Analysis Overview
SHA256
99d25ab9d1116c2d763413464b9ceb657e63dbf6c36c48fdc003ed4afc7bcf33
Threat Level: Known bad
The file 2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
UPX dump on OEP (original entry point)
xmrig
Detects Reflective DLL injection artifacts
Xmrig family
Cobaltstrike
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-10 02:15
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 02:15
Reported
2024-06-10 02:38
Platform
win10v2004-20240426-en
Max time kernel
135s
Max time network
151s
Command Line
Signatures
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\obKdBIH.exe | N/A |
| N/A | N/A | C:\Windows\System\yPuZbSY.exe | N/A |
| N/A | N/A | C:\Windows\System\zDaPLiM.exe | N/A |
| N/A | N/A | C:\Windows\System\hUViVJv.exe | N/A |
| N/A | N/A | C:\Windows\System\tAvwMYN.exe | N/A |
| N/A | N/A | C:\Windows\System\DyoVQoh.exe | N/A |
| N/A | N/A | C:\Windows\System\nxgsCUx.exe | N/A |
| N/A | N/A | C:\Windows\System\nFYUFAG.exe | N/A |
| N/A | N/A | C:\Windows\System\MHMZrCd.exe | N/A |
| N/A | N/A | C:\Windows\System\ZQaNtZn.exe | N/A |
| N/A | N/A | C:\Windows\System\uLDkDZE.exe | N/A |
| N/A | N/A | C:\Windows\System\nyTjQxK.exe | N/A |
| N/A | N/A | C:\Windows\System\MHZdScK.exe | N/A |
| N/A | N/A | C:\Windows\System\HDQCsCD.exe | N/A |
| N/A | N/A | C:\Windows\System\REGmrqC.exe | N/A |
| N/A | N/A | C:\Windows\System\omIJcXh.exe | N/A |
| N/A | N/A | C:\Windows\System\jjQTIzE.exe | N/A |
| N/A | N/A | C:\Windows\System\LtDEEwh.exe | N/A |
| N/A | N/A | C:\Windows\System\rpZcnTN.exe | N/A |
| N/A | N/A | C:\Windows\System\cIvymCX.exe | N/A |
| N/A | N/A | C:\Windows\System\CBuGoUw.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\obKdBIH.exe | C:\Windows\System\obKdBIH.exe |
| C:\Windows\System\yPuZbSY.exe | C:\Windows\System\yPuZbSY.exe |
| C:\Windows\System\zDaPLiM.exe | C:\Windows\System\zDaPLiM.exe |
| C:\Windows\System\hUViVJv.exe | C:\Windows\System\hUViVJv.exe |
| C:\Windows\System\tAvwMYN.exe | C:\Windows\System\tAvwMYN.exe |
| C:\Windows\System\DyoVQoh.exe | C:\Windows\System\DyoVQoh.exe |
| C:\Windows\System\nxgsCUx.exe | C:\Windows\System\nxgsCUx.exe |
| C:\Windows\System\nFYUFAG.exe | C:\Windows\System\nFYUFAG.exe |
| C:\Windows\System\MHMZrCd.exe | C:\Windows\System\MHMZrCd.exe |
| C:\Windows\System\ZQaNtZn.exe | C:\Windows\System\ZQaNtZn.exe |
| C:\Windows\System\uLDkDZE.exe | C:\Windows\System\uLDkDZE.exe |
| C:\Windows\System\nyTjQxK.exe | C:\Windows\System\nyTjQxK.exe |
| C:\Windows\System\MHZdScK.exe | C:\Windows\System\MHZdScK.exe |
| C:\Windows\System\HDQCsCD.exe | C:\Windows\System\HDQCsCD.exe |
| C:\Windows\System\REGmrqC.exe | C:\Windows\System\REGmrqC.exe |
| C:\Windows\System\omIJcXh.exe | C:\Windows\System\omIJcXh.exe |
| C:\Windows\System\jjQTIzE.exe | C:\Windows\System\jjQTIzE.exe |
| C:\Windows\System\LtDEEwh.exe | C:\Windows\System\LtDEEwh.exe |
| C:\Windows\System\rpZcnTN.exe | C:\Windows\System\rpZcnTN.exe |
| C:\Windows\System\cIvymCX.exe | C:\Windows\System\cIvymCX.exe |
| C:\Windows\System\CBuGoUw.exe | C:\Windows\System\CBuGoUw.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 02:15
Reported
2024-06-10 02:38
Platform
win7-20240220-en
Max time kernel
133s
Max time network
145s
Command Line
Signatures
Cobaltstrike
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\buRAnNu.exe | N/A |
| N/A | N/A | C:\Windows\System\cXMRSyQ.exe | N/A |
| N/A | N/A | C:\Windows\System\YsFvDkz.exe | N/A |
| N/A | N/A | C:\Windows\System\ZMGjpCt.exe | N/A |
| N/A | N/A | C:\Windows\System\YgHYeKa.exe | N/A |
| N/A | N/A | C:\Windows\System\twWSwRk.exe | N/A |
| N/A | N/A | C:\Windows\System\HVrLhRV.exe | N/A |
| N/A | N/A | C:\Windows\System\IMXdJbI.exe | N/A |
| N/A | N/A | C:\Windows\System\LilJKaV.exe | N/A |
| N/A | N/A | C:\Windows\System\NGRXJIc.exe | N/A |
| N/A | N/A | C:\Windows\System\BAfFvJY.exe | N/A |
| N/A | N/A | C:\Windows\System\vFklkYU.exe | N/A |
| N/A | N/A | C:\Windows\System\mZEaiyG.exe | N/A |
| N/A | N/A | C:\Windows\System\evXDusf.exe | N/A |
| N/A | N/A | C:\Windows\System\cYlTRKb.exe | N/A |
| N/A | N/A | C:\Windows\System\GRmjLhh.exe | N/A |
| N/A | N/A | C:\Windows\System\wfKljue.exe | N/A |
| N/A | N/A | C:\Windows\System\OzsxXIC.exe | N/A |
| N/A | N/A | C:\Windows\System\ybgdJoo.exe | N/A |
| N/A | N/A | C:\Windows\System\UDIjIQL.exe | N/A |
| N/A | N/A | C:\Windows\System\IbOaSkR.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\buRAnNu.exe | C:\Windows\System\buRAnNu.exe |
| C:\Windows\System\cXMRSyQ.exe | C:\Windows\System\cXMRSyQ.exe |
| C:\Windows\System\YsFvDkz.exe | C:\Windows\System\YsFvDkz.exe |
| C:\Windows\System\ZMGjpCt.exe | C:\Windows\System\ZMGjpCt.exe |
| C:\Windows\System\YgHYeKa.exe | C:\Windows\System\YgHYeKa.exe |
| C:\Windows\System\twWSwRk.exe | C:\Windows\System\twWSwRk.exe |
| C:\Windows\System\HVrLhRV.exe | C:\Windows\System\HVrLhRV.exe |
| C:\Windows\System\IMXdJbI.exe | C:\Windows\System\IMXdJbI.exe |
| C:\Windows\System\LilJKaV.exe | C:\Windows\System\LilJKaV.exe |
| C:\Windows\System\NGRXJIc.exe | C:\Windows\System\NGRXJIc.exe |
| C:\Windows\System\BAfFvJY.exe | C:\Windows\System\BAfFvJY.exe |
| C:\Windows\System\vFklkYU.exe | C:\Windows\System\vFklkYU.exe |
| C:\Windows\System\mZEaiyG.exe | C:\Windows\System\mZEaiyG.exe |
| C:\Windows\System\GRmjLhh.exe | C:\Windows\System\GRmjLhh.exe |
| C:\Windows\System\evXDusf.exe | C:\Windows\System\evXDusf.exe |
| C:\Windows\System\wfKljue.exe | C:\Windows\System\wfKljue.exe |
| C:\Windows\System\cYlTRKb.exe | C:\Windows\System\cYlTRKb.exe |
| C:\Windows\System\OzsxXIC.exe | C:\Windows\System\OzsxXIC.exe |
| C:\Windows\System\ybgdJoo.exe | C:\Windows\System\ybgdJoo.exe |
| C:\Windows\System\UDIjIQL.exe | C:\Windows\System\UDIjIQL.exe |
| C:\Windows\System\IbOaSkR.exe | C:\Windows\System\IbOaSkR.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files