Analysis Overview
SHA256
68ec096ed3ebef262ccad229af10d48bd4df27c078201313b8157d028b6336b5
Threat Level: Known bad
The file 2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike was classified as Known bad: it carries an XMRig miner payload and a Cobalt Strike reflective loader, drops and executes randomly named executables under C:\Windows\System\, and connects to 3.120.209.58:8080.
Malicious Activity Summary
XMRig Miner payload
Cobalt Strike reflective loader
xmrig
Cobaltstrike family
Cobaltstrike
Xmrig family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported: 2024-05-22 18:01
Signatures
Cobalt Strike reflective loader
1 match (description, indicator, process and target not recorded)
Cobaltstrike family
XMRig Miner payload
1 match (description, indicator, process and target not recorded)
Xmrig family
UPX packed file
1 match (description, indicator, process and target not recorded)
Unsigned PE
2 matches (description, indicator, process and target not recorded)
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-22 18:01
Reported: 2024-05-22 18:04
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 155s
Command Line: (empty)
Signatures
Cobalt Strike reflective loader
21 matches (description, indicator, process and target not recorded)
Cobaltstrike
xmrig
XMRig Miner payload
43 matches (description, indicator, process and target not recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\fLBoDGd.exe | N/A |
| N/A | N/A | C:\Windows\System\GLEvzJW.exe | N/A |
| N/A | N/A | C:\Windows\System\TBcCnxs.exe | N/A |
| N/A | N/A | C:\Windows\System\HZgEkeP.exe | N/A |
| N/A | N/A | C:\Windows\System\jeHpZhS.exe | N/A |
| N/A | N/A | C:\Windows\System\nXjUcqW.exe | N/A |
| N/A | N/A | C:\Windows\System\AkwMsEg.exe | N/A |
| N/A | N/A | C:\Windows\System\dWwUaqE.exe | N/A |
| N/A | N/A | C:\Windows\System\iYVICaI.exe | N/A |
| N/A | N/A | C:\Windows\System\YSXaPIx.exe | N/A |
| N/A | N/A | C:\Windows\System\ZJOavQi.exe | N/A |
| N/A | N/A | C:\Windows\System\EFhGpkr.exe | N/A |
| N/A | N/A | C:\Windows\System\TEYRbku.exe | N/A |
| N/A | N/A | C:\Windows\System\IFrFWJc.exe | N/A |
| N/A | N/A | C:\Windows\System\rDurjWW.exe | N/A |
| N/A | N/A | C:\Windows\System\RGVRtSr.exe | N/A |
| N/A | N/A | C:\Windows\System\wSUICCS.exe | N/A |
| N/A | N/A | C:\Windows\System\GqQLqvM.exe | N/A |
| N/A | N/A | C:\Windows\System\GogBUMk.exe | N/A |
| N/A | N/A | C:\Windows\System\UDgEhip.exe | N/A |
| N/A | N/A | C:\Windows\System\REtfBwO.exe | N/A |
Loads dropped DLL
UPX packed file
64 matches (description, indicator, process and target not recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe | N/A |
SeLockMemoryPrivilege is the "Lock pages in memory" right; XMRig requests it at start-up so that its RandomX dataset can be backed by large pages. Legitimate holders are normally services such as database engines that are granted the right by policy, so a binary in a user's Temp directory enabling it is a strong miner indicator.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe"
C:\Windows\System\fLBoDGd.exe
C:\Windows\System\fLBoDGd.exe
C:\Windows\System\GLEvzJW.exe
C:\Windows\System\GLEvzJW.exe
C:\Windows\System\HZgEkeP.exe
C:\Windows\System\HZgEkeP.exe
C:\Windows\System\TBcCnxs.exe
C:\Windows\System\TBcCnxs.exe
C:\Windows\System\jeHpZhS.exe
C:\Windows\System\jeHpZhS.exe
C:\Windows\System\nXjUcqW.exe
C:\Windows\System\nXjUcqW.exe
C:\Windows\System\AkwMsEg.exe
C:\Windows\System\AkwMsEg.exe
C:\Windows\System\dWwUaqE.exe
C:\Windows\System\dWwUaqE.exe
C:\Windows\System\iYVICaI.exe
C:\Windows\System\iYVICaI.exe
C:\Windows\System\YSXaPIx.exe
C:\Windows\System\YSXaPIx.exe
C:\Windows\System\ZJOavQi.exe
C:\Windows\System\ZJOavQi.exe
C:\Windows\System\EFhGpkr.exe
C:\Windows\System\EFhGpkr.exe
C:\Windows\System\TEYRbku.exe
C:\Windows\System\TEYRbku.exe
C:\Windows\System\IFrFWJc.exe
C:\Windows\System\IFrFWJc.exe
C:\Windows\System\rDurjWW.exe
C:\Windows\System\rDurjWW.exe
C:\Windows\System\RGVRtSr.exe
C:\Windows\System\RGVRtSr.exe
C:\Windows\System\GqQLqvM.exe
C:\Windows\System\GqQLqvM.exe
C:\Windows\System\wSUICCS.exe
C:\Windows\System\wSUICCS.exe
C:\Windows\System\GogBUMk.exe
C:\Windows\System\GogBUMk.exe
C:\Windows\System\UDgEhip.exe
C:\Windows\System\UDgEhip.exe
C:\Windows\System\REtfBwO.exe
C:\Windows\System\REtfBwO.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
No domain is recorded for the destination: the sample connects to the IP address directly, six times over the run.
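The three behaviours recorded above (seven-letter random-name EXEs executed from C:\Windows\System, SeLockMemoryPrivilege enabled by a binary in the user's Temp directory, and TCP connections to 3.120.209.58:8080) can be correlated into a single alert per process tree. The following is an added example and not part of the sandbox report: the EVENTS list is constructed telemetry (process-creation and network records in a Sysmon-like shape, plus a token-right record modelled on Security event 4703); PIDs, parent PIDs and the benign noise are invented, while the paths, privilege name and destination are taken from the report.

```python
"""Correlate the three behaviours this report records into one alert per
process tree: seven-letter random-name EXEs executed from C:\\Windows\\System,
SeLockMemoryPrivilege enabled by a binary in the user's Temp directory, and
TCP connections to 3.120.209.58:8080.

Added example, not part of the sandbox report. EVENTS is constructed
telemetry: process-creation and network records in a Sysmon-like shape and
a token-right record modelled on Security event 4703. PIDs, parent PIDs and
the benign noise are invented; the paths, privilege name and destination
come from the report."""
import re
from collections import defaultdict

C2_DEST = ("3.120.209.58", 8080)        # Network section
MINER_PRIV = "SeLockMemoryPrivilege"    # AdjustPrivilegeToken signature
# C:\Windows\System is the legacy 16-bit system directory; Windows itself
# puts almost nothing there, so a new seven-letter .exe (fLBoDGd.exe,
# GLEvzJW.exe, ...) is a strong path-based indicator that survives the
# per-drop hash changes seen in the Files section.
DROP_DIR = r"c:\windows\system"
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")
USER_TEMP = "\\appdata\\local\\temp\\"


def is_dropped_exe(image: str) -> bool:
    """True for <DROP_DIR>\\<seven letters>.exe; directory compared case-insensitively."""
    directory, _, name = image.rpartition("\\")
    return directory.lower() == DROP_DIR and bool(RANDOM_NAME.match(name))


def correlate(events):
    """Map each process tree (keyed by its topmost observed PID) to the list of
    (category, detail) findings raised by any process in that tree."""
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "process"}
    image = {e["pid"]: e["image"] for e in events if e["type"] == "process"}

    def root(pid):
        # Climb while the parent is itself a process whose creation we observed.
        while parent.get(pid) in image:
            pid = parent[pid]
        return pid

    findings = defaultdict(list)
    for e in events:
        if e["type"] == "process" and is_dropped_exe(e["image"]):
            findings[root(e["pid"])].append(("dropped_exe", e["image"]))
        elif e["type"] == "privilege" and MINER_PRIV in e["enabled"]:
            img = image.get(e["pid"], "")
            if USER_TEMP in img.lower():
                findings[root(e["pid"])].append(("lock_memory_priv", img))
        elif e["type"] == "network" and (e["dst_ip"], e["dst_port"]) == C2_DEST:
            findings[root(e["pid"])].append(("c2_connect", f"{e['dst_ip']}:{e['dst_port']}"))
    return findings


def alert_roots(events, min_categories=2):
    """Flag a tree only when at least `min_categories` distinct behaviours agree,
    so a database service holding the privilege, or one odd EXE, does not fire alone."""
    alerts = {}
    for pid, reasons in correlate(events).items():
        categories = sorted({cat for cat, _ in reasons})
        if len(categories) >= min_categories:
            alerts[pid] = categories
    return alerts


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe")
EVENTS = [  # constructed telemetry
    {"type": "process", "pid": 1640, "ppid": 900, "image": SAMPLE},
    {"type": "privilege", "pid": 1640, "enabled": [MINER_PRIV]},
    {"type": "process", "pid": 1628, "ppid": 1640, "image": r"C:\Windows\System\fLBoDGd.exe"},
    {"type": "process", "pid": 2812, "ppid": 1640, "image": r"C:\Windows\System\GLEvzJW.exe"},
    {"type": "network", "pid": 1628, "dst_ip": "3.120.209.58", "dst_port": 8080, "proto": "tcp"},
    # Benign noise: a database service that legitimately holds the privilege,
    # and a process talking to the Bing address also present in the report.
    {"type": "process", "pid": 3100, "ppid": 900, "image": r"C:\Program Files\ExampleDB\dbsvc.exe"},
    {"type": "privilege", "pid": 3100, "enabled": [MINER_PRIV]},
    {"type": "process", "pid": 4012, "ppid": 900, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "network", "pid": 4012, "dst_ip": "204.79.197.200", "dst_port": 443, "proto": "tcp"},
]

if __name__ == "__main__":
    for pid, categories in alert_roots(EVENTS).items():
        print(f"ALERT: process tree rooted at pid {pid}: {', '.join(categories)}")
```

Requiring two independent categories before alerting is the design choice here: a service that legitimately holds "Lock pages in memory" or a single unusual executable produces one finding and stays quiet, while the tree rooted at the sample raises all three.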
Files
memory/1640-0-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/1640-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\fLBoDGd.exe
| MD5 | b8cd7c70b9a05ccdcc3c92f422234c51 |
| SHA1 | 5e3085fcbd19ddb2ef3813d91df2ecf5baf4cfa0 |
| SHA256 | fd991f8f05d773278abecd347a5b6f456fd7ae175c6d724cf2b818b122434077 |
| SHA512 | 3e79b537f2b82cce17da44362b1de869d7147aa4c5218c06933c9e3e2c392367b07ff86ab7461a1fc25b7696eae9013b404940bfbbb0c718cd4c523b9801e37e |
memory/1640-7-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/1628-8-0x000000013F5F0000-0x000000013F941000-memory.dmp
\Windows\system\GLEvzJW.exe
| MD5 | 407874e73c72dafe39b93bf2175e3a79 |
| SHA1 | a67b66c1ebd848050b7706a308a508239cfcf8c1 |
| SHA256 | 496a08015815fadb205104f4737c3aadbf80b1b854d888287a1b334588f95c96 |
| SHA512 | 6e0b2d36dbdd6a012eb55e2ff585324b56cefaefb50fb59836117421a22d5395d6a2d57b908bf64599d9e6617bb73a7ccda8330d482bd0311348d038ad001133 |
C:\Windows\system\HZgEkeP.exe
| MD5 | d8501dcf9fd33b86e058fbf3579875d5 |
| SHA1 | a1326b13c653f6d7cd28b1447ff1a12892fb71b2 |
| SHA256 | def6e591604871d0a7ded181eece4625c3493c0f03e4d54056909f8a0c0c5a9f |
| SHA512 | 46376078586dddceff09bec531e313075b309a7495232361db73f9ceb0d0f883c5c06de2dd2757adc3f717a3b6267ce553b176f330b0ab0a8f452b1b7b3d3178 |
C:\Windows\system\TBcCnxs.exe
| MD5 | 141fdfaa38bfc8550b86916c6b7e30c9 |
| SHA1 | 52fa4f410c2ac4f0f2ef5bf9501187681e1c0f59 |
| SHA256 | 6ec771985c7ee6a1eb59226654d7c4d6930ad596320b0b03bfe8289677f461ca |
| SHA512 | 1cf56c6494d47695a0b374fdf27dd376cbec25d47bf73e07e82bdfdb4fcfa12e63d9e480f4ecea4c58ae6833c704c753d156e2ff525a07037ab85f193555448d |
C:\Windows\system\jeHpZhS.exe
| MD5 | cdef4f93b712b5438c49c0d8a616cccc |
| SHA1 | c9027054764e76265ee5180330d6deb1298333bc |
| SHA256 | 76a0d83f40f4917c97f400477f648d276c4738dc23ea0af4551ecf807f03bebe |
| SHA512 | 21ef081fabe338cb284fbeff7402bbcc21a684783dc6f13d8b072f3a0af0b021efeb9aa857f08ad7f2b680a65e713f746b61f69f7f74dcfadbd0c1eef19eb6ed |
C:\Windows\system\nXjUcqW.exe
| MD5 | fc9a7977c3d23f4410403c3a1481aa63 |
| SHA1 | db537fa166e564c398a85ebb92ad572202794658 |
| SHA256 | 286cebbff0a66f274263293d906aed139b0b20a85cc7dfea7937d2dbee34953d |
| SHA512 | ba20da0dd2a13ca82654b98cd5e059f470a4bdd96bd24caed5e193054f52024c0a488d856fcb7a1be278e67bfc15cce1d584dbe587d4642a82d196e7cb01595b |
memory/2656-33-0x000000013FA50000-0x000000013FDA1000-memory.dmp
memory/2812-18-0x000000013F310000-0x000000013F661000-memory.dmp
\Windows\system\dWwUaqE.exe
| MD5 | db5ae4d77ff3ccffc477199e4b75e0d5 |
| SHA1 | 3052180116b6f18720624c38c3c1e21ef527fb5c |
| SHA256 | 8a5729fa8cba4ff032d42389beb2d35aa9b32b2313f33c638ea091b12fc03aed |
| SHA512 | 83008720ccfa9fbb422d4f1cc69258496e700faf8bbdabcfe5eda01c2f7761177a166c364bda3c9ab08c5274cb779f8c5572c53eb180d7e71452933309e94e67 |
memory/1640-51-0x000000013FD60000-0x00000001400B1000-memory.dmp
memory/2592-57-0x000000013FD60000-0x00000001400B1000-memory.dmp
memory/2476-48-0x000000013FF80000-0x00000001402D1000-memory.dmp
C:\Windows\system\AkwMsEg.exe
| MD5 | 83e6930c19feece5ce685b04ec764edd |
| SHA1 | 30f10fa7b7861b1911ba5c118a45cd4100a1ebf1 |
| SHA256 | ef8004da75cbc4e79b0428957110db59747cb5ebbc42644746a13fc9d07b0bed |
| SHA512 | 266fdeb0c48a3a52d79dd93925bbbb517ce7d55183775f219d6d8fc9c0d87845bea6ba484ac453e3a5e53819cbec32cda3f388a1ec774a815c43bc88af8290a3 |
memory/2952-46-0x000000013FCE0000-0x0000000140031000-memory.dmp
memory/1388-45-0x000000013F540000-0x000000013F891000-memory.dmp
memory/1640-69-0x00000000023D0000-0x0000000002721000-memory.dmp
memory/2644-65-0x000000013FDF0000-0x0000000140141000-memory.dmp
C:\Windows\system\iYVICaI.exe
| MD5 | 0bb2221d384988ff0131f1fd01defc4b |
| SHA1 | c88130b3f3c95e048aaa27f799932693e67a2d33 |
| SHA256 | 12675752e9c10afb7734c752f05152bceceb625664e4cc865a05e10a91bf53a4 |
| SHA512 | 89aa7763d2a6414a376c9558814ef85c79a10257b843ccc0ea4b1a5a17d3971215a1ea3e90669fee854d18a7d236a4d1ebe3151e5bba5e01066c7f9f1a554b28 |
memory/1640-62-0x000000013FDF0000-0x0000000140141000-memory.dmp
memory/1628-61-0x000000013F5F0000-0x000000013F941000-memory.dmp
C:\Windows\system\EFhGpkr.exe
| MD5 | c06e1491967f9659360a0080ca16f0c2 |
| SHA1 | 36f3b78e444cfd7525f6302c5e3ebed18f380943 |
| SHA256 | 695bdff37c54480253c89d4c81daf7fdf257dfce7c014ca55834baa5bb9fb21d |
| SHA512 | 438ebfe1dc1aa69054087c6ca5965a97e3398615a079a98505de633205c21744ad752e0760353ad57a0d3a0c547234f894d9ba95dd8df3c7a1548268450e1917 |
memory/1640-85-0x00000000023D0000-0x0000000002721000-memory.dmp
\Windows\system\TEYRbku.exe
| MD5 | 3c105f6580d14dbd130aeab4a21e6e3b |
| SHA1 | a75b86f51a5e286fde40711fc995dd3b75d8ad27 |
| SHA256 | 5a9174578080b1ebe8fa2631c5edf160ba723a536dcd2411e1fbbb37d23803ef |
| SHA512 | 9c6580904ffc95fcc15958c8618d85743d338ad4207c9af140163af74f703d5b6a8828c2731247aa3d0bf55b7b6dac41c2b8b6dc099e83fc4081ad43b05fe515 |
memory/1640-102-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/2460-103-0x000000013FE40000-0x0000000140191000-memory.dmp
C:\Windows\system\GqQLqvM.exe
| MD5 | 7ca245e6cc310d9c9d2f2844a8d94fb7 |
| SHA1 | 34bafd3906ea38c7aad545f74a9a187f5b33028e |
| SHA256 | 3ef3090a6dea139e04f8d1573d78914bb1ac83da299b0b177c1489390622f1fd |
| SHA512 | 2dfd5b62689013eab06add840c4f5a0f2b92ae5fdc7e238241f51ff3a199b22cfbbf36e14d20b9e0acbcaa57cd3964e6004867f1fe7453a8d11fb5ca6ec16c1e |
C:\Windows\system\UDgEhip.exe
| MD5 | f86b4440b4bf3e46414a4ff7e9b3fad7 |
| SHA1 | 44baa6b545ac1507ce35e2fc04709efb10dcc3f0 |
| SHA256 | 026386e2eb0a04e29a470e0cedf0d484f1253e590afb0660e3c53770978ff77b |
| SHA512 | 758c839cb6f3cc26c0edb8c89a5b740cd3b52194ced3cd103c3041becad7da3880cabb2366f693fe30ed034cf0767ec771c635daf5a39a00c9d77b3f4492104f |
C:\Windows\system\REtfBwO.exe
| MD5 | 8e05e79e28ca50b18897217818b6429b |
| SHA1 | e0bf25105d4d10098ebf6d6ad4407fb0bcd9a2df |
| SHA256 | 5dc07b16f7e826b892550d8bed6ee82065378a2517a77fa8f60648fa99c3b0d9 |
| SHA512 | 4d420e701aa1ab451340b6cc314952e04e9af54091297ad33d34cd80550a6e5511ff9617cf11dcd8a0b3ea5f4aafd5487ca5e5bb238d7692cad087af33602310 |
C:\Windows\system\GogBUMk.exe
| MD5 | b5c64d2e544f0348851e09d770896240 |
| SHA1 | f88381c99334118d51f93b0ab8448d6f005921a8 |
| SHA256 | 0f6447b2b5946335fa3bb9ed2a21e184ace8e599abf3137c10a69322315580f9 |
| SHA512 | f4a79fcbe3e4fb09b95a01b4449365edc47fd99754fee37fee7acee53327999e7e6f7dcd28ca8b9dfd5c35391f42d6bb469ebffedfda87cebdc0e30aef852b28 |
memory/1640-110-0x000000013F550000-0x000000013F8A1000-memory.dmp
C:\Windows\system\wSUICCS.exe
| MD5 | b592b1b155f56b1740a3855c4aedc15c |
| SHA1 | e2d8cdd03addfe638cdb59fbae6fbaa862eeded0 |
| SHA256 | c4d6a74bc57a2feb8ceefdd9bbc0cce6de740aa06ac615095456ac362534ae46 |
| SHA512 | ff0da46c94c727b20dda65c04d4ac7a842eb1eedc26960e0745cb905ac985df119c16a573d63f3815bc6ee90a8e440899256753f6bb970f45293430d011f5d37 |
memory/2592-141-0x000000013FD60000-0x00000001400B1000-memory.dmp
memory/1640-109-0x000000013FD60000-0x00000001400B1000-memory.dmp
C:\Windows\system\RGVRtSr.exe
| MD5 | 6700296468169e915538d99336717017 |
| SHA1 | c16a0fef33904d0ba76bd958cd95cc75316e7f4d |
| SHA256 | 901b19ba67e60d74f99d25f3a47fcc1931bd6e3c5092c56c4bec8744b9ae03aa |
| SHA512 | 7a6e9a6592db016937d8fb8feca50648da8d81e2cba04755dbe352d559f3cb2a8e50673365448a66777dfb463a8682c0a8350890a3772d413d8be19c06785315 |
C:\Windows\system\rDurjWW.exe
| MD5 | 51ac271016b066195d92638702317ff7 |
| SHA1 | 376ebe468449299aad32c43e1963c6d2bd3dc766 |
| SHA256 | 9fc126a71ce6b2be9c9779fabdbc9341447d00d28fda55cebae536b9931fc52b |
| SHA512 | fce20d006fc26e76c68fa78f67368bf4319715d2f2df81b18ecaf218ec30dc01cbef28d8c5ed7b1c3e5de7a0ba259a18745ab942926f75debd240261b725a043 |
memory/2384-94-0x000000013F950000-0x000000013FCA1000-memory.dmp
memory/1640-93-0x00000000023D0000-0x0000000002721000-memory.dmp
memory/2952-92-0x000000013FCE0000-0x0000000140031000-memory.dmp
memory/2476-101-0x000000013FF80000-0x00000001402D1000-memory.dmp
C:\Windows\system\IFrFWJc.exe
| MD5 | 424c7ef0c3c25bf0d5e682f1e9a081af |
| SHA1 | 9d2665c50bd839f0d57e06cd76ee364fbc83ceca |
| SHA256 | 525eb09ae396e91380704337c77b0b3f9ef8c311f1a37b1a6961370cbfbd3db9 |
| SHA512 | bb89e819ccc3b7c25686d477beb63ed61ba4e0b181fb0ab742360ad3f88f0a83815644a6208ad3d3f2cd8ccff7195bd081e6c3fdc691cef5cbbbd08952465a46 |
memory/2604-86-0x000000013F8B0000-0x000000013FC01000-memory.dmp
memory/2696-81-0x000000013F4E0000-0x000000013F831000-memory.dmp
memory/2656-80-0x000000013FA50000-0x000000013FDA1000-memory.dmp
C:\Windows\system\ZJOavQi.exe
| MD5 | 41c5ee3a9adb9875c205ca0fc4612d82 |
| SHA1 | 5b7fe52555a00a9e72051e453f4ee3713c7e4aab |
| SHA256 | ea533585f64fce7e92d2a7bc2998fa716b25b996eba47995eb5fc6e102b47167 |
| SHA512 | 325e55acd2cda97b5027240c24134c7441770a6da0d0cc9a8ed163b616e4584820b1f1cd2441f4560e6721803cef5d1b750e4c9fa99f151dd77e380c547c8029 |
memory/1640-76-0x000000013F4E0000-0x000000013F831000-memory.dmp
memory/2544-70-0x000000013F870000-0x000000013FBC1000-memory.dmp
C:\Windows\system\YSXaPIx.exe
| MD5 | 60a172c7f871ccee1bb23b9389cda936 |
| SHA1 | 992ea596bde993f79bfd5ae879071f16187d0b49 |
| SHA256 | 237c022197b264e736f57188ca9521e56f7ca55db647cce72964974631789415 |
| SHA512 | 0dfa80b20b3921b8b859e3d36024ae881d42ad8c7d97fd7e230282966f2ea84d34c8579d7bca2e52f893f8a8dd173dc94da938821f85117afc6e814745008edc |
memory/1640-142-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/2644-147-0x000000013FDF0000-0x0000000140141000-memory.dmp
memory/1640-44-0x000000013FF80000-0x00000001402D1000-memory.dmp
memory/3028-43-0x000000013F450000-0x000000013F7A1000-memory.dmp
memory/1640-42-0x000000013F450000-0x000000013F7A1000-memory.dmp
memory/1640-41-0x000000013FCE0000-0x0000000140031000-memory.dmp
memory/1640-56-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/1640-23-0x00000000023D0000-0x0000000002721000-memory.dmp
memory/1640-20-0x000000013F540000-0x000000013F891000-memory.dmp
memory/2460-157-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/2280-164-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2016-163-0x000000013FC00000-0x000000013FF51000-memory.dmp
memory/1696-162-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
memory/1900-161-0x000000013F630000-0x000000013F981000-memory.dmp
memory/1248-160-0x000000013F8C0000-0x000000013FC11000-memory.dmp
memory/828-159-0x000000013FA50000-0x000000013FDA1000-memory.dmp
memory/3008-158-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/2384-156-0x000000013F950000-0x000000013FCA1000-memory.dmp
memory/2604-155-0x000000013F8B0000-0x000000013FC01000-memory.dmp
memory/2544-153-0x000000013F870000-0x000000013FBC1000-memory.dmp
memory/1640-165-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/1640-170-0x000000013F4E0000-0x000000013F831000-memory.dmp
memory/1640-188-0x00000000023D0000-0x0000000002721000-memory.dmp
memory/1640-189-0x00000000023D0000-0x0000000002721000-memory.dmp
memory/1640-193-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/1640-206-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/1628-216-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/2812-218-0x000000013F310000-0x000000013F661000-memory.dmp
memory/2656-221-0x000000013FA50000-0x000000013FDA1000-memory.dmp
memory/1388-222-0x000000013F540000-0x000000013F891000-memory.dmp
memory/3028-224-0x000000013F450000-0x000000013F7A1000-memory.dmp
memory/2952-226-0x000000013FCE0000-0x0000000140031000-memory.dmp
memory/2476-228-0x000000013FF80000-0x00000001402D1000-memory.dmp
memory/2592-230-0x000000013FD60000-0x00000001400B1000-memory.dmp
memory/2544-240-0x000000013F870000-0x000000013FBC1000-memory.dmp
memory/2644-239-0x000000013FDF0000-0x0000000140141000-memory.dmp
memory/2696-242-0x000000013F4E0000-0x000000013F831000-memory.dmp
memory/2604-244-0x000000013F8B0000-0x000000013FC01000-memory.dmp
memory/2384-246-0x000000013F950000-0x000000013FCA1000-memory.dmp
memory/2460-248-0x000000013FE40000-0x0000000140191000-memory.dmp
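Two facts a blocklist author needs are buried in the Files section above: the dropped executables all have different hashes, yet every large memory region dumped from them has the same size (0x351000 bytes), which recurs throughout the Files sections of both runs. The parser below surfaces both. It is an added example and not part of the report; REPORT_EXCERPT is copied verbatim from the behavioral1 Files section above (SHA512 rows omitted for brevity), the regular expressions are written for this page's layout, and the function names are mine.

```python
"""Parse the Files section of this report into indicators and answer two
questions a blocklist author needs: do the dropped files share a hash
(no: every drop is distinct) and do they share an in-memory image size
(yes: every large mapped region is 0x351000 bytes), so detection should
key on path, name and behaviour rather than on file hashes.

Added example, not part of the report. REPORT_EXCERPT is copied verbatim
from the behavioral1 Files section (SHA512 rows omitted for brevity); the
regular expressions are written for this page's layout and the function
names are mine."""
import re
from collections import Counter

REPORT_EXCERPT = r"""
memory/1640-0-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/1640-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\fLBoDGd.exe
| MD5 | b8cd7c70b9a05ccdcc3c92f422234c51 |
| SHA1 | 5e3085fcbd19ddb2ef3813d91df2ecf5baf4cfa0 |
| SHA256 | fd991f8f05d773278abecd347a5b6f456fd7ae175c6d724cf2b818b122434077 |
memory/1640-7-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/1628-8-0x000000013F5F0000-0x000000013F941000-memory.dmp
\Windows\system\GLEvzJW.exe
| MD5 | 407874e73c72dafe39b93bf2175e3a79 |
| SHA1 | a67b66c1ebd848050b7706a308a508239cfcf8c1 |
| SHA256 | 496a08015815fadb205104f4737c3aadbf80b1b854d888287a1b334588f95c96 |
C:\Windows\system\HZgEkeP.exe
| MD5 | d8501dcf9fd33b86e058fbf3579875d5 |
| SHA1 | a1326b13c653f6d7cd28b1447ff1a12892fb71b2 |
| SHA256 | def6e591604871d0a7ded181eece4625c3493c0f03e4d54056909f8a0c0c5a9f |
memory/2656-33-0x000000013FA50000-0x000000013FDA1000-memory.dmp
memory/2812-18-0x000000013F310000-0x000000013F661000-memory.dmp
"""

# memory/<pid>-<index>-<start>-<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# | MD5 | <hex> |   (also SHA1 / SHA256 / SHA512)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# Dropped-file path, with or without a drive letter (the win7 run omits it)
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\.+\.exe$")


def parse_files_section(text):
    """Return (files, regions): files is a list of {'path', 'MD5', 'SHA1', ...}
    dicts, regions a list of (pid, start, end) tuples for each memory dump."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := MEM_RE.match(line):
            regions.append((int(m[1]), int(m[3], 16), int(m[4], 16)))
            current = None            # hash rows never follow a dump line
        elif PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
        elif (m := HASH_RE.match(line)) and current is not None:
            current[m[1]] = m[2].lower()
    return files, regions


def hash_reuse(files, algo="SHA256"):
    """How many dropped files share each hash. All counts of 1 mean a hash
    blocklist would cover only the exact samples already observed."""
    return Counter(f[algo] for f in files if algo in f)


def image_sizes(regions, min_size=0x100000):
    """Sizes of the large mapped regions (the PE images; small heaps skipped)."""
    return Counter(end - start for _, start, end in regions if end - start >= min_size)


def summarize(text):
    files, regions = parse_files_section(text)
    return {
        "dropped_files": [f["path"].rsplit("\\", 1)[-1] for f in files],
        "distinct_sha256": len(hash_reuse(files)),
        "image_sizes": dict(image_sizes(regions)),
    }


if __name__ == "__main__":
    for key, value in summarize(REPORT_EXCERPT).items():
        print(f"{key}: {value}")
```

Run against the full Files section, the same code yields one distinct SHA256 per dropped file and a single image size, which is the practical argument for the path- and behaviour-based detection rather than a hash list.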
Analysis: behavioral2
Detonation Overview
Submitted: 2024-05-22 18:01
Reported: 2024-05-22 18:04
Platform: win10v2004-20240508-en
Max time kernel: 148s
Max time network: 149s
Command Line: (empty)
Signatures
Cobalt Strike reflective loader
21 matches (description, indicator, process and target not recorded)
Cobaltstrike
xmrig
XMRig Miner payload
46 matches (description, indicator, process and target not recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\SdIKoDP.exe | N/A |
| N/A | N/A | C:\Windows\System\kUefigO.exe | N/A |
| N/A | N/A | C:\Windows\System\fGLkcgD.exe | N/A |
| N/A | N/A | C:\Windows\System\KtFEPji.exe | N/A |
| N/A | N/A | C:\Windows\System\XKbKsTg.exe | N/A |
| N/A | N/A | C:\Windows\System\WWRRQUZ.exe | N/A |
| N/A | N/A | C:\Windows\System\VIHggJD.exe | N/A |
| N/A | N/A | C:\Windows\System\ydvceRG.exe | N/A |
| N/A | N/A | C:\Windows\System\irvrdqI.exe | N/A |
| N/A | N/A | C:\Windows\System\NHOkfrl.exe | N/A |
| N/A | N/A | C:\Windows\System\fyivnAC.exe | N/A |
| N/A | N/A | C:\Windows\System\NMyBBLt.exe | N/A |
| N/A | N/A | C:\Windows\System\uXwWqFj.exe | N/A |
| N/A | N/A | C:\Windows\System\zbVmqoH.exe | N/A |
| N/A | N/A | C:\Windows\System\vvLJmYy.exe | N/A |
| N/A | N/A | C:\Windows\System\ZHXAIpw.exe | N/A |
| N/A | N/A | C:\Windows\System\AfdTyGr.exe | N/A |
| N/A | N/A | C:\Windows\System\HYJBVOn.exe | N/A |
| N/A | N/A | C:\Windows\System\GZgCqhL.exe | N/A |
| N/A | N/A | C:\Windows\System\UyBpDoV.exe | N/A |
| N/A | N/A | C:\Windows\System\XeOHfMq.exe | N/A |
UPX packed file
64 matches (description, indicator, process and target not recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe"
C:\Windows\System\SdIKoDP.exe
C:\Windows\System\SdIKoDP.exe
C:\Windows\System\kUefigO.exe
C:\Windows\System\kUefigO.exe
C:\Windows\System\fGLkcgD.exe
C:\Windows\System\fGLkcgD.exe
C:\Windows\System\KtFEPji.exe
C:\Windows\System\KtFEPji.exe
C:\Windows\System\XKbKsTg.exe
C:\Windows\System\XKbKsTg.exe
C:\Windows\System\WWRRQUZ.exe
C:\Windows\System\WWRRQUZ.exe
C:\Windows\System\VIHggJD.exe
C:\Windows\System\VIHggJD.exe
C:\Windows\System\ydvceRG.exe
C:\Windows\System\ydvceRG.exe
C:\Windows\System\irvrdqI.exe
C:\Windows\System\irvrdqI.exe
C:\Windows\System\NHOkfrl.exe
C:\Windows\System\NHOkfrl.exe
C:\Windows\System\fyivnAC.exe
C:\Windows\System\fyivnAC.exe
C:\Windows\System\NMyBBLt.exe
C:\Windows\System\NMyBBLt.exe
C:\Windows\System\uXwWqFj.exe
C:\Windows\System\uXwWqFj.exe
C:\Windows\System\zbVmqoH.exe
C:\Windows\System\zbVmqoH.exe
C:\Windows\System\vvLJmYy.exe
C:\Windows\System\vvLJmYy.exe
C:\Windows\System\ZHXAIpw.exe
C:\Windows\System\ZHXAIpw.exe
C:\Windows\System\AfdTyGr.exe
C:\Windows\System\AfdTyGr.exe
C:\Windows\System\HYJBVOn.exe
C:\Windows\System\HYJBVOn.exe
C:\Windows\System\GZgCqhL.exe
C:\Windows\System\GZgCqhL.exe
C:\Windows\System\UyBpDoV.exe
C:\Windows\System\UyBpDoV.exe
C:\Windows\System\XeOHfMq.exe
C:\Windows\System\XeOHfMq.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.251.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
Only the 3.120.209.58:8080 connections match the behaviour of the win7 run; the g.bing.com and tse1.mm.bing.net traffic and the reverse (in-addr.arpa) lookups do not appear there and are typical Windows 10 background activity of the sandbox image.
Files
memory/220-0-0x00007FF7351F0000-0x00007FF735541000-memory.dmp
memory/220-1-0x00000284E3BD0000-0x00000284E3BE0000-memory.dmp
C:\Windows\System\SdIKoDP.exe
| MD5 | 2fa2e30bfb8cafcae33ff733b110b07e |
| SHA1 | 3ca3563d0b96fbc60cf8e84224a93f19d69df7b5 |
| SHA256 | 41f160cba604b2b2e3580f4bc849e756fd166ea9f5e520b616cbb486a08e562d |
| SHA512 | 1be77d3c2783c3bdacd35f4882e04e5bbae62e1cb802ed31f8787647382b1db3ae4bc88c8f0e5edb6fc67183dbabc3f47bec1199e278dd83a67407babac0172b |
memory/216-6-0x00007FF622DF0000-0x00007FF623141000-memory.dmp
C:\Windows\System\fGLkcgD.exe
| MD5 | db5d1835498be84da78cd6ba95ae7c72 |
| SHA1 | cbead27cb8e33b83dd2241a2e985cd7d1df625a5 |
| SHA256 | e821ce2cd1736ff4ca09122a17c7f19f49004f0c629a60c6e799d6ab92ed7fbf |
| SHA512 | 98441cf1085d5f8f5e6d5406f699eef60dac475009b96ce5d4784affd530280e2ea7fc1a4270d9257a53eabfbf845845fba5bee57f9dab170f1ac455fbaf3605 |
C:\Windows\System\kUefigO.exe
| MD5 | 97dca85e3e6146dac753008091ce8fc1 |
| SHA1 | aed314569254d9fd0d128eb50aef7409e983645e |
| SHA256 | c4b7754588213129690721eed373e790894979156048db3cc0740d3331e8ac51 |
| SHA512 | 8c24e1a8f53e5899b4d94ecfd7c2a5105c512158271c955bd4cffa4edc3840a16504e8e85e6c46733efd5d358665d9900dc8671e6866fb91c39dc36d15a59275 |
memory/5012-18-0x00007FF7B8CA0000-0x00007FF7B8FF1000-memory.dmp
memory/4560-14-0x00007FF789DF0000-0x00007FF78A141000-memory.dmp
C:\Windows\System\KtFEPji.exe
| MD5 | 401341dbf1741aeb5fdf07ba6aa9d2cb |
| SHA1 | 5877d30926033b2643dc9c3c9abd8ed783dd01c7 |
| SHA256 | 7ed3216534b62e0ffb43c3a54a41fa8a1af0f764e0e091d7c29c8c2f1f390f84 |
| SHA512 | 4e0c5789a90a285a20839590eab3efa86ff693a4b218fb716b27b5dd1c689a6d70ac83df4609710e55515f0e610f53c8b7b7f6daa884076e34d3c73e2e4fa7d9 |
C:\Windows\System\XKbKsTg.exe
| MD5 | 052f6b011b4bd1ce7da06aa7d97c7fec |
| SHA1 | 852c5893e3d7205cda844c1d33c4ad7afa9995eb |
| SHA256 | ca302a88cf717fc55a914fab5154621bf7f15b85b3e388746044b52798b77c62 |
| SHA512 | 4119c6cc5331f6b01433a9740e33516e95f78fb782964e44bddd2f18ed2d465105dedbcc7b2890f3f36cdebc4d5fbb36206a37b1811a889cd1635ca995d204e0 |
memory/1428-26-0x00007FF66E080000-0x00007FF66E3D1000-memory.dmp
C:\Windows\System\WWRRQUZ.exe
| MD5 | a637faae944a00c689d91cc5d64554fe |
| SHA1 | cd14467a9ad6d0dbb33b608349949e98dab546d8 |
| SHA256 | d8345b1c4722f4f6d6d330971f7650618f06d2b979e5458543d6e50e5b518b4e |
| SHA512 | 9c4c6fdfe42bdc70a4e82645d027a5b9cd4717b4f89d9db332d7f21555583b75e48f594fc39783193999a37b9785c1565bd39a458cd1899e80d5e93ce14e769a |
memory/2904-33-0x00007FF738CF0000-0x00007FF739041000-memory.dmp
C:\Windows\System\VIHggJD.exe
| MD5 | f750739068c020ac031f2d68202cbe0c |
| SHA1 | 99350c14e7c0c4db436734c734d62f7f174ce079 |
| SHA256 | deb4f0cd45dd2a25ed7a9284b5ef659aba1137dd20bc365ea1da3729f71188c0 |
| SHA512 | 87db1c624d7ee2b9451ca1c9e72be35b5dcaaac20fbde3b4c22582a898e2b11083f96a22b0b83d19f836547ab83b2a27e450e0134f1ad8e5fc316743b220a342 |
memory/3784-40-0x00007FF6F6790000-0x00007FF6F6AE1000-memory.dmp
memory/1864-44-0x00007FF755C80000-0x00007FF755FD1000-memory.dmp
C:\Windows\System\ydvceRG.exe
| MD5 | 58a906c9bea4b7cf45798bf16b039c79 |
| SHA1 | 80721aca70b93e89aee1281825ca515fe71377d2 |
| SHA256 | 1888798d4df987ce2a0d295d898fa5ea29e899adc4172d0a7d6e32bd017a145f |
| SHA512 | 65698b75aa95da0b859b024a6edce5ae325dd8ec3a822ba1c095011c0d0f701aa0acfab3ee7b34a3e32ffddeabee0b82a6cc7ed840d48e284527e3e69cfe755f |
memory/4640-52-0x00007FF6529D0000-0x00007FF652D21000-memory.dmp
C:\Windows\System\irvrdqI.exe
| MD5 | bac658ffc72f970919411ce70a3f56b4 |
| SHA1 | c83e6acbee326f67ae3db9d78d5d6ee8559ca3ae |
| SHA256 | 5f001d3ae412be2128d4af66b84db2c8d71397e4b364237caba49faf2d57dd60 |
| SHA512 | 1d9419659f2850b0017279a0fa71dfd4b18af3295b74ed2d6bc4852ad404633536443c5a504bbb7df631757cb9e5cd41316a184067c6a3bba544b7468dfad1f8 |
memory/2460-56-0x00007FF79CBB0000-0x00007FF79CF01000-memory.dmp
C:\Windows\System\NHOkfrl.exe
| MD5 | da473e0a7521f3d8879ff1982bfca922 |
| SHA1 | a3fe28430e768e53d84f90c5008cc3dcc4ef8316 |
| SHA256 | ec7b3e19fa576a96c2d8705d8e64d72381905dcc78452554b08b1d411d29eada |
| SHA512 | 0c308ccd548ab11f100560666c8123c474aafe2965fa8b176f6c7cf8aa49b82b3dfbd4036f25efb8e2cfc46792f0bbd4fa9c2c9e1f5949aafc3ec0cbd96bdfe1 |
C:\Windows\System\fyivnAC.exe
| Hash | Value |
| MD5 | c232590739b3ee2939abaa2c120b8217 |
| SHA1 | 6316bdbac7b3795dd7e2aa526ff22ac211a90cb2 |
| SHA256 | 908647fe42f314038aa4cc756c4b643bfd2551729de2fa9066c85f8eb0f5ba3e |
| SHA512 | 3e02f6bd06e08efdeab3b1109d83a59d0e2e2a6914df89f90cbd7ceb343cb3ae10b080980e199d21d281eeee9bb6313161731b212de38392c2aa9ca88d34a8c3 |
C:\Windows\System\NMyBBLt.exe
| Hash | Value |
| MD5 | 680213ad05f8b7242354f6f465ee2adb |
| SHA1 | cc7ceeffddf84adf7d4a749b7ef669442e025b48 |
| SHA256 | 84c090e3577e9ae528e62859be454a5c0723206b0986d1b5eb8be74665e8987e |
| SHA512 | ff97105cd289a9be62eafc1c9d9577d1148e0eb8ad59852230d8d70283000e8f0ca826ff2d797d77103ad78309a5604d66ef4efd9f9ad1f51682af63d5980bfe |
memory/64-75-0x00007FF7296C0000-0x00007FF729A11000-memory.dmp
C:\Windows\System\uXwWqFj.exe
| Hash | Value |
| MD5 | 38947535975f5371e1518b83cd5c0d37 |
| SHA1 | 30dba92ccafbc809e29f29b5f3df3a4da00fbbb2 |
| SHA256 | 9a1c2d3000473c51829eeb6f1628cae36cb07c877dd3b9e286394b00c34510d6 |
| SHA512 | 7592bd5c472c58553d4dc46585722f677a4dd52150215c2c1fd8e7945e3571a87417c2a547a0487a8ae9936656cbaca89ad6308cac0d84de01fd7f95bc76cada |
memory/5012-84-0x00007FF7B8CA0000-0x00007FF7B8FF1000-memory.dmp
C:\Windows\System\zbVmqoH.exe
| Hash | Value |
| MD5 | cb32241c92c462f38e486869e98b2c12 |
| SHA1 | 8c6684115a5091f88e69435fd64cfe3d33f67c4d |
| SHA256 | 80484bd03528edef3d03d17cdb7f0ae5236f8b08f64b67745b0d397997bd36d3 |
| SHA512 | 3c448f2f4eca11ddfed115866c8e35d930d4149ada9496069082f382316dfa6f052b9bcb0462db5513a8d5b88c9bc6259f66a4ebbfe4fe241ea8123e8ad405da |
C:\Windows\System\vvLJmYy.exe
| Hash | Value |
| MD5 | faf4f5e6902b454e4e42f7ca391841e5 |
| SHA1 | f9cdca20c6ea067511e336c8b8d6991a71922316 |
| SHA256 | 7f91eb527ed88ec7af67961a2eb440c2952a8ff9ee0aa2f16f75993c8adb6245 |
| SHA512 | d9a7001d9210f7334ef22a4d9f1a45649e4610f4c016923d0bd29c458e3fb3204006f28b3e57302b4a6bf5f699f6cdc6a602f3d491ee28f949960716e51b6046 |
C:\Windows\System\ZHXAIpw.exe
| Hash | Value |
| MD5 | 81ffd519da8db987cf440893b70e8384 |
| SHA1 | 27668f2dbe497a31863f0bac4a9c14d6adfef8af |
| SHA256 | 26ddc70cb17339c10516104a582d337b692d1ba2fd35aa536d1ed3dd9b08548c |
| SHA512 | 6188ab40e1b95677d66017e8812475d40eb6699361bc750ef14f9fac5720d9b7a03023aca06644506cf9a32c5760fc864e5542048371c8557ef1da8272443094 |
memory/2904-108-0x00007FF738CF0000-0x00007FF739041000-memory.dmp
C:\Windows\System\AfdTyGr.exe
| Hash | Value |
| MD5 | 2b3a36ac3230bedaee109783ac4c1fef |
| SHA1 | 16411d9b0e9bd51a456086e93ae08210d81ae789 |
| SHA256 | 9d7e10210a361b3156569d5f002f884e370682110fbe408eb4d64da80647c1db |
| SHA512 | 2a1d77d01ba544da2d5db7afc87b4ad3d3cc937c4657993e5c7c92009acd62f880a10df3ae210e61504b55ade301fad362f367b23f7ed79362a64f8011cb99c4 |
C:\Windows\System\GZgCqhL.exe
| Hash | Value |
| MD5 | 2814864a3c40ac9fbcef0ec358908533 |
| SHA1 | 768fa6c2c3f3415f73b788120c8398ff5d80a57e |
| SHA256 | e1bf2ae11a245c780717ea00d091b596316d8c862e26d11ee1e2e721196db348 |
| SHA512 | 111dc1f7c12db41e9d08b0fb63ef7b1473200030c33fe8de0bef8dce0b6314258428494e2dfe0c4cc72b7573cd127494e21d0b9d681a79a79af5f28e9ec06a44 |
memory/1048-117-0x00007FF759C80000-0x00007FF759FD1000-memory.dmp
C:\Windows\System\HYJBVOn.exe
| Hash | Value |
| MD5 | e76a9fc0d56ce04b2669103054cecd08 |
| SHA1 | 941f9a7ba231539c5222a73b7da937afac427855 |
| SHA256 | fa50e02c2a007cd8006ddf5ea7d9b0de6f5a31cb6e7f15d2b4d4f10a42a6a41f |
| SHA512 | 56b8bbfbdd5e61fd33080298e696f2cef97714d7111ea5c38f1377a17d71ecc878fc98c1659174ec4418872a1368302e6b7e54a4b1cd36156fcc951a04a343ad |
memory/1912-112-0x00007FF669D00000-0x00007FF66A051000-memory.dmp
memory/2472-109-0x00007FF6B1450000-0x00007FF6B17A1000-memory.dmp
memory/2692-94-0x00007FF7C48A0000-0x00007FF7C4BF1000-memory.dmp
memory/660-93-0x00007FF79BAF0000-0x00007FF79BE41000-memory.dmp
memory/868-86-0x00007FF7887A0000-0x00007FF788AF1000-memory.dmp
memory/2532-78-0x00007FF618690000-0x00007FF6189E1000-memory.dmp
memory/4560-76-0x00007FF789DF0000-0x00007FF78A141000-memory.dmp
memory/216-69-0x00007FF622DF0000-0x00007FF623141000-memory.dmp
memory/676-62-0x00007FF71C3C0000-0x00007FF71C711000-memory.dmp
memory/220-61-0x00007FF7351F0000-0x00007FF735541000-memory.dmp
memory/2852-128-0x00007FF6110F0000-0x00007FF611441000-memory.dmp
C:\Windows\System\XeOHfMq.exe
| Hash | Value |
| MD5 | 9bcaa3972771ad3419d6d9e7c40c97f6 |
| SHA1 | f3e5c4406df8bb603ad22b675f37b4f5bb9cc4b2 |
| SHA256 | f6321f854faf836c7f2f7e39b63349735172e4634d08a5d24b81cc155d6d7531 |
| SHA512 | 68c09cb98c39be71c557fd7af70deb04fc5b10baf8fef6e026b657ab19b70a5482e55cb4e308541f7fd8259ea5e9b08bebb21042013ba2137008d447477e94a8 |
memory/4708-139-0x00007FF7BE0D0000-0x00007FF7BE421000-memory.dmp
memory/2244-141-0x00007FF6B1930000-0x00007FF6B1C81000-memory.dmp
memory/4640-135-0x00007FF6529D0000-0x00007FF652D21000-memory.dmp
memory/1864-134-0x00007FF755C80000-0x00007FF755FD1000-memory.dmp
C:\Windows\System\UyBpDoV.exe
| Hash | Value |
| MD5 | bc7f66e2c1f04b4cdb341261881cefcd |
| SHA1 | 75e1a151419662e0f518023a833a57a80235cc66 |
| SHA256 | 06f69e5a9429a5740fe5d7a9369a8a6cc87ceee2bfdae86abb5db20d47be0258 |
| SHA512 | ea484c4924321e83290054f7a2d3fa078765149524b752a356125a994cf635a1c70518649c4920284a27598dba20db5ce5cd1bdfe50becc2f64e19525d9f524f |
memory/676-145-0x00007FF71C3C0000-0x00007FF71C711000-memory.dmp
memory/2692-150-0x00007FF7C48A0000-0x00007FF7C4BF1000-memory.dmp
memory/1048-153-0x00007FF759C80000-0x00007FF759FD1000-memory.dmp
memory/1912-152-0x00007FF669D00000-0x00007FF66A051000-memory.dmp
memory/220-156-0x00007FF7351F0000-0x00007FF735541000-memory.dmp
memory/216-203-0x00007FF622DF0000-0x00007FF623141000-memory.dmp
memory/4560-205-0x00007FF789DF0000-0x00007FF78A141000-memory.dmp
memory/5012-207-0x00007FF7B8CA0000-0x00007FF7B8FF1000-memory.dmp
memory/1428-215-0x00007FF66E080000-0x00007FF66E3D1000-memory.dmp
memory/2904-217-0x00007FF738CF0000-0x00007FF739041000-memory.dmp
memory/3784-219-0x00007FF6F6790000-0x00007FF6F6AE1000-memory.dmp
memory/1864-221-0x00007FF755C80000-0x00007FF755FD1000-memory.dmp
memory/4640-225-0x00007FF6529D0000-0x00007FF652D21000-memory.dmp
memory/2460-227-0x00007FF79CBB0000-0x00007FF79CF01000-memory.dmp
memory/676-229-0x00007FF71C3C0000-0x00007FF71C711000-memory.dmp
memory/64-231-0x00007FF7296C0000-0x00007FF729A11000-memory.dmp
memory/2532-233-0x00007FF618690000-0x00007FF6189E1000-memory.dmp
memory/868-235-0x00007FF7887A0000-0x00007FF788AF1000-memory.dmp
memory/660-237-0x00007FF79BAF0000-0x00007FF79BE41000-memory.dmp
memory/2692-239-0x00007FF7C48A0000-0x00007FF7C4BF1000-memory.dmp
memory/2472-241-0x00007FF6B1450000-0x00007FF6B17A1000-memory.dmp
memory/1912-243-0x00007FF669D00000-0x00007FF66A051000-memory.dmp
memory/1048-245-0x00007FF759C80000-0x00007FF759FD1000-memory.dmp
memory/2852-247-0x00007FF6110F0000-0x00007FF611441000-memory.dmp
memory/4708-252-0x00007FF7BE0D0000-0x00007FF7BE421000-memory.dmp
memory/2244-254-0x00007FF6B1930000-0x00007FF6B1C81000-memory.dmp