Analysis Overview
SHA256
dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e
Threat Level: Known bad
The file dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Xmrig family
XMRig Miner payload
Cobaltstrike family
Cobaltstrike
xmrig
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 10:28
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 10:28
Reported
2024-06-01 10:31
Platform
win7-20240221-en
Max time kernel
125s
Max time network
139s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\VXZfuLw.exe | N/A |
| N/A | N/A | C:\Windows\System\WVaiwlM.exe | N/A |
| N/A | N/A | C:\Windows\System\QfJrFqy.exe | N/A |
| N/A | N/A | C:\Windows\System\hUHZzmT.exe | N/A |
| N/A | N/A | C:\Windows\System\LAoWqJc.exe | N/A |
| N/A | N/A | C:\Windows\System\GscKezA.exe | N/A |
| N/A | N/A | C:\Windows\System\AvSFvpT.exe | N/A |
| N/A | N/A | C:\Windows\System\gMdJBZn.exe | N/A |
| N/A | N/A | C:\Windows\System\jWlGbmB.exe | N/A |
| N/A | N/A | C:\Windows\System\UdrpbAQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ETUyPaU.exe | N/A |
| N/A | N/A | C:\Windows\System\izwNejn.exe | N/A |
| N/A | N/A | C:\Windows\System\zigtDOs.exe | N/A |
| N/A | N/A | C:\Windows\System\CLNdIKt.exe | N/A |
| N/A | N/A | C:\Windows\System\pxmQbiM.exe | N/A |
| N/A | N/A | C:\Windows\System\DKvVXtL.exe | N/A |
| N/A | N/A | C:\Windows\System\xYAHcDn.exe | N/A |
| N/A | N/A | C:\Windows\System\SIuvKXs.exe | N/A |
| N/A | N/A | C:\Windows\System\mnCsKJU.exe | N/A |
| N/A | N/A | C:\Windows\System\vUlgIpo.exe | N/A |
| N/A | N/A | C:\Windows\System\GPHUkpG.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe | "C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe" |
| C:\Windows\System\VXZfuLw.exe | C:\Windows\System\VXZfuLw.exe |
| C:\Windows\System\WVaiwlM.exe | C:\Windows\System\WVaiwlM.exe |
| C:\Windows\System\QfJrFqy.exe | C:\Windows\System\QfJrFqy.exe |
| C:\Windows\System\hUHZzmT.exe | C:\Windows\System\hUHZzmT.exe |
| C:\Windows\System\LAoWqJc.exe | C:\Windows\System\LAoWqJc.exe |
| C:\Windows\System\GscKezA.exe | C:\Windows\System\GscKezA.exe |
| C:\Windows\System\AvSFvpT.exe | C:\Windows\System\AvSFvpT.exe |
| C:\Windows\System\gMdJBZn.exe | C:\Windows\System\gMdJBZn.exe |
| C:\Windows\System\jWlGbmB.exe | C:\Windows\System\jWlGbmB.exe |
| C:\Windows\System\UdrpbAQ.exe | C:\Windows\System\UdrpbAQ.exe |
| C:\Windows\System\ETUyPaU.exe | C:\Windows\System\ETUyPaU.exe |
| C:\Windows\System\izwNejn.exe | C:\Windows\System\izwNejn.exe |
| C:\Windows\System\zigtDOs.exe | C:\Windows\System\zigtDOs.exe |
| C:\Windows\System\CLNdIKt.exe | C:\Windows\System\CLNdIKt.exe |
| C:\Windows\System\pxmQbiM.exe | C:\Windows\System\pxmQbiM.exe |
| C:\Windows\System\SIuvKXs.exe | C:\Windows\System\SIuvKXs.exe |
| C:\Windows\System\DKvVXtL.exe | C:\Windows\System\DKvVXtL.exe |
| C:\Windows\System\vUlgIpo.exe | C:\Windows\System\vUlgIpo.exe |
| C:\Windows\System\xYAHcDn.exe | C:\Windows\System\xYAHcDn.exe |
| C:\Windows\System\GPHUkpG.exe | C:\Windows\System\GPHUkpG.exe |
| C:\Windows\System\mnCsKJU.exe | C:\Windows\System\mnCsKJU.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 10:28
Reported
2024-06-01 10:31
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\IxgCgIi.exe | N/A |
| N/A | N/A | C:\Windows\System\AdAbnIE.exe | N/A |
| N/A | N/A | C:\Windows\System\xMoXxsm.exe | N/A |
| N/A | N/A | C:\Windows\System\ZMkbUfR.exe | N/A |
| N/A | N/A | C:\Windows\System\ygIqRnp.exe | N/A |
| N/A | N/A | C:\Windows\System\xqKHSUD.exe | N/A |
| N/A | N/A | C:\Windows\System\MLlYjmy.exe | N/A |
| N/A | N/A | C:\Windows\System\KUbRFAp.exe | N/A |
| N/A | N/A | C:\Windows\System\jpDpuDu.exe | N/A |
| N/A | N/A | C:\Windows\System\ISizzjE.exe | N/A |
| N/A | N/A | C:\Windows\System\TIwTHCo.exe | N/A |
| N/A | N/A | C:\Windows\System\izWHqSx.exe | N/A |
| N/A | N/A | C:\Windows\System\hBLqSsg.exe | N/A |
| N/A | N/A | C:\Windows\System\thrKkxg.exe | N/A |
| N/A | N/A | C:\Windows\System\CoDiejo.exe | N/A |
| N/A | N/A | C:\Windows\System\iBwWZtp.exe | N/A |
| N/A | N/A | C:\Windows\System\ozIVfEi.exe | N/A |
| N/A | N/A | C:\Windows\System\yiaYTBJ.exe | N/A |
| N/A | N/A | C:\Windows\System\xKzIGhO.exe | N/A |
| N/A | N/A | C:\Windows\System\FRcNFDu.exe | N/A |
| N/A | N/A | C:\Windows\System\sNeMvRw.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe | "C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe" |
| C:\Windows\System\IxgCgIi.exe | C:\Windows\System\IxgCgIi.exe |
| C:\Windows\System\AdAbnIE.exe | C:\Windows\System\AdAbnIE.exe |
| C:\Windows\System\xMoXxsm.exe | C:\Windows\System\xMoXxsm.exe |
| C:\Windows\System\ZMkbUfR.exe | C:\Windows\System\ZMkbUfR.exe |
| C:\Windows\System\ygIqRnp.exe | C:\Windows\System\ygIqRnp.exe |
| C:\Windows\System\xqKHSUD.exe | C:\Windows\System\xqKHSUD.exe |
| C:\Windows\System\MLlYjmy.exe | C:\Windows\System\MLlYjmy.exe |
| C:\Windows\System\KUbRFAp.exe | C:\Windows\System\KUbRFAp.exe |
| C:\Windows\System\jpDpuDu.exe | C:\Windows\System\jpDpuDu.exe |
| C:\Windows\System\ISizzjE.exe | C:\Windows\System\ISizzjE.exe |
| C:\Windows\System\TIwTHCo.exe | C:\Windows\System\TIwTHCo.exe |
| C:\Windows\System\izWHqSx.exe | C:\Windows\System\izWHqSx.exe |
| C:\Windows\System\hBLqSsg.exe | C:\Windows\System\hBLqSsg.exe |
| C:\Windows\System\thrKkxg.exe | C:\Windows\System\thrKkxg.exe |
| C:\Windows\System\CoDiejo.exe | C:\Windows\System\CoDiejo.exe |
| C:\Windows\System\iBwWZtp.exe | C:\Windows\System\iBwWZtp.exe |
| C:\Windows\System\ozIVfEi.exe | C:\Windows\System\ozIVfEi.exe |
| C:\Windows\System\yiaYTBJ.exe | C:\Windows\System\yiaYTBJ.exe |
| C:\Windows\System\xKzIGhO.exe | C:\Windows\System\xKzIGhO.exe |
| C:\Windows\System\FRcNFDu.exe | C:\Windows\System\FRcNFDu.exe |
| C:\Windows\System\sNeMvRw.exe | C:\Windows\System\sNeMvRw.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3216-109-0x00007FF7033D0000-0x00007FF703724000-memory.dmp
C:\Windows\System\xKzIGhO.exe
| MD5 | 121f79cc29303e7c5cf9ea6bd2254c52 |
| SHA1 | ea7e42e6b36493c594c26cce122a1a2d4a2bc19c |
| SHA256 | 1e71adf317d9e45ac8472ed13c61c19a7d51d583d3853b1dabfc059d7c1a7933 |
| SHA512 | 132d742ff56a35206da1371ba79d45497b7f928e63088a48e88e1a9874514ac3000984898d401fb60084b1ca20cf37657eb6fca335279eff0cfe8a2a12f0404b |
C:\Windows\System\FRcNFDu.exe
| MD5 | 225521f2e35165c16f8801fd1424332f |
| SHA1 | 19e6e5199c96fafd46a7a4f6d77fef69ae37f4aa |
| SHA256 | b405f763f86fe287216996605b3328e394e1732d54291733bd2b505a80710ebd |
| SHA512 | 1956d5cc8c0cf0521ced9126d4f23f375e71fe55e249939c1eb7e060a7aae9416d10c5d8721518a457858a9faf2874833e4fc3b9813c1902c0fe5d259759881e |
C:\Windows\System\sNeMvRw.exe
| MD5 | 0db59a3f478755767e5f5cc2293cf76f |
| SHA1 | ff496500aceff11f53a534cc1fff81c2c7956f23 |
| SHA256 | 5dd141fd8d557d1f76e52254c495a5896f886719aaa890702031109dfe42269b |
| SHA512 | ff5af015e2f8512f46b60bb1a559c4f9b0fbe4eacc36f4eb7291554591c3db49db33c8dc4d9ea7da4551d8cb99cc2846cc3bf1d113306672a272a2fab1d0bf22 |
memory/3620-121-0x00007FF711160000-0x00007FF7114B4000-memory.dmp
memory/3412-134-0x00007FF7C21D0000-0x00007FF7C2524000-memory.dmp
memory/3776-133-0x00007FF714910000-0x00007FF714C64000-memory.dmp
memory/2592-135-0x00007FF7F5D80000-0x00007FF7F60D4000-memory.dmp
memory/4216-132-0x00007FF662950000-0x00007FF662CA4000-memory.dmp
memory/1732-131-0x00007FF63C7F0000-0x00007FF63CB44000-memory.dmp
memory/2120-136-0x00007FF6EF110000-0x00007FF6EF464000-memory.dmp
memory/2940-137-0x00007FF7BD0B0000-0x00007FF7BD404000-memory.dmp
memory/4972-138-0x00007FF61BD90000-0x00007FF61C0E4000-memory.dmp
memory/4864-139-0x00007FF64AF20000-0x00007FF64B274000-memory.dmp
memory/3600-140-0x00007FF72A5D0000-0x00007FF72A924000-memory.dmp
memory/1952-141-0x00007FF7AC170000-0x00007FF7AC4C4000-memory.dmp
memory/1184-142-0x00007FF69B1D0000-0x00007FF69B524000-memory.dmp
memory/1548-143-0x00007FF7FC690000-0x00007FF7FC9E4000-memory.dmp
memory/4928-144-0x00007FF71CD70000-0x00007FF71D0C4000-memory.dmp
memory/1564-145-0x00007FF73C930000-0x00007FF73CC84000-memory.dmp
memory/3620-147-0x00007FF711160000-0x00007FF7114B4000-memory.dmp
memory/3216-146-0x00007FF7033D0000-0x00007FF703724000-memory.dmp
memory/3412-148-0x00007FF7C21D0000-0x00007FF7C2524000-memory.dmp
memory/2036-149-0x00007FF783930000-0x00007FF783C84000-memory.dmp
memory/4036-150-0x00007FF751810000-0x00007FF751B64000-memory.dmp
memory/2940-151-0x00007FF7BD0B0000-0x00007FF7BD404000-memory.dmp
memory/2120-152-0x00007FF6EF110000-0x00007FF6EF464000-memory.dmp
memory/4972-153-0x00007FF61BD90000-0x00007FF61C0E4000-memory.dmp
memory/3600-154-0x00007FF72A5D0000-0x00007FF72A924000-memory.dmp
memory/4432-155-0x00007FF74AE90000-0x00007FF74B1E4000-memory.dmp
memory/4864-156-0x00007FF64AF20000-0x00007FF64B274000-memory.dmp
memory/1952-157-0x00007FF7AC170000-0x00007FF7AC4C4000-memory.dmp
memory/3772-158-0x00007FF753EA0000-0x00007FF7541F4000-memory.dmp
memory/1732-159-0x00007FF63C7F0000-0x00007FF63CB44000-memory.dmp
memory/3776-160-0x00007FF714910000-0x00007FF714C64000-memory.dmp
memory/2592-161-0x00007FF7F5D80000-0x00007FF7F60D4000-memory.dmp
memory/4216-162-0x00007FF662950000-0x00007FF662CA4000-memory.dmp
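A quick way to triage an artifact list like the one above is to parse it rather than eyeball it: the memory-dump names encode the PID and the start and end address of each captured region, so their sizes can be compared across processes, and the flattened hash rows can be collected into a deduplicated IOC set. The helper below is an added example, not part of the sandbox report; it assumes the naming convention `memory/<pid>-<seq>-<start>-<end>-memory.dmp`, which is inferred from the lines on this page, and it runs on a constructed sample made of a few of those lines. On this report every region works out to the same 0x354000 bytes at a different 64-bit image base, which is what one mapped copy of the same dropped image per process looks like, and some PIDs (2120, for instance) are dumped more than once at the same base.

```python
"""Triage helper for a sandbox artifact list (added example, not part of the
report). Assumes the naming convention memory/<pid>-<seq>-<start>-<end>-memory.dmp,
inferred from the lines on this page, and parses the flattened '| MD5 | ... |'
hash rows that follow each dropped-file path."""
import re
from collections import Counter, defaultdict

# Constructed sample: a handful of lines copied from the artifact list above.
SAMPLE = """\
memory/2036-55-0x00007FF783930000-0x00007FF783C84000-memory.dmp
memory/2120-60-0x00007FF6EF110000-0x00007FF6EF464000-memory.dmp
C:\\Windows\\System\\TIwTHCo.exe
| MD5 | 6a4a4042c2545ad5cf56e4d4b704ac11 |
| SHA1 | 48f550f586eb67e2cb10de75d8a293835ec4201a |
| SHA256 | cce36a2c84bef3cdd5f641707cac44c587782e606c5cb1c2b0f02299558d2a2f |
| SHA512 | d5dfc5831c4837f13964444805eb4ea6fa634dafba5e1a26e3e76bb963941a88d8a91a392391e307527e25b7a7eeea0edcd281f3ed3f9096e1ca5f44a42d2b0f |
C:\\Windows\\System\\ISizzjE.exe
| MD5 | 8f7d51b30c77d3e9019609d289d16d83 |
| SHA1 | d97d8e43f1c04c5435d6df79c4854920e8c5db7f |
| SHA256 | 2b3a196512c4883f7eacb37dff554fc3ae79c86ccabe38c61266b9b4501a6c13 |
| SHA512 | fe2c676382ca953de744fd596003f2b8a35507818b6595fbadb61092c6fc2966aeb61fe4434ace3e5a1e8903cac84d57d28bc352380d3100411eeadbd45a10ee |
memory/4036-59-0x00007FF751810000-0x00007FF751B64000-memory.dmp
memory/2120-136-0x00007FF6EF110000-0x00007FF6EF464000-memory.dmp
"""

# Assumed layout of the dump file names (inferred from the report, not documented by it).
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Return (dumps, files): dumps is a list of dicts, one per memory region;
    files maps each dropped-file path to its {algo: hexdigest} rows."""
    dumps, files = [], {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                          "start": start, "end": end, "size": end - start})
            current = None
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            algo, digest = h.group(1), h.group(2).lower()
            # Reject truncated or padded digests before they reach a blocklist.
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{current}: malformed {algo} digest")
            files[current][algo] = digest
            continue
        # Anything else that looks like a Windows path starts a new file entry.
        if re.match(r"^[A-Za-z]:\\", line):
            current = line
            files.setdefault(current, {})
    return dumps, files


def region_sizes(dumps):
    """Histogram of region sizes. One dominant size across many PIDs means the
    same image was mapped into each process, just at a different ASLR base."""
    return Counter(d["size"] for d in dumps)


def pids_dumped_repeatedly(dumps):
    """PIDs captured more than once, as {pid: (dump_count, distinct_bases)}.
    distinct_bases == 1 means the same region was re-captured, not re-mapped."""
    bases = defaultdict(set)
    for d in dumps:
        bases[d["pid"]].add(d["start"])
    counts = Counter(d["pid"] for d in dumps)
    return {pid: (n, len(bases[pid])) for pid, n in counts.items() if n > 1}


def sha256_iocs(files):
    """Deduplicated, sorted SHA256 set suitable for a blocklist or hunt query."""
    return sorted({v["SHA256"] for v in files.values() if "SHA256" in v})


if __name__ == "__main__":
    dumps, files = parse_report(SAMPLE)
    for size, n in region_sizes(dumps).items():
        print(f"{n} regions of 0x{size:X} bytes")
    print("repeat dumps:", pids_dumped_repeatedly(dumps))
    print("\n".join(sha256_iocs(files)))
```

Run against the full list rather than the sample, `region_sizes` should return a single bucket, which is the check worth doing before treating each dropped `.exe` as a distinct sample: identical region sizes across every PID point to one image copied under many random names, and the per-file hashes decide whether those copies are byte-identical or were re-packed per drop.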