N/A | N/A | C:\Windows\System\JxDIeUs.exe | N/A |
| N/A | N/A | C:\Windows\System\XznAENg.exe | N/A |
| N/A | N/A | C:\Windows\System\DafljTl.exe | N/A |
| N/A | N/A | C:\Windows\System\yEpYpLO.exe | N/A |
| N/A | N/A | C:\Windows\System\WQZuZSV.exe | N/A |
| N/A | N/A | C:\Windows\System\nkRKkaa.exe | N/A |
| N/A | N/A | C:\Windows\System\EajQLTr.exe | N/A |
| N/A | N/A | C:\Windows\System\iAazqWr.exe | N/A |
| N/A | N/A | C:\Windows\System\ORtAdhq.exe | N/A |
| N/A | N/A | C:\Windows\System\fKCOKpq.exe | N/A |
| N/A | N/A | C:\Windows\System\dJrlzhv.exe | N/A |
| N/A | N/A | C:\Windows\System\GNxVNTw.exe | N/A |
| N/A | N/A | C:\Windows\System\afLUbMr.exe | N/A |
| N/A | N/A | C:\Windows\System\lxOQjEW.exe | N/A |
Loads dropped DLL
UPX packed file
60 matches (indicator, process and target columns empty in this export)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe
"C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe"
C:\Windows\System\geluIlq.exe
C:\Windows\System\geluIlq.exe
C:\Windows\System\NHTOjgq.exe
C:\Windows\System\NHTOjgq.exe
C:\Windows\System\vZpePyu.exe
C:\Windows\System\vZpePyu.exe
C:\Windows\System\HFPsaFX.exe
C:\Windows\System\HFPsaFX.exe
C:\Windows\System\prZFhqv.exe
C:\Windows\System\prZFhqv.exe
C:\Windows\System\iYbGemJ.exe
C:\Windows\System\iYbGemJ.exe
C:\Windows\System\SoRBpko.exe
C:\Windows\System\SoRBpko.exe
C:\Windows\System\JxDIeUs.exe
C:\Windows\System\JxDIeUs.exe
C:\Windows\System\XznAENg.exe
C:\Windows\System\XznAENg.exe
C:\Windows\System\DafljTl.exe
C:\Windows\System\DafljTl.exe
C:\Windows\System\yEpYpLO.exe
C:\Windows\System\yEpYpLO.exe
C:\Windows\System\WQZuZSV.exe
C:\Windows\System\WQZuZSV.exe
C:\Windows\System\nkRKkaa.exe
C:\Windows\System\nkRKkaa.exe
C:\Windows\System\EajQLTr.exe
C:\Windows\System\EajQLTr.exe
C:\Windows\System\iAazqWr.exe
C:\Windows\System\iAazqWr.exe
C:\Windows\System\ORtAdhq.exe
C:\Windows\System\ORtAdhq.exe
C:\Windows\System\fKCOKpq.exe
C:\Windows\System\fKCOKpq.exe
C:\Windows\System\dJrlzhv.exe
C:\Windows\System\dJrlzhv.exe
C:\Windows\System\GNxVNTw.exe
C:\Windows\System\GNxVNTw.exe
C:\Windows\System\afLUbMr.exe
C:\Windows\System\afLUbMr.exe
C:\Windows\System\lxOQjEW.exe
C:\Windows\System\lxOQjEW.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1288-0-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/1288-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\geluIlq.exe
| MD5 | f9ddcf1402f320c28bbfa6e3ff0f6e01 |
| SHA1 | 08d3538dd07d4f6a57041673509b8e246c572bf0 |
| SHA256 | b8f4a7d83a27a71fb92f1db14014f1dd79c6bef5bf7babd3296eddd275a144fa |
| SHA512 | 853af82f127af753f98eefd05046db3b593d7cdb98de69853cba6f17ea14a06f9aceb1d4145b216d377e5cdc544e7d7adf651bfdb5f005a7b20e1d118ebd0c1a |
memory/112-8-0x000000013F4E0000-0x000000013F834000-memory.dmp
\Windows\system\NHTOjgq.exe
| MD5 | fc6115a909d50504d71e22e0aedf2e62 |
| SHA1 | e3e3d6d0d3bb5ec74d1833133e51525ba96d0d8f |
| SHA256 | de3f4678c05705ba3c7a9ac20fc5dfc016080b42b24cf127a42f431ee7d4fac6 |
| SHA512 | 58cfcff56a51b589cde9ec35f382a6a68e4d305fbbc61fd461649062ff7fcdf3c8ff7e3ee596c75b4b301e8f8283a72d02de38c70271cb9d471d5d93a240a8d0 |
memory/1288-13-0x0000000002590000-0x00000000028E4000-memory.dmp
C:\Windows\system\vZpePyu.exe
| MD5 | 78acbc1600a562158969ca08c73dfbc5 |
| SHA1 | 187f275b59f8b4c170c8f94a4cb11b03793de13e |
| SHA256 | e0cb0ffba5cc54907e5258cddb32d11cde2fb8ccef78e139619388ad88990f17 |
| SHA512 | d4f6e702f41ab138f1c116b8363dfc8a1d27b095be2a48a6674d2950df0c04270158c59e101eb8215be1025ce0747401538823731f6cde41ddcea3be0b3b6547 |
memory/2972-19-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/1288-22-0x0000000002590000-0x00000000028E4000-memory.dmp
memory/2580-21-0x000000013FF40000-0x0000000140294000-memory.dmp
\Windows\system\HFPsaFX.exe
| MD5 | 2e1e2ac82db572cb049958c36faeacd3 |
| SHA1 | 1422ffa93a823825841ae4563fcc560ffe9cafdd |
| SHA256 | baad3482075ad0e29654e9c843dbc837f227238b556a8505e01830e6dd52fe32 |
| SHA512 | 15e22a367cdcc3d4df8f346110efcd27acc8d38f9f399b8b9f5d1e8dd1eca4821464d539fd47fda1599d600f9755dea37e3d5205f7e5367813fab1be70e06ac6 |
memory/1288-28-0x0000000002590000-0x00000000028E4000-memory.dmp
C:\Windows\system\prZFhqv.exe
| MD5 | 58fc3055fb119721853684905caa3531 |
| SHA1 | b315e46a7a9d5f3894475b0afac3dd39f46db67b |
| SHA256 | 448cf9acca4e77352ac8ba3b702e617099b913206e127ccfbcfc287e4264b9df |
| SHA512 | 495b545c5c3267faff6e783d06ef4ea9456e730703682e772857d159845e2617f7f8430487fe15ada56b4f638650c7e0312c42acb0a2455fe4142c2fd80b11f1 |
memory/1288-33-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
C:\Windows\system\iYbGemJ.exe
| MD5 | e49f0b69b21debbf5cb90a2d2f129db9 |
| SHA1 | cc86447eb346f623bd40182dc5cd010a865d774b |
| SHA256 | 19aa09095ecc4efea439e3388d7cca0a9287e14c795e8d31617610d3ce34efac |
| SHA512 | 8c6f7897235c076a001fd6d447f8b3e349232aab606a5c07140703971e1de37cc3b3d05a5e4131b469615e988a8b215d015ac224114107bc8e9c0a064e9fa716 |
memory/1288-41-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2584-42-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2556-35-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2728-30-0x000000013FEE0000-0x0000000140234000-memory.dmp
\Windows\system\JxDIeUs.exe
| MD5 | 0bdfd2ebf4c802ff3227d81ecf9d7bbd |
| SHA1 | 27334b0834125bdf9816db0eedefe5fd51d0c4e0 |
| SHA256 | 3c81ee233bb311577d320cb7ffa31e2aa9b7cd04384d4ca6a8089c13f7cdafb6 |
| SHA512 | 7ad3beabc642a08e29c61603cf7b4b710b6c62294390792d6abc684d0a4d69bbba7f85e60d450b8c1589deb2ad8ac91e94fad7126fa35057058f670e4a8ed761 |
memory/2600-54-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/112-55-0x000000013F4E0000-0x000000013F834000-memory.dmp
\Windows\system\SoRBpko.exe
| MD5 | d0acf1e23c76eddc4a0b8eff410d5aed |
| SHA1 | 295515574c3e43dae33d62b7c5a1e6e027577382 |
| SHA256 | 4c072371b9bd818840fa4fa4ae63f57397913411e75702599f5cf29671f0b40d |
| SHA512 | bbc420a4620799c6951d2c1f946dafc4778f665773ffdcb2fe26f60071959050b431acd3e5afb09e136a8c68f015be0c1c6ae42825a7d687b7eea79b8d76492f |
memory/1288-46-0x000000013FC80000-0x000000013FFD4000-memory.dmp
C:\Windows\system\XznAENg.exe
| MD5 | 59a21a1a8cdae00cb1d441f8e4a487c2 |
| SHA1 | 8ed713e0563ef966f498a143af7641252eab765f |
| SHA256 | a75661e80c45191dba3e0d87e06c32b199ea90edceaba7766fa6f06f8c47fe8a |
| SHA512 | 7d8314477bcbfdc258dddc80dd787054e6f32738633f39d6dc87ed8c6475b2b867dc5912806fa440da37196a15f0e2711cee90feda563960f7f419ce4a03a6c4 |
memory/2420-62-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/2500-70-0x000000013F170000-0x000000013F4C4000-memory.dmp
\Windows\system\WQZuZSV.exe
| MD5 | 5328eda9e00a8e19fef5108aa50e2e25 |
| SHA1 | 58ac03687ef3c7c609804519138efd626b8393a4 |
| SHA256 | beee53996ca892a884380270c71ca403b35a1123eaba6a6984cef5c8032c7583 |
| SHA512 | 389988add923a06176006457621d81d29c317066f74e403b9359f31814232d734bb87cfb26fb0785d92b1aa65fe2db9da57aa16180916fd33fa91d7739c7ebfe |
memory/240-84-0x000000013FA30000-0x000000013FD84000-memory.dmp
\Windows\system\lxOQjEW.exe
| MD5 | fe724e4de76d02341b5bcd42aead1c6b |
| SHA1 | 85d4ea75500b73e70a2fee6e0176a218fec3dfd3 |
| SHA256 | ec7f6a1f01c571d9b41836c228537256396e8edda2cd077d47408db6a064653e |
| SHA512 | 8758a48efd285bd57cc9999b62ddd0bdbbfe360c4cf2c43251027f0105cc79112ae46b758be410ea59f6eef8ef42030476a9a959aa716a492cfca303bd943d50 |
C:\Windows\system\afLUbMr.exe
| MD5 | edb17b8afa57d5faad271692b9a15bcf |
| SHA1 | 25eee526146e8bf374734060ebf5f1c70563c523 |
| SHA256 | 530bc547d10b5188354e0b92166b8509f4d86fcbf14cc20996800eb35376572c |
| SHA512 | 15d5a348295fb58b6b57da96822d34aa52f76b0a146652c25753b1d1f51bd1df530043aa216b74d16e2fed2c1d99acb77fe3e8e6c64f7691306a30e1bee94a19 |
C:\Windows\system\GNxVNTw.exe
| MD5 | 1c072a24cd15bda13a47a27bf73509c3 |
| SHA1 | 9fb7a4c68cfec91566762d1d7d112400c01c0d48 |
| SHA256 | b5b41ef1292fb8f6a14773dec92db2e932e9d818dcf1e30521819034335b04dd |
| SHA512 | a04206736f7e4f007e67d65c2206af90a25573ef96c8baa3983e5f265008ef08703ceb73914edb163cdd8a1543f20e7a6abf0b9abb53323423c85eb3946c1a98 |
C:\Windows\system\dJrlzhv.exe
| MD5 | 7189debec6d1ddbd027205217343fa63 |
| SHA1 | 100aeec594252e29ee65479cdc980c3e5c9d72e3 |
| SHA256 | 7ab8e042e1d96baaecaab2a91c496cbc9186e130c88340472fa9e736407f5ba4 |
| SHA512 | 15a50f6525d8e1aa555e4b80bdcba9d1469b20340de4cefff4faa14f196659d1a4e67b228812f8e396f2632d773ac82a9c77db6881f189fc73f78ca3b2b95559 |
C:\Windows\system\fKCOKpq.exe
| MD5 | 301eb6b43de6e45be1e40f8632811873 |
| SHA1 | 7538474183d1bf0b2ae835e4dcb2203b27283b28 |
| SHA256 | 01da1896e648e310f9615356f1e776dbb6406e4094a8639f56a97ae161122021 |
| SHA512 | 4c4b4e9dea549cb910ff8fbff377d1ab7da9547fa782302fcb6ee9a8daa05cbd607952b819baa2527aabc0c69f42e02c6e8ce5e47c5561cd9ebb341ec91acad2 |
memory/2600-135-0x000000013FAE0000-0x000000013FE34000-memory.dmp
C:\Windows\system\ORtAdhq.exe
| MD5 | 7c0a506e02ef0dff5f6252200cae92a3 |
| SHA1 | a8d2ce39ed2696d2407e03e96c7d9a9f695c2853 |
| SHA256 | d6ec5145250b726445ccf1bb8e01617485c9cfc9fec9e4427ffeecdae2e348fa |
| SHA512 | b03c7c0ff833bd79aecddd316e075796d7dc187672ba5fdda20e94aa2a984c616523cc6604b4e626900f23db1e2300362e353b7304653352fbf7c5a44bc77f3e |
memory/1288-104-0x0000000002590000-0x00000000028E4000-memory.dmp
C:\Windows\system\iAazqWr.exe
| MD5 | 2f648cb2ca74ff2169a99ccb89555706 |
| SHA1 | a0e649133ad1bab143cee8c5f1d8bc80ee98172e |
| SHA256 | d06997edd768dce340617b95cf2e8e828778612a36f9c26c0d1fa6a04913e70a |
| SHA512 | 34452691912d407fc0a826241b30d37b9d27fd950abec86f34244507f27742fd5d87c7e3713d5487b4b4a18fa6d21d7ba70e91532b387e0158e91138bf237b26 |
memory/2360-97-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/1288-96-0x0000000002590000-0x00000000028E4000-memory.dmp
C:\Windows\system\EajQLTr.exe
| MD5 | e747c151eb1c0ed322aac376ac211908 |
| SHA1 | d0fa23450ec2ad586c8d5ed460f1ca054a783472 |
| SHA256 | f593dd08d99e1a039543f3f14d388c1a3390a3dde6811cef3ccb3db259b972fa |
| SHA512 | 645d26994a1754d381bcefe3eec6f2267684a49eb1c4103c770d7c4717919198f71648f121fa6154f1c8b600891c63ada4e7639f6386d9c1a329907dfa363030 |
memory/1544-91-0x000000013F190000-0x000000013F4E4000-memory.dmp
C:\Windows\system\nkRKkaa.exe
| MD5 | 93db8804ef22d5573206ef0443d0cc5e |
| SHA1 | 6b06f430ec044d9ce2f6b28a05cdc932090d288f |
| SHA256 | e35e6db1cca73ffd4325b4ce329ce74c977c8852309ad5087449d38786cd6c54 |
| SHA512 | c8398a0cb350ee97d68cdad110063dbbaec0629ae72d43abff9d8c3b5b9060b905a2b57e47fd84feb99e4ea14eaaba8c8f27339291b12c8ab4a13715eea52aae |
memory/3040-76-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/1288-75-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2556-83-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/1288-80-0x0000000002590000-0x00000000028E4000-memory.dmp
C:\Windows\system\yEpYpLO.exe
| MD5 | 7e92e954a24e0753252e45584ed8842c |
| SHA1 | d57c637b8eca30a573ef55e0d6efe7a83039fca7 |
| SHA256 | b8cae56b8e4e32500a183a8f9b76a0cf15b362403c56039af954b1bbf62f122f |
| SHA512 | cb7be0d8269e4fa7228c6407a04279a9250186d234bbe1112b9c2fe5287aa1b96972a26afc89b77a055831ebaf527eaa063a1641ac7c0d401a7607443d24d904 |
memory/1288-61-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/1288-69-0x000000013F170000-0x000000013F4C4000-memory.dmp
C:\Windows\system\DafljTl.exe
| MD5 | b741662cd8e6fde7e1e9196980765e87 |
| SHA1 | 8a421ea71f1f600be3b9aa5ec8aa3862240753b0 |
| SHA256 | 79db05f8f65d2d05783f29bb03a7dc3adfc7ce9d41f0cee53e099f8c382231de |
| SHA512 | f598fc9d537a96540c744fdd0f55588f201449ad6ae2976183e077e84885ed0fd356bf5a432481f9c8438062fe3bfee5f1cebda86309f8c73197dfdb13a0c2e7 |
memory/2560-57-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2420-137-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/1288-136-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/1288-138-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/2500-139-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/1288-140-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/3040-141-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/1288-142-0x0000000002590000-0x00000000028E4000-memory.dmp
memory/240-143-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/1544-144-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/1288-145-0x0000000002590000-0x00000000028E4000-memory.dmp
memory/2360-146-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/112-147-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2972-148-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2580-149-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2728-150-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2584-151-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2560-152-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2556-154-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2600-153-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2420-155-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/2500-156-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/3040-157-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/240-158-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/1544-159-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/2360-160-0x000000013FF20000-0x0000000140274000-memory.dmp
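The listing above is raw sandbox output: each dropped file is followed by its hash rows, interleaved with memory-dump names of the form `memory/<pid>-<index>-<start>-<end>-memory.dmp`. The following Python parser is an added example, not part of the sandbox report or its tooling; it turns that listing into structured IOCs (file path plus validated digests, and memory regions grouped by PID), and it assumes only the line formats visible above. The sample input is a constructed, abridged copy of a few entries from the listing plus one deliberately truncated hash row, so that the length check on digests is exercised offline.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the dropped-file listing above,
# abridged, plus one deliberately truncated SHA512 row (not on the page)
# to show how garbled hash rows are kept out of the hunting set.
SAMPLE_REPORT = r"""
memory/1288-28-0x0000000002590000-0x00000000028E4000-memory.dmp
C:\Windows\system\prZFhqv.exe
| MD5 | 58fc3055fb119721853684905caa3531 |
| SHA1 | b315e46a7a9d5f3894475b0afac3dd39f46db67b |
| SHA256 | 448cf9acca4e77352ac8ba3b702e617099b913206e127ccfbcfc287e4264b9df |
| SHA512 | 495b545c5c3267faff6e783d06ef4ea9456e730703682e772857d159845e2617f7f8430487fe15ada56b4f638650c7e0312c42acb0a2455fe4142c2fd80b11f1 |
memory/1288-33-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
\Windows\system\JxDIeUs.exe
| MD5 | 0bdfd2ebf4c802ff3227d81ecf9d7bbd |
| SHA1 | 27334b0834125bdf9816db0eedefe5fd51d0c4e0 |
| SHA256 | 3c81ee233bb311577d320cb7ffa31e2aa9b7cd04384d4ca6a8089c13f7cdafb6 |
| SHA512 | deadbeef |
memory/2728-30-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2556-35-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
"""

# Line shapes as they appear in the report (assumed to be exact).
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\[^|]+\.(?:exe|dll)$", re.IGNORECASE)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
EXPECTED_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Return (files, regions): dropped files with their hashes, and memory regions."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx = int(m[1]), int(m[2])
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": pid, "index": idx, "start": start,
                            "end": end, "size": end - start})
            continue
        if PATH_RE.match(line):
            # A path line opens a new file record; hash rows that follow attach to it.
            current = {"path": line, "hashes": {}, "malformed": []}
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m[1], m[2].lower()
            if len(digest) != EXPECTED_HEX_LEN[algo]:
                # Extraction-truncated or garbled row: never hunt on a partial digest.
                current["malformed"].append(algo)
            else:
                current["hashes"][algo] = digest
    return files, regions


def hunt_set(files, algo="SHA256"):
    """Digests safe to feed to EDR/SIEM hash hunting (malformed rows excluded)."""
    return {f["hashes"][algo] for f in files if algo in f["hashes"]}


def region_sizes(regions):
    """Distinct region sizes; a single value means every dump is the same-size image."""
    return {r["size"] for r in regions}


def regions_by_pid(regions):
    by_pid = defaultdict(list)
    for r in regions:
        by_pid[r["pid"]].append(r)
    return dict(by_pid)


def shared_mappings(regions):
    """(start, end) windows seen in more than one PID: the same image mapped again."""
    seen = defaultdict(set)
    for r in regions:
        seen[(r["start"], r["end"])].add(r["pid"])
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    files, regions = parse_report(SAMPLE_REPORT)
    for f in files:
        print(f["path"], f["hashes"].get("SHA256"), "malformed:", f["malformed"])
    print("region sizes:", [hex(s) for s in region_sizes(regions)])
    print("pids:", sorted(regions_by_pid(regions)))
    print("shared mappings:", {(hex(a), hex(b)): sorted(p)
                               for (a, b), p in shared_mappings(regions).items()})
```

Run over the full listing, `region_sizes` collapses to a single value (every dump above spans 0x354000 bytes) and `shared_mappings` reports the same address windows recurring across PIDs 1288, 2556, 2420, 2500, 3040 and the rest, which is what one expects when each dropped copy is the same image started again rather than a different payload. Two practitioner caveats: the report mixes `C:\Windows\system\...` and `\Windows\system\...` for the same directory, so normalise paths before deduplicating; and `C:\Windows\system` is a legacy directory that legitimate software rarely writes to, so new unsigned executables appearing there are a usable hunting signal on their own, independent of the hashes.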