Analysis Overview
SHA256
5da0d276e024f8a63516198ab8051c2bdfcca53108909d14513ec43fb8067af9
Threat Level: Known bad
The file 2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Detects Reflective DLL injection artifacts
xmrig
Cobaltstrike family
UPX dump on OEP (original entry point)
Xmrig family
XMRig Miner payload
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 15:39
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 15:39
Reported
2024-06-01 15:41
Platform
win7-20240221-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\thboYoh.exe | N/A |
| N/A | N/A | C:\Windows\System\yrfJqno.exe | N/A |
| N/A | N/A | C:\Windows\System\NpQlSIr.exe | N/A |
| N/A | N/A | C:\Windows\System\saLGqkN.exe | N/A |
| N/A | N/A | C:\Windows\System\XXXdBIw.exe | N/A |
| N/A | N/A | C:\Windows\System\ATVUtml.exe | N/A |
| N/A | N/A | C:\Windows\System\WwWbjOm.exe | N/A |
| N/A | N/A | C:\Windows\System\BujVIrY.exe | N/A |
| N/A | N/A | C:\Windows\System\UlrearW.exe | N/A |
| N/A | N/A | C:\Windows\System\yKIDUex.exe | N/A |
| N/A | N/A | C:\Windows\System\LPptXGb.exe | N/A |
| N/A | N/A | C:\Windows\System\YZlbNNk.exe | N/A |
| N/A | N/A | C:\Windows\System\HXwtbYf.exe | N/A |
| N/A | N/A | C:\Windows\System\FOtcJLv.exe | N/A |
| N/A | N/A | C:\Windows\System\NCNEZjC.exe | N/A |
| N/A | N/A | C:\Windows\System\txxvGpT.exe | N/A |
| N/A | N/A | C:\Windows\System\Qsgncri.exe | N/A |
| N/A | N/A | C:\Windows\System\IfjfIDU.exe | N/A |
| N/A | N/A | C:\Windows\System\DxMiLQm.exe | N/A |
| N/A | N/A | C:\Windows\System\shjAinu.exe | N/A |
| N/A | N/A | C:\Windows\System\uTLexuA.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\thboYoh.exe
C:\Windows\System\thboYoh.exe
C:\Windows\System\yrfJqno.exe
C:\Windows\System\yrfJqno.exe
C:\Windows\System\NpQlSIr.exe
C:\Windows\System\NpQlSIr.exe
C:\Windows\System\saLGqkN.exe
C:\Windows\System\saLGqkN.exe
C:\Windows\System\XXXdBIw.exe
C:\Windows\System\XXXdBIw.exe
C:\Windows\System\ATVUtml.exe
C:\Windows\System\ATVUtml.exe
C:\Windows\System\WwWbjOm.exe
C:\Windows\System\WwWbjOm.exe
C:\Windows\System\BujVIrY.exe
C:\Windows\System\BujVIrY.exe
C:\Windows\System\UlrearW.exe
C:\Windows\System\UlrearW.exe
C:\Windows\System\yKIDUex.exe
C:\Windows\System\yKIDUex.exe
C:\Windows\System\LPptXGb.exe
C:\Windows\System\LPptXGb.exe
C:\Windows\System\YZlbNNk.exe
C:\Windows\System\YZlbNNk.exe
C:\Windows\System\HXwtbYf.exe
C:\Windows\System\HXwtbYf.exe
C:\Windows\System\FOtcJLv.exe
C:\Windows\System\FOtcJLv.exe
C:\Windows\System\NCNEZjC.exe
C:\Windows\System\NCNEZjC.exe
C:\Windows\System\txxvGpT.exe
C:\Windows\System\txxvGpT.exe
C:\Windows\System\Qsgncri.exe
C:\Windows\System\Qsgncri.exe
C:\Windows\System\IfjfIDU.exe
C:\Windows\System\IfjfIDU.exe
C:\Windows\System\DxMiLQm.exe
C:\Windows\System\DxMiLQm.exe
C:\Windows\System\shjAinu.exe
C:\Windows\System\shjAinu.exe
C:\Windows\System\uTLexuA.exe
C:\Windows\System\uTLexuA.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 15:39
Reported
2024-06-01 15:41
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\thboYoh.exe | N/A |
| N/A | N/A | C:\Windows\System\yrfJqno.exe | N/A |
| N/A | N/A | C:\Windows\System\NpQlSIr.exe | N/A |
| N/A | N/A | C:\Windows\System\saLGqkN.exe | N/A |
| N/A | N/A | C:\Windows\System\XXXdBIw.exe | N/A |
| N/A | N/A | C:\Windows\System\ATVUtml.exe | N/A |
| N/A | N/A | C:\Windows\System\WwWbjOm.exe | N/A |
| N/A | N/A | C:\Windows\System\BujVIrY.exe | N/A |
| N/A | N/A | C:\Windows\System\UlrearW.exe | N/A |
| N/A | N/A | C:\Windows\System\yKIDUex.exe | N/A |
| N/A | N/A | C:\Windows\System\LPptXGb.exe | N/A |
| N/A | N/A | C:\Windows\System\YZlbNNk.exe | N/A |
| N/A | N/A | C:\Windows\System\HXwtbYf.exe | N/A |
| N/A | N/A | C:\Windows\System\FOtcJLv.exe | N/A |
| N/A | N/A | C:\Windows\System\NCNEZjC.exe | N/A |
| N/A | N/A | C:\Windows\System\txxvGpT.exe | N/A |
| N/A | N/A | C:\Windows\System\Qsgncri.exe | N/A |
| N/A | N/A | C:\Windows\System\IfjfIDU.exe | N/A |
| N/A | N/A | C:\Windows\System\DxMiLQm.exe | N/A |
| N/A | N/A | C:\Windows\System\shjAinu.exe | N/A |
| N/A | N/A | C:\Windows\System\uTLexuA.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\thboYoh.exe
C:\Windows\System\thboYoh.exe
C:\Windows\System\yrfJqno.exe
C:\Windows\System\yrfJqno.exe
C:\Windows\System\NpQlSIr.exe
C:\Windows\System\NpQlSIr.exe
C:\Windows\System\saLGqkN.exe
C:\Windows\System\saLGqkN.exe
C:\Windows\System\XXXdBIw.exe
C:\Windows\System\XXXdBIw.exe
C:\Windows\System\ATVUtml.exe
C:\Windows\System\ATVUtml.exe
C:\Windows\System\WwWbjOm.exe
C:\Windows\System\WwWbjOm.exe
C:\Windows\System\BujVIrY.exe
C:\Windows\System\BujVIrY.exe
C:\Windows\System\UlrearW.exe
C:\Windows\System\UlrearW.exe
C:\Windows\System\yKIDUex.exe
C:\Windows\System\yKIDUex.exe
C:\Windows\System\LPptXGb.exe
C:\Windows\System\LPptXGb.exe
C:\Windows\System\YZlbNNk.exe
C:\Windows\System\YZlbNNk.exe
C:\Windows\System\HXwtbYf.exe
C:\Windows\System\HXwtbYf.exe
C:\Windows\System\FOtcJLv.exe
C:\Windows\System\FOtcJLv.exe
C:\Windows\System\NCNEZjC.exe
C:\Windows\System\NCNEZjC.exe
C:\Windows\System\txxvGpT.exe
C:\Windows\System\txxvGpT.exe
C:\Windows\System\Qsgncri.exe
C:\Windows\System\Qsgncri.exe
C:\Windows\System\IfjfIDU.exe
C:\Windows\System\IfjfIDU.exe
C:\Windows\System\DxMiLQm.exe
C:\Windows\System\DxMiLQm.exe
C:\Windows\System\shjAinu.exe
C:\Windows\System\shjAinu.exe
C:\Windows\System\uTLexuA.exe
C:\Windows\System\uTLexuA.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 73.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 4.73.50.20.in-addr.arpa | udp |
Files
C:\Windows\System\BujVIrY.exe
| MD5 | 7e99c3b703cdc180b4b120e55836c224 |
| SHA1 | 59297a5adab8e9a77ef19b5c8351130509682d1e |
| SHA256 | 64f279afefb27af97e019fda4312ad225ebc4560728516aa14dcb1599456b3ce |
| SHA512 | 3b03d9129e42b31213aa6f8ee9ddc8b0132fceed126bab111890381c5940d01860810fb00444a37088967c8da1df229bc21543fe3043612a002f8a766d25d5a9 |
memory/1776-50-0x00007FF783FE0000-0x00007FF784334000-memory.dmp
C:\Windows\System\UlrearW.exe
| MD5 | 91ee3b93a1e80bb4a28847c3928fa8db |
| SHA1 | 64c9411edfbbfac24d9520eb38e9e21bcd031338 |
| SHA256 | 9683dd894c61978029217acd614c631d1bbf46dc4430a9a8d52c120644bf6b06 |
| SHA512 | 2592b7d7ae4e64960ac2e003f72e982e2bf70e93f6fa206b7a3958c655640d1411e7a326e568c81ab398b80a5e53f67439c5c322a338f802b51dfdf1ae598084 |
memory/2240-56-0x00007FF7DD840000-0x00007FF7DDB94000-memory.dmp
C:\Windows\System\yKIDUex.exe
| MD5 | 9aaae56723c8fffedfe04a65e23aef84 |
| SHA1 | 26fef1c7ceabec621090bf73d6c865b17ce55738 |
| SHA256 | cb87f9079cddca379b59ad7d48c210a31da62cffdc4f9bfe2b4ac66a30dff5fa |
| SHA512 | f52058d059ffb6a7889c6c52dea41d813ecf22d160ca07e77888a19d270bc71317832a2708ae8aee3db57989a0de27bf8cd6a92aa6b9130399c767966f6d544b |
memory/2364-62-0x00007FF632F00000-0x00007FF633254000-memory.dmp
C:\Windows\System\LPptXGb.exe
| MD5 | 9a4c1d2f7d40ebb5241d72b4d8db04ac |
| SHA1 | b102b3e8c307ecd3521a55d54d06625dd0733d73 |
| SHA256 | 9afdf13b8184f937a29d2c16b49d272dc118167941a417cbb6dd6b6d4ed2bdb9 |
| SHA512 | 6bb07fea0b015f6bd33bdf7fa7fe539d4103ca63c63edcc6ceed6e0f6ccc53a2e2484ca4b6e238beef9e6f58d601487342018b9c17af5b19ee26775a4cab805f |
C:\Windows\System\YZlbNNk.exe
| MD5 | 130dccc9a6b6dd57b4b13d8795a633ca |
| SHA1 | b190e4e8499eae4461a18b73f61c8afa90210943 |
| SHA256 | ff833de57fcc04c64834bcebea10cfa0e88228799c604df29e1b92ba65fb67af |
| SHA512 | 3cb28994a1b90198edc4241c64c04a97d978d4635b97a3c5bcf781d59ebc7bc64c7b59271e0d06c290272957807f55c1c93a830dba6f9e52db62dd16242772b2 |
memory/448-72-0x00007FF7ACBB0000-0x00007FF7ACF04000-memory.dmp
memory/3400-75-0x00007FF601290000-0x00007FF6015E4000-memory.dmp
C:\Windows\System\HXwtbYf.exe
| MD5 | 68120a00a3e8fb9a31143f4d45a7cb7e |
| SHA1 | ad3b2d15cfb8ef55aaff36d4932558046de65b43 |
| SHA256 | 988215d3ba7d02951e2b6484a5d86735aed3a1e0f0286a68ea78db499472a7e0 |
| SHA512 | f667c55aa2cd22e2ba8e3d5c1a4626111e822ca3e156f771e0c8c6d756bf00ae4d6b26874e5575c132caa6f54b0c9249ebfc2e6d2a8b286c444e602990ad70ad |
memory/1424-73-0x00007FF6D7060000-0x00007FF6D73B4000-memory.dmp
memory/4192-66-0x00007FF752F10000-0x00007FF753264000-memory.dmp
C:\Windows\System\FOtcJLv.exe
| MD5 | f4eb0da452b9c6ada173e41c25004a63 |
| SHA1 | 4e450ab08cd58e1f217dcbc92062738dc3e09055 |
| SHA256 | a50a04e3b389b64ec168de54e20ea7fa4160c03b2a7eb864bf6e661e8ff758c7 |
| SHA512 | bc112d0c0729c0153a94cf3fd418e02b192b99d33cc024b666975840e896ad1b8a3b52d02ae7f054268a72f8a29d148fd39eec1f541c6660e154ca06a24402a0 |
C:\Windows\System\NCNEZjC.exe
| MD5 | ac2f282ef13ebfb665a414af9d782e15 |
| SHA1 | 5ee155f4944e8e9c968ba33819c32c806eff0eb0 |
| SHA256 | 0fb87a613af11ab55bb74045b0dd56b90ac5636849f333ee5505eaa4e08e5d33 |
| SHA512 | 2183f88fc858716dd0cec09afaaf789be577a97b6a03042ab24628ab7e20b06e226a9261bea6c55bebb8263e64ed7d1c6b1556abe744c0f85c56eb5c7e875fb5 |
C:\Windows\System\txxvGpT.exe
| MD5 | de6341e22383910b8abfca582b1c7986 |
| SHA1 | 8636525a4d222b9234f73576db0385ab3bfa414e |
| SHA256 | 2e99d16e3eed682fa947fcc0bb39c083fc80289d0ed8b4be96f5f418f8bfce32 |
| SHA512 | 356364cf013caf9384f3f9ea189c81687b8e7c9a4e895cfc01437e228ed8c3aa7eaf088b71d64a4676087f8dc61c8d896d5664b486cd7a6c409f7632a203f9c8 |
memory/1432-100-0x00007FF7CE2C0000-0x00007FF7CE614000-memory.dmp
memory/1712-101-0x00007FF6F3630000-0x00007FF6F3984000-memory.dmp
memory/3740-99-0x00007FF695F50000-0x00007FF6962A4000-memory.dmp
memory/3616-91-0x00007FF627F40000-0x00007FF628294000-memory.dmp
memory/1188-88-0x00007FF7306C0000-0x00007FF730A14000-memory.dmp
memory/4676-84-0x00007FF617FA0000-0x00007FF6182F4000-memory.dmp
memory/4936-82-0x00007FF7C9BF0000-0x00007FF7C9F44000-memory.dmp
C:\Windows\System\Qsgncri.exe
| MD5 | 82b0085353cb4f703cafa3cd0becc6f7 |
| SHA1 | 40b763bce89cc05b40c6198f9801a149e1f97268 |
| SHA256 | 7d3ff6d99fb448f59439f806f9161db3a8c40c42dbbdb606c60e6f886263172d |
| SHA512 | c65773c2a748c37d578f4c9e20b694285f9f21085b79b7613b18b1644304530b6828be1d709f069abfa04d05fb4fc8175ee72be6f9291f0529449f35d1046104 |
C:\Windows\System\DxMiLQm.exe
| MD5 | 3aa068d3f8ed2e7a5570289317e13893 |
| SHA1 | f77527e26278302f066d890732410fd678f344a6 |
| SHA256 | 2ebadd57f3b4c1941a140a40b944df7b9f7216f85a25d60b0f8802e30a4bbd53 |
| SHA512 | dcd3e8a2859c96b8f2e99766201ef6af31c6840b6fb38b95a6f20ca9fc393aeacbeb50dfcc8f425ab20fee6158347c7b0239ea501a60397efa08cf61bc4dfbf2 |
C:\Windows\System\shjAinu.exe
| MD5 | 5c76d96bfa875aecc458a2631c3fc4f6 |
| SHA1 | 0f00738780e86665b0241c54150b36513187a2c7 |
| SHA256 | 17314d8a95fde16ab4733745b354b3843f7e06fa62835e4c11260d6f159142f0 |
| SHA512 | 5500cde194be1ac2c22a2407fb23f434a1304251f9535bf71ec6d5563e0d832b26e981b405a9ec54d33fce6cd377a0b7014fd731edf07c89c50da42eec85bb58 |
memory/3232-122-0x00007FF6512B0000-0x00007FF651604000-memory.dmp
C:\Windows\System\IfjfIDU.exe
| MD5 | 6e6bc0c2085372124d779c9f81405e6f |
| SHA1 | eee4acc3ae9dde3794321aee0fa5888db2fb3d2b |
| SHA256 | 06b783a55bf887a6c41f8661aa9a8f336d219f0c1e3cb5ab98d38624bbf66702 |
| SHA512 | 6bc826369531907b9ac16bc704b5db55a8ce31fcb17d58267dc01031a4a28749ac8cfa355066edd949833b961340a7c996be2cc8458d29b321832fca227a0098 |
memory/4268-114-0x00007FF61BA90000-0x00007FF61BDE4000-memory.dmp
memory/4540-113-0x00007FF7EE020000-0x00007FF7EE374000-memory.dmp
memory/5008-127-0x00007FF6D45B0000-0x00007FF6D4904000-memory.dmp
C:\Windows\System\uTLexuA.exe
| MD5 | a715782ae1bf352aedece4bced8e13ea |
| SHA1 | 91b94523a967357499c0acc13acb6b8aca6ccbc7 |
| SHA256 | e164ff535c6965f809a31a5267ed2aea07e35835b6ee0172f5b9ee91d7ea1f42 |
| SHA512 | b8edc6ab94819c6c1c5992c5428bac1f4289cd40e4b31fdac1e23bf9110e20fc4410a77754f7b2b3466cfc4e3836dd383b81e3ad10ee91f583fbe8b7f637274e |
memory/944-128-0x00007FF728380000-0x00007FF7286D4000-memory.dmp
memory/3940-133-0x00007FF608CB0000-0x00007FF609004000-memory.dmp
memory/3400-134-0x00007FF601290000-0x00007FF6015E4000-memory.dmp
memory/3616-135-0x00007FF627F40000-0x00007FF628294000-memory.dmp
memory/1712-136-0x00007FF6F3630000-0x00007FF6F3984000-memory.dmp
memory/4540-137-0x00007FF7EE020000-0x00007FF7EE374000-memory.dmp
memory/4268-138-0x00007FF61BA90000-0x00007FF61BDE4000-memory.dmp
memory/1424-139-0x00007FF6D7060000-0x00007FF6D73B4000-memory.dmp
memory/4936-140-0x00007FF7C9BF0000-0x00007FF7C9F44000-memory.dmp
memory/1188-141-0x00007FF7306C0000-0x00007FF730A14000-memory.dmp
memory/3740-142-0x00007FF695F50000-0x00007FF6962A4000-memory.dmp
memory/2332-143-0x00007FF63AB50000-0x00007FF63AEA4000-memory.dmp
memory/4740-144-0x00007FF7F53B0000-0x00007FF7F5704000-memory.dmp
memory/3232-145-0x00007FF6512B0000-0x00007FF651604000-memory.dmp
memory/1776-146-0x00007FF783FE0000-0x00007FF784334000-memory.dmp
memory/2240-147-0x00007FF7DD840000-0x00007FF7DDB94000-memory.dmp
memory/2364-148-0x00007FF632F00000-0x00007FF633254000-memory.dmp
memory/448-149-0x00007FF7ACBB0000-0x00007FF7ACF04000-memory.dmp
memory/3400-150-0x00007FF601290000-0x00007FF6015E4000-memory.dmp
memory/4676-151-0x00007FF617FA0000-0x00007FF6182F4000-memory.dmp
memory/3616-152-0x00007FF627F40000-0x00007FF628294000-memory.dmp
memory/1432-153-0x00007FF7CE2C0000-0x00007FF7CE614000-memory.dmp
memory/1712-154-0x00007FF6F3630000-0x00007FF6F3984000-memory.dmp
memory/4268-155-0x00007FF61BA90000-0x00007FF61BDE4000-memory.dmp
memory/4540-156-0x00007FF7EE020000-0x00007FF7EE374000-memory.dmp
memory/5008-158-0x00007FF6D45B0000-0x00007FF6D4904000-memory.dmp
memory/944-157-0x00007FF728380000-0x00007FF7286D4000-memory.dmp
memory/3940-159-0x00007FF608CB0000-0x00007FF609004000-memory.dmp