Analysis Overview
SHA256
07a71a44ac6d0e79258d875c25fe96f5fc1d40cfcaa7eff91f4627c511fc8d08
Threat Level: Known bad
The file 2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
XMRig Miner payload
Xmrig family
Cobaltstrike
UPX dump on OEP (original entry point)
xmrig
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-01 11:27
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 11:27
Reported
2024-06-01 11:29
Platform
win7-20240220-en
Max time kernel
134s
Max time network
143s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\TugnGLU.exe | N/A |
| N/A | N/A | C:\Windows\System\CRIdGVV.exe | N/A |
| N/A | N/A | C:\Windows\System\hZSjwfI.exe | N/A |
| N/A | N/A | C:\Windows\System\QoGSQZO.exe | N/A |
| N/A | N/A | C:\Windows\System\dIggINH.exe | N/A |
| N/A | N/A | C:\Windows\System\TthRaGg.exe | N/A |
| N/A | N/A | C:\Windows\System\yYrAGzG.exe | N/A |
| N/A | N/A | C:\Windows\System\QXjNdxx.exe | N/A |
| N/A | N/A | C:\Windows\System\rPzvBpA.exe | N/A |
| N/A | N/A | C:\Windows\System\UZYeqVs.exe | N/A |
| N/A | N/A | C:\Windows\System\wxkhTXQ.exe | N/A |
| N/A | N/A | C:\Windows\System\lvFEbYA.exe | N/A |
| N/A | N/A | C:\Windows\System\bUEZgHK.exe | N/A |
| N/A | N/A | C:\Windows\System\LavJcMB.exe | N/A |
| N/A | N/A | C:\Windows\System\tyDScNr.exe | N/A |
| N/A | N/A | C:\Windows\System\HydZuKC.exe | N/A |
| N/A | N/A | C:\Windows\System\axqrRii.exe | N/A |
| N/A | N/A | C:\Windows\System\TdNdCvN.exe | N/A |
| N/A | N/A | C:\Windows\System\OLIfnCC.exe | N/A |
| N/A | N/A | C:\Windows\System\rOGsccr.exe | N/A |
| N/A | N/A | C:\Windows\System\thvABMC.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 11:27
Reported
2024-06-01 11:29
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\XeJSRmM.exe | N/A |
| N/A | N/A | C:\Windows\System\PAClIwK.exe | N/A |
| N/A | N/A | C:\Windows\System\PRBONxL.exe | N/A |
| N/A | N/A | C:\Windows\System\yokdlBz.exe | N/A |
| N/A | N/A | C:\Windows\System\trVbduK.exe | N/A |
| N/A | N/A | C:\Windows\System\VDMFwns.exe | N/A |
| N/A | N/A | C:\Windows\System\IBokypP.exe | N/A |
| N/A | N/A | C:\Windows\System\jmUJaHS.exe | N/A |
| N/A | N/A | C:\Windows\System\trrShHC.exe | N/A |
| N/A | N/A | C:\Windows\System\ozpmzaN.exe | N/A |
| N/A | N/A | C:\Windows\System\TJQGOKL.exe | N/A |
| N/A | N/A | C:\Windows\System\dNBuPzi.exe | N/A |
| N/A | N/A | C:\Windows\System\hcclINw.exe | N/A |
| N/A | N/A | C:\Windows\System\foJnirX.exe | N/A |
| N/A | N/A | C:\Windows\System\sWoIXcT.exe | N/A |
| N/A | N/A | C:\Windows\System\QWSdClF.exe | N/A |
| N/A | N/A | C:\Windows\System\rFwamDN.exe | N/A |
| N/A | N/A | C:\Windows\System\QZjdKLT.exe | N/A |
| N/A | N/A | C:\Windows\System\zkIrmVT.exe | N/A |
| N/A | N/A | C:\Windows\System\EbDXJPT.exe | N/A |
| N/A | N/A | C:\Windows\System\HHoWZgw.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| SHA512 | 6f178b763a1d48188c0a738b39163f3821db5bee2c6b5ef36eea4419d2c7d5afb7ac048e5371442d930ed90ef5485539ed6804cb6120215e093d6178d661caa4 |
C:\Windows\System\dNBuPzi.exe
| MD5 | 82e15f316d9495adaa82b8f1c006fe04 |
| SHA1 | 98d1f61a7b27f8ba09709e523668bbe32ffa424a |
| SHA256 | 06bf14f8a17d99638b3f9defff86d087d579a0a76ea3e498a0a288fef59c9f9a |
| SHA512 | 250a1ea74544b12c5e8c5c2056f2d020db2c545f97bc7a162e338685819099cf6e7b66497bfe4e4a13ac5c4036762cd4c38683bf2b62de077204c86f9c1b63b9 |
C:\Windows\System\hcclINw.exe
| MD5 | 09e2906fdf706e88944756de1053de66 |
| SHA1 | 55fea1171e3bed1773d49848f5faf7a4e1484750 |
| SHA256 | b499fe5c590ff299c68c4d31c8a9d59fbd75e91caa93fd237b413829ee5a0efb |
| SHA512 | 6bd50fc5aaf083942fab6aa21a0b546c71480a5b54ed48af087f9b025a72d1004cb7096214605ecc316ff576f300a11068cab81f32594b29bec23db10a961c20 |
C:\Windows\System\QWSdClF.exe
| MD5 | 3430fec3d20aea92d2310327d5b51a1c |
| SHA1 | ba4dff18183f972de13c6ae0a66776a127033c79 |
| SHA256 | d6f6fc8db17d783369a7020bc2f9f71b04fa6b9e8633fe6b835b22f475beb82b |
| SHA512 | ac3ae934d8b2756439f59b3659db29f547140fff83c8b109df0a74d4ef5f4be6cc83b4f4f8869d3953153634a46f9ba1b3d147be0e3de3f02278a13c2e7d033f |
memory/2000-93-0x00007FF6B2020000-0x00007FF6B2374000-memory.dmp
memory/5060-104-0x00007FF632A70000-0x00007FF632DC4000-memory.dmp
memory/4620-112-0x00007FF6F2270000-0x00007FF6F25C4000-memory.dmp
memory/5072-116-0x00007FF776970000-0x00007FF776CC4000-memory.dmp
memory/4088-120-0x00007FF795410000-0x00007FF795764000-memory.dmp
memory/4232-124-0x00007FF6676A0000-0x00007FF6679F4000-memory.dmp
memory/1516-126-0x00007FF65D2B0000-0x00007FF65D604000-memory.dmp
memory/3896-125-0x00007FF70E270000-0x00007FF70E5C4000-memory.dmp
memory/2300-123-0x00007FF730B30000-0x00007FF730E84000-memory.dmp
memory/3940-122-0x00007FF66F8C0000-0x00007FF66FC14000-memory.dmp
memory/1780-121-0x00007FF74AC90000-0x00007FF74AFE4000-memory.dmp
memory/1460-119-0x00007FF6D9070000-0x00007FF6D93C4000-memory.dmp
memory/2476-118-0x00007FF620BB0000-0x00007FF620F04000-memory.dmp
memory/1288-117-0x00007FF64F7A0000-0x00007FF64FAF4000-memory.dmp
memory/2256-115-0x00007FF681E10000-0x00007FF682164000-memory.dmp
C:\Windows\System\HHoWZgw.exe
| MD5 | 4015ab07f146372988ec64ed7483b73c |
| SHA1 | c05bac694d57b64c1081dc892acdc5ada986af8f |
| SHA256 | b5843a308d66fa8356f0ca60a56829fded44e7ba29f4773b5048e6c0f7248a43 |
| SHA512 | 55a35ecfe8cbda40d5730f6330f1921eb44be988ac91ae0c10f40ec1d22cca947c36bf7fde2f18f0d4a4728cc48433588b62a63bb475102dc16109f2da75f537 |
C:\Windows\System\EbDXJPT.exe
| MD5 | 14c068c1604cf78c2835d0431438f821 |
| SHA1 | 2a118fe64bca4cb4ea04c9a2b399c7545ddb0cbc |
| SHA256 | 20569c6d00338ab997850febac81f5529e0864048b96765edec917c329e94475 |
| SHA512 | e2a56e61b66dc726504fe36cb4801edb49fdbee3627a5c13d181bb59f189fe0a12f764063575331ee4e0928bddd471455713709ae1320bbae7c13d35bf8de668 |
memory/4616-109-0x00007FF76B210000-0x00007FF76B564000-memory.dmp
C:\Windows\System\zkIrmVT.exe
| MD5 | 4329e94c76a7df88ed939632a2fb3ee0 |
| SHA1 | 4484a5546d669a5311a2572cab7f30c004e26e28 |
| SHA256 | fef164660f94c4040f3b90edc2d71e028e0b7bd550dba595cd3d8307bccade72 |
| SHA512 | 627da1995d43b76bc2d06fdb629a9c64cba21e8e48301f2a7ed813370f9c369b3413d17481fd232bbbfe30815058bc0bb9afdb6d455361097e714d64ca22c716 |
C:\Windows\System\foJnirX.exe
| MD5 | 47df458851d1c7ffd034f2394abcabc2 |
| SHA1 | fef4c0ba47ca0c4f7932257c9c109d3945ff7eb6 |
| SHA256 | 205706b65fc57bf1fca2dc5ccdc900d5fe00e25cdf4b667fc1cc9272fb149bd3 |
| SHA512 | ba1e0d50a271636df04206eaf1826226e1336f9234138c9a6c175e664423ea8069cb2593aedb6e0a741a215224d2204eea2ad77f02d98cd2d796eae2d91ff810 |
C:\Windows\System\QZjdKLT.exe
| MD5 | cf237d1ffdbe838dc2a52e8baa96b487 |
| SHA1 | 01ef1f5dda82ec0cd7e2366fd4d58d90f3c083a6 |
| SHA256 | d84aaf76c2b127c4dda636ddfcbefb865fdb7e121609965a25180268cc2cbd1c |
| SHA512 | 3fdbcdd325005937d09f9ae3cb33d61da2195d329e6266234205d9efe8023efd093d6f37675f7d44069f748638e70f2ae5a007028bbd1712b7f5df26cda7bc58 |
C:\Windows\System\rFwamDN.exe
| MD5 | 7730d7f393abc0f8a4a66d1de5a36bcc |
| SHA1 | 6b372cf8decb4d2d0f2e3ba78828211057d3ad1c |
| SHA256 | 76a268ec28312fcc2414e0110e03336f10fba7686c1567ae322dcccead5e4ab7 |
| SHA512 | 6ed84ba339baaf200422696b69e46bad322e10ea1cd78f3e375ca677b36a2d7b7d528b76786347aaa3ce8a41694a4f2459d22eb608f8bc4500109c9eb358d538 |
C:\Windows\System\sWoIXcT.exe
| MD5 | 25a27b6783c075559ab0b4c0b3dd79eb |
| SHA1 | d62a701936f3e8a20d1d1f14770a0cea663d4fd2 |
| SHA256 | 16b0a75056cecb917011b1e6066962047d19c78e65a298a736103f1d8390599f |
| SHA512 | b0509aec7bec11f7718c899f986e6e717b77e8bd430c10a3a05ee86bc4700cad0935866763754a7c828f3d3812e767bee80ab5e8f1a86205924f3d8d7137a9e2 |
memory/1748-86-0x00007FF7210F0000-0x00007FF721444000-memory.dmp
C:\Windows\System\TJQGOKL.exe
| MD5 | 995f41799a78a942e230a2f48a295174 |
| SHA1 | edd6de37881a0d0ec56527ad5ce00373dbbf82bb |
| SHA256 | 1e2ebd3cbad5b77b985478b9ee5ee71a5793230e1655a2316e7ba8cf98076889 |
| SHA512 | 88aa8d1b673003e428823e84a07e1548bf5fc22a543ce80c3f7d88db071cc5a34780276fc43e79a0428a962504f73b92b4463fa8139c740745d7a3508e15978a |
C:\Windows\System\trrShHC.exe
| MD5 | 42294c11f0e2bb5b6cd59d505f37cf63 |
| SHA1 | 5b2730ba16eeb7553f5cdcb1bf4beb3c9354ad7e |
| SHA256 | 72665ada60dcd8729b3a750284b09acf07b812be2b0ef962759e63d633c1fad8 |
| SHA512 | 0ba2635d6fdb4cf201d93d6345519ad45a764cbe2245e73aeeb03dd4390f1d0ab7b5b746d316111bb9f146a0e79a8bfbba8fd51fae29b38b2a1f4386bc362e53 |
C:\Windows\System\IBokypP.exe
| MD5 | a5025509ea791a30f1d17c53aec5d099 |
| SHA1 | 78a842eabef862a71500b99f79bae7c590856f8c |
| SHA256 | 333c639536b7005f352cb26e2f85c3ec9f5092339eaba3f55786892bc8bce760 |
| SHA512 | 84aa284bcbcc469960af3ec304c9dbd7c64856c429ad9e98b6ad49641d5dba63b21239739e714df80cd2e2b1126139d19296dc192d6b8214ccb41d96f0805daf |
C:\Windows\System\VDMFwns.exe
| MD5 | 9b679f5b483dd5111846b6c31a627371 |
| SHA1 | 4622c1665bf9a211e4d870b5c6248b36500e6c86 |
| SHA256 | 696ff9b9ffb2cf259ff4ce33f9c248def1fda34c2553f08f4b770e4fb8159a90 |
| SHA512 | eba1aef6be49d6b0822447c9d86e2925d995299c9d7ecc5654291f2381722051074150cc5bba95263ed8b9778c23ae1ffbb8004717ad5ab093fb647fafed75a5 |
memory/4532-18-0x00007FF6A8470000-0x00007FF6A87C4000-memory.dmp
memory/3464-8-0x00007FF6A7440000-0x00007FF6A7794000-memory.dmp
memory/1220-128-0x00007FF6AB190000-0x00007FF6AB4E4000-memory.dmp
memory/972-129-0x00007FF63DB90000-0x00007FF63DEE4000-memory.dmp
memory/4532-130-0x00007FF6A8470000-0x00007FF6A87C4000-memory.dmp
memory/1288-131-0x00007FF64F7A0000-0x00007FF64FAF4000-memory.dmp
memory/3464-132-0x00007FF6A7440000-0x00007FF6A7794000-memory.dmp
memory/972-133-0x00007FF63DB90000-0x00007FF63DEE4000-memory.dmp
memory/4532-134-0x00007FF6A8470000-0x00007FF6A87C4000-memory.dmp
memory/4180-135-0x00007FF677B10000-0x00007FF677E64000-memory.dmp
memory/3940-136-0x00007FF66F8C0000-0x00007FF66FC14000-memory.dmp
memory/1748-137-0x00007FF7210F0000-0x00007FF721444000-memory.dmp
memory/2300-138-0x00007FF730B30000-0x00007FF730E84000-memory.dmp
memory/2000-139-0x00007FF6B2020000-0x00007FF6B2374000-memory.dmp
memory/4616-140-0x00007FF76B210000-0x00007FF76B564000-memory.dmp
memory/5060-141-0x00007FF632A70000-0x00007FF632DC4000-memory.dmp
memory/4620-142-0x00007FF6F2270000-0x00007FF6F25C4000-memory.dmp
memory/2256-143-0x00007FF681E10000-0x00007FF682164000-memory.dmp
memory/1460-145-0x00007FF6D9070000-0x00007FF6D93C4000-memory.dmp
memory/4232-144-0x00007FF6676A0000-0x00007FF6679F4000-memory.dmp
memory/2476-146-0x00007FF620BB0000-0x00007FF620F04000-memory.dmp
memory/4088-148-0x00007FF795410000-0x00007FF795764000-memory.dmp
memory/5072-147-0x00007FF776970000-0x00007FF776CC4000-memory.dmp
memory/1780-149-0x00007FF74AC90000-0x00007FF74AFE4000-memory.dmp
memory/1516-150-0x00007FF65D2B0000-0x00007FF65D604000-memory.dmp
memory/3896-151-0x00007FF70E270000-0x00007FF70E5C4000-memory.dmp
memory/1288-152-0x00007FF64F7A0000-0x00007FF64FAF4000-memory.dmp