Analysis Overview
SHA256
cdce79e68b7d47cda949e72c69a45d7e5bbe34fba232bb5bca34b9a119144fae
Threat Level: Known bad
The file 202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Cobaltstrike family
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-05-22 19:16
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 19:16
Reported
2024-05-22 19:18
Platform
win7-20240221-en
Max time kernel
142s
Max time network
151s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\NFEQzyB.exe | N/A |
| N/A | N/A | C:\Windows\System\YzmPnoi.exe | N/A |
| N/A | N/A | C:\Windows\System\rXRaZFU.exe | N/A |
| N/A | N/A | C:\Windows\System\iZWTwAg.exe | N/A |
| N/A | N/A | C:\Windows\System\PhkbIPi.exe | N/A |
| N/A | N/A | C:\Windows\System\NIgCFkw.exe | N/A |
| N/A | N/A | C:\Windows\System\RFxTCtw.exe | N/A |
| N/A | N/A | C:\Windows\System\VQIVTpU.exe | N/A |
| N/A | N/A | C:\Windows\System\zKajvdK.exe | N/A |
| N/A | N/A | C:\Windows\System\HqeVwzZ.exe | N/A |
| N/A | N/A | C:\Windows\System\JPvbPGy.exe | N/A |
| N/A | N/A | C:\Windows\System\OmANoPa.exe | N/A |
| N/A | N/A | C:\Windows\System\zZGBOhL.exe | N/A |
| N/A | N/A | C:\Windows\System\NVhywEP.exe | N/A |
| N/A | N/A | C:\Windows\System\xWZkrLk.exe | N/A |
| N/A | N/A | C:\Windows\System\IWGaubk.exe | N/A |
| N/A | N/A | C:\Windows\System\ErTJmQE.exe | N/A |
| N/A | N/A | C:\Windows\System\qhebuWh.exe | N/A |
| N/A | N/A | C:\Windows\System\JpvVTwU.exe | N/A |
| N/A | N/A | C:\Windows\System\aVzPdVC.exe | N/A |
| N/A | N/A | C:\Windows\System\TYaamfu.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe" |
| C:\Windows\System\NFEQzyB.exe | C:\Windows\System\NFEQzyB.exe |
| C:\Windows\System\YzmPnoi.exe | C:\Windows\System\YzmPnoi.exe |
| C:\Windows\System\rXRaZFU.exe | C:\Windows\System\rXRaZFU.exe |
| C:\Windows\System\PhkbIPi.exe | C:\Windows\System\PhkbIPi.exe |
| C:\Windows\System\iZWTwAg.exe | C:\Windows\System\iZWTwAg.exe |
| C:\Windows\System\RFxTCtw.exe | C:\Windows\System\RFxTCtw.exe |
| C:\Windows\System\NIgCFkw.exe | C:\Windows\System\NIgCFkw.exe |
| C:\Windows\System\VQIVTpU.exe | C:\Windows\System\VQIVTpU.exe |
| C:\Windows\System\zKajvdK.exe | C:\Windows\System\zKajvdK.exe |
| C:\Windows\System\HqeVwzZ.exe | C:\Windows\System\HqeVwzZ.exe |
| C:\Windows\System\JPvbPGy.exe | C:\Windows\System\JPvbPGy.exe |
| C:\Windows\System\NVhywEP.exe | C:\Windows\System\NVhywEP.exe |
| C:\Windows\System\OmANoPa.exe | C:\Windows\System\OmANoPa.exe |
| C:\Windows\System\qhebuWh.exe | C:\Windows\System\qhebuWh.exe |
| C:\Windows\System\zZGBOhL.exe | C:\Windows\System\zZGBOhL.exe |
| C:\Windows\System\JpvVTwU.exe | C:\Windows\System\JpvVTwU.exe |
| C:\Windows\System\xWZkrLk.exe | C:\Windows\System\xWZkrLk.exe |
| C:\Windows\System\aVzPdVC.exe | C:\Windows\System\aVzPdVC.exe |
| C:\Windows\System\IWGaubk.exe | C:\Windows\System\IWGaubk.exe |
| C:\Windows\System\TYaamfu.exe | C:\Windows\System\TYaamfu.exe |
| C:\Windows\System\ErTJmQE.exe | C:\Windows\System\ErTJmQE.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
\Windows\system\NFEQzyB.exe
| MD5 | b77978fcb59d862ea9313924f2b389e7 |
| SHA1 | cca8b6033fa6174038710d8b51cf95795e2b3c2f |
| SHA256 | ec0a3353d4436f3b42774639ae97c06e46d031dc2606c086ef8b1ea966afc79f |
| SHA512 | 2b99fd191c96afc103445fad6e29883551e3bc532485c4f4cf2f6031c000e3bc93eb1bdb94d417213363ee5d403af4bc0993081528b2a711d32c7a811f2e9c16 |
C:\Windows\system\VQIVTpU.exe
| MD5 | 08299ff696cbe69ff635204e97df4a60 |
| SHA1 | e232d8f408fd18844a61e1dc03e3fb515acca49c |
| SHA256 | a48f48af233676124555bf8c11d2c2c196f5c67f262d3393827801e6e20bc9e4 |
| SHA512 | 0642bd12db1650b4b78a72a5c5dec6b5081f9442f1ac65b98d6d2c4b8fa9fe055824656e46da98747dd017ee8081e76280cd9c25cefa2c5b24fa64358168858d |
\Windows\system\xWZkrLk.exe
| MD5 | f546871cea646316ece66dd58db1cbe8 |
| SHA1 | cd14d544ad2ab82321eb765e124b3dccbf2f50c4 |
| SHA256 | b45bc357bc48ccf4ac30eb5bf98349de299b993e9b762ec7ed680876256359ed |
| SHA512 | 300602f2f83b470594e34660b412e82b134c16a61b0137dd3a609eec82f7fd0abc6cede571d8267d4611450d970959d0ab5a8477886b156fed698fbf435615c4 |
C:\Windows\system\JpvVTwU.exe
| MD5 | ca35bb3ad977ce2540d04a127800fa46 |
| SHA1 | d5ac1049d7bc911360fc0b777b947518348f52fd |
| SHA256 | 01092b31ac1963ce73ff96faa33a08acb27b6dd2b2a9b118f57a3f4879b1cb06 |
| SHA512 | bca8f6972e79c65d591476265d9cd0db1a6394c787172db0da6424e03c14dd4c7d8ae08f30f4337c425a624eacbc22d15b2b76ab528d3b6c5f4ab7f9f23b6983 |
\Windows\system\TYaamfu.exe
| MD5 | 4db40550a8a405226847478d6fa8f459 |
| SHA1 | 994d52f0d881bc1bf96cda12e8d4b4e2ab80edc8 |
| SHA256 | 4dcb83d498e06d0c2ec0cb8da046e2c28de8c3ddc5d836841783a9b78bfe0c4b |
| SHA512 | dc231f99221fd2af39eca498798361805abe9af13666d51d3fe24eb40655976ee66f68d6393aecb00db57990e1ca4c46bffb1feee538746f70945cffb350366c |
\Windows\system\aVzPdVC.exe
| MD5 | 86d3864916f1a6acdd291718d2fa9949 |
| SHA1 | 8f9fe188a80b0a837c8a692567e46862abbdb2bb |
| SHA256 | a09172ad232de6582d1757f0b32467e33b59c09fbf3cbdc554561e90d4788dd0 |
| SHA512 | 2f7617659ba9fcbcd518d63f6226ae052fde36e37f59718ee648e71748a6ffc122b660481110a83df815acf1d40f0143cf9dbd88739ce6312ea527717cbc8781 |
C:\Windows\system\NVhywEP.exe
| MD5 | 4d78eb97fe50b273cb75f7e1f345d580 |
| SHA1 | 0c330348b5419bb65f408b53fe3d0b955b0dd7be |
| SHA256 | 3fcf2bb9fbc791091735779bce3984951fcff5d881c5a117027f289b4334ba07 |
| SHA512 | d86bfcbfc8dcee7f8a5851514bdefc34d14a7a992c9d7a60412256b1ed40777f3d8c36260fa3b9267e112ea61c491c653b6a063399ce78c3099ffbb429775ef0 |
\Windows\system\qhebuWh.exe
| MD5 | 101adb101bfd223b1fe00f2f1b8476a1 |
| SHA1 | 4ccb5d0405356514c031bb643572bd65b05a338c |
| SHA256 | 9b19819d14aa899ce18757678674036f581dabe0c9695f895faa665256c43236 |
| SHA512 | 0222a8940fbefc9bd9f7c7feae5d2765ada0ad65de1f03511b11be8d927c3b5570b614523c11f2d7010700c524906c7f88abd095cab2d0b6a61fc16e4e1a74e0 |
C:\Windows\system\ErTJmQE.exe
| MD5 | 2cc8e9602dba58825118995709c9147f |
| SHA1 | 6f551b30218eabac9f4131c6e1cf07653f2d3316 |
| SHA256 | f1e09c4e7d62b62fbe6f204a2612e869dea6fd2de4716fdfb2df39f1165549a1 |
| SHA512 | bafe280ddf17329056059c6ec609badcb42eb68fc157ae3ba4c441d73c44b7f84509e4f41557ebbe412b2149bff977949d14da4a87d4f24d570aa1130252953a |
C:\Windows\system\IWGaubk.exe
| MD5 | 730c0a0c26bd413d853654ad525906d8 |
| SHA1 | 676aa650b7d903b42289960baa383c2421d589c5 |
| SHA256 | 72c684afcbee42d4a2e3cbdb89971e3252d1ef9fcf6a619e94954ed5e3c0721a |
| SHA512 | a34fd888dc390f4b7ae3d576013988fc864bf081644b4833cf48bb66687291e73da138cacc99eb76918daaa0e1788e7f180e41ab8753d4cbd6b4bf72c76f24e5 |
C:\Windows\system\zZGBOhL.exe
| MD5 | aaf67029147cac77d7b3d09546f69951 |
| SHA1 | dc5103564bd63d7ce1a6afb0ee6db3018a02a675 |
| SHA256 | 47e8e6a9f8d3bebd6817786a49427ea0248b33a6a6db2bb2ba1c699765464cb8 |
| SHA512 | 5f2080e0a1a3bc7d1ccec7b643a59e7b9a797a8481df71be56b8ac21e686759e4a9c53057e8e21975c7cad36680d601cbbf97d0c080c6de7fa7105eb20c8b8d8 |
C:\Windows\system\OmANoPa.exe
| MD5 | a5ed7f653524a37814ea41852f4e8bf1 |
| SHA1 | b5339da96ca97792b86281e89871e69878a14a3c |
| SHA256 | 1a85533e62c9f7781a881cff88bab97c5797a9b9949fa1bde2eaccab69820ca0 |
| SHA512 | ebfa1863f4369887cc498ec39e62005d3a62f3e65539cb0da0d3aaf4abaad8d577c90a6bac1f7370d113a71cf7038bc8500f3f521d8eba75172a041d301a44b8 |
C:\Windows\system\JPvbPGy.exe
| MD5 | 397223f03ebfea8e6944090db676faf2 |
| SHA1 | 2cd3555cbe4f3a44c634c9818df8c1d14ee16dd4 |
| SHA256 | fcf14202ce8f09a682e9482e41f3d0b2fc0c7d03d7b82a641127ea35d4339103 |
| SHA512 | dc93e991cd19a45471526eb6ec273c11604b6e47e6dbb5f7878907f73e56b2559849ef5d8312778ce495378299ddad4cda169adcb81d9b58fdf724291bec9e0e |
C:\Windows\system\HqeVwzZ.exe
| MD5 | 470b7b71136e30b5f2af13059e15e172 |
| SHA1 | e9f5dbd6a473e43625f5770a1740176a1a70ae70 |
| SHA256 | 5dcd91d02b3a6f4c6a37eceddd90c82bb15efb5b5a37d3c0b80430a01499768d |
| SHA512 | aae97346d793adaa7e113b3301db4ab682813675be7509d741102bd7170721a0835993f4f689173d81e3a1b9a956df6d3e658959d99da56177f94a6b5aaf0568 |
C:\Windows\system\zKajvdK.exe
| MD5 | bfbdbf328656c6c509a3117bc9199e94 |
| SHA1 | ae47855de6c528c02246ded95c2f5d032aea8e3b |
| SHA256 | 7cf8f6ba980de68b403f2d7dbbfdd0b9582f2ca5c21b8a01db1900d5bcef1837 |
| SHA512 | 44f6c2c5a6d8d8d35af1b6364f2d4cf4b79c2b1a018d41bf0019aba3557327819b1ae9cf26932deaf20ff6150a6d72df2937927be35ebc0fee89158fd0f31738 |
C:\Windows\system\RFxTCtw.exe
| MD5 | 07076f1a19372ad4af489da7f105602b |
| SHA1 | 3810749f436199d6002ff05d04b8fbe3a481d03f |
| SHA256 | c16511c69c9922beb85fa0e93f720cee1b10608baeb6210afe7000e100a6aa5a |
| SHA512 | aa65fd2efbb539b912b99a13b1ea58d65682f9c0eb085aa135849b0e159fb46123a05e473f4dc84cc74992d72bde654b3aab527b6b79debb88a6a4c6edc96a62 |
C:\Windows\system\iZWTwAg.exe
| MD5 | e62d97ac2657d0b188c6ab628188355f |
| SHA1 | 83d96570ee5fec8ea48bfcc26b7d303c0da034a4 |
| SHA256 | 29d5964ced7387db6727b4371510bd747aafd030343e6167012d12d182263abc |
| SHA512 | 4b668abed6bbb8f4f4efb032287c379747dc18384f6411461240e15d5e0265446e92f1a5911736a956c5c2b0c484ffb9d6cfb65bc7a618217e44e7aed7b0be9a |
C:\Windows\system\rXRaZFU.exe
| MD5 | 68839dc64953b14f24f7e70d574fa813 |
| SHA1 | b226c5877fb3942e3822746d12cbb0ac35a86a6e |
| SHA256 | efce37d83ab6bb12674f03cb14821ac779b32ca4ddbe7a4f43eefeddaa0e15fc |
| SHA512 | cf229a885e2e50325c3a6412e553d991e6b3946e3c6b3288c437ac1370d33d6661824a20acc03cda887778e504228d128868580adcc6ef281d8d9c18699ca772 |
C:\Windows\system\NIgCFkw.exe
| MD5 | 3e62968a33d33b4c111d71e55ffa301f |
| SHA1 | ffc54d76b83a03c182a29ce4898b8862a42c21f0 |
| SHA256 | 88ad97d45f4a2b1523228f09180b824550117e52521f5e9e3cac7c3e6bda53e2 |
| SHA512 | efe957238c1f8f111cadb8c0b45d894c899d3fe61d934b10d74c76f97c57474f1030e86ab4e1b22d56309777d8f4a612b7b5562bf5b3ae4ccc1534e9cfac25e7 |
C:\Windows\system\PhkbIPi.exe
| MD5 | 768105ef2e50cf86358fadab19291ce0 |
| SHA1 | a42f04aaaaa06de4ed8751a22600d96b677c9bbe |
| SHA256 | d1381c4180d45ebe6b39b30f7e291badb2387b1e28ae61f862af47baea8e075d |
| SHA512 | 9ab7d4c6fbbe8bed704656bf50a39cd0aa2f3e01273033585328b380c95556defdeaedf77e35188a6141cb26ea2c57e35863093e0c85cb199b8234d72dfeac65 |
C:\Windows\system\YzmPnoi.exe
| MD5 | b7c5e52a5e818fd986fc0eae4338e8fd |
| SHA1 | bc2d363c84cf561e52f9308fe258d96b1995b6e8 |
| SHA256 | da2ad62628d3242b5163e8b0718af1071a7137637d9f0c563191f8b69d241067 |
| SHA512 | 9c3e1a68a1b29830939bf9b90e2ea6066d8dd2fdb1abd9c2ac873bb9153ad7158bf143ef234fe6f16c6ef0b4a9be8aedca2af570f577c5a22eaa7e9d8cc0fbd0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 19:16
Reported
2024-05-22 19:18
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
152s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\NFEQzyB.exe | N/A |
| N/A | N/A | C:\Windows\System\YzmPnoi.exe | N/A |
| N/A | N/A | C:\Windows\System\rXRaZFU.exe | N/A |
| N/A | N/A | C:\Windows\System\PhkbIPi.exe | N/A |
| N/A | N/A | C:\Windows\System\iZWTwAg.exe | N/A |
| N/A | N/A | C:\Windows\System\RFxTCtw.exe | N/A |
| N/A | N/A | C:\Windows\System\NIgCFkw.exe | N/A |
| N/A | N/A | C:\Windows\System\VQIVTpU.exe | N/A |
| N/A | N/A | C:\Windows\System\zKajvdK.exe | N/A |
| N/A | N/A | C:\Windows\System\HqeVwzZ.exe | N/A |
| N/A | N/A | C:\Windows\System\JPvbPGy.exe | N/A |
| N/A | N/A | C:\Windows\System\NVhywEP.exe | N/A |
| N/A | N/A | C:\Windows\System\OmANoPa.exe | N/A |
| N/A | N/A | C:\Windows\System\qhebuWh.exe | N/A |
| N/A | N/A | C:\Windows\System\zZGBOhL.exe | N/A |
| N/A | N/A | C:\Windows\System\JpvVTwU.exe | N/A |
| N/A | N/A | C:\Windows\System\xWZkrLk.exe | N/A |
| N/A | N/A | C:\Windows\System\aVzPdVC.exe | N/A |
| N/A | N/A | C:\Windows\System\IWGaubk.exe | N/A |
| N/A | N/A | C:\Windows\System\TYaamfu.exe | N/A |
| N/A | N/A | C:\Windows\System\ErTJmQE.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe" |
| C:\Windows\System\NFEQzyB.exe | C:\Windows\System\NFEQzyB.exe |
| C:\Windows\System\YzmPnoi.exe | C:\Windows\System\YzmPnoi.exe |
| C:\Windows\System\rXRaZFU.exe | C:\Windows\System\rXRaZFU.exe |
| C:\Windows\System\PhkbIPi.exe | C:\Windows\System\PhkbIPi.exe |
| C:\Windows\System\iZWTwAg.exe | C:\Windows\System\iZWTwAg.exe |
| C:\Windows\System\RFxTCtw.exe | C:\Windows\System\RFxTCtw.exe |
| C:\Windows\System\NIgCFkw.exe | C:\Windows\System\NIgCFkw.exe |
| C:\Windows\System\VQIVTpU.exe | C:\Windows\System\VQIVTpU.exe |
| C:\Windows\System\zKajvdK.exe | C:\Windows\System\zKajvdK.exe |
| C:\Windows\System\HqeVwzZ.exe | C:\Windows\System\HqeVwzZ.exe |
| C:\Windows\System\JPvbPGy.exe | C:\Windows\System\JPvbPGy.exe |
| C:\Windows\System\NVhywEP.exe | C:\Windows\System\NVhywEP.exe |
| C:\Windows\System\OmANoPa.exe | C:\Windows\System\OmANoPa.exe |
| C:\Windows\System\qhebuWh.exe | C:\Windows\System\qhebuWh.exe |
| C:\Windows\System\zZGBOhL.exe | C:\Windows\System\zZGBOhL.exe |
| C:\Windows\System\JpvVTwU.exe | C:\Windows\System\JpvVTwU.exe |
| C:\Windows\System\xWZkrLk.exe | C:\Windows\System\xWZkrLk.exe |
| C:\Windows\System\aVzPdVC.exe | C:\Windows\System\aVzPdVC.exe |
| C:\Windows\System\IWGaubk.exe | C:\Windows\System\IWGaubk.exe |
| C:\Windows\System\TYaamfu.exe | C:\Windows\System\TYaamfu.exe |
| C:\Windows\System\ErTJmQE.exe | C:\Windows\System\ErTJmQE.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
C:\Windows\System\NFEQzyB.exe
| MD5 | b77978fcb59d862ea9313924f2b389e7 |
| SHA1 | cca8b6033fa6174038710d8b51cf95795e2b3c2f |
| SHA256 | ec0a3353d4436f3b42774639ae97c06e46d031dc2606c086ef8b1ea966afc79f |
| SHA512 | 2b99fd191c96afc103445fad6e29883551e3bc532485c4f4cf2f6031c000e3bc93eb1bdb94d417213363ee5d403af4bc0993081528b2a711d32c7a811f2e9c16 |
C:\Windows\System\rXRaZFU.exe
| MD5 | 68839dc64953b14f24f7e70d574fa813 |
| SHA1 | b226c5877fb3942e3822746d12cbb0ac35a86a6e |
| SHA256 | efce37d83ab6bb12674f03cb14821ac779b32ca4ddbe7a4f43eefeddaa0e15fc |
| SHA512 | cf229a885e2e50325c3a6412e553d991e6b3946e3c6b3288c437ac1370d33d6661824a20acc03cda887778e504228d128868580adcc6ef281d8d9c18699ca772 |
C:\Windows\System\YzmPnoi.exe
| MD5 | b7c5e52a5e818fd986fc0eae4338e8fd |
| SHA1 | bc2d363c84cf561e52f9308fe258d96b1995b6e8 |
| SHA256 | da2ad62628d3242b5163e8b0718af1071a7137637d9f0c563191f8b69d241067 |
| SHA512 | 9c3e1a68a1b29830939bf9b90e2ea6066d8dd2fdb1abd9c2ac873bb9153ad7158bf143ef234fe6f16c6ef0b4a9be8aedca2af570f577c5a22eaa7e9d8cc0fbd0 |
C:\Windows\System\PhkbIPi.exe
| MD5 | 768105ef2e50cf86358fadab19291ce0 |
| SHA1 | a42f04aaaaa06de4ed8751a22600d96b677c9bbe |
| SHA256 | d1381c4180d45ebe6b39b30f7e291badb2387b1e28ae61f862af47baea8e075d |
| SHA512 | 9ab7d4c6fbbe8bed704656bf50a39cd0aa2f3e01273033585328b380c95556defdeaedf77e35188a6141cb26ea2c57e35863093e0c85cb199b8234d72dfeac65 |
C:\Windows\System\iZWTwAg.exe
| MD5 | e62d97ac2657d0b188c6ab628188355f |
| SHA1 | 83d96570ee5fec8ea48bfcc26b7d303c0da034a4 |
| SHA256 | 29d5964ced7387db6727b4371510bd747aafd030343e6167012d12d182263abc |
| SHA512 | 4b668abed6bbb8f4f4efb032287c379747dc18384f6411461240e15d5e0265446e92f1a5911736a956c5c2b0c484ffb9d6cfb65bc7a618217e44e7aed7b0be9a |
C:\Windows\System\RFxTCtw.exe
| MD5 | 07076f1a19372ad4af489da7f105602b |
| SHA1 | 3810749f436199d6002ff05d04b8fbe3a481d03f |
| SHA256 | c16511c69c9922beb85fa0e93f720cee1b10608baeb6210afe7000e100a6aa5a |
| SHA512 | aa65fd2efbb539b912b99a13b1ea58d65682f9c0eb085aa135849b0e159fb46123a05e473f4dc84cc74992d72bde654b3aab527b6b79debb88a6a4c6edc96a62 |
C:\Windows\System\NIgCFkw.exe
| MD5 | 3e62968a33d33b4c111d71e55ffa301f |
| SHA1 | ffc54d76b83a03c182a29ce4898b8862a42c21f0 |
| SHA256 | 88ad97d45f4a2b1523228f09180b824550117e52521f5e9e3cac7c3e6bda53e2 |
| SHA512 | efe957238c1f8f111cadb8c0b45d894c899d3fe61d934b10d74c76f97c57474f1030e86ab4e1b22d56309777d8f4a612b7b5562bf5b3ae4ccc1534e9cfac25e7 |
C:\Windows\System\VQIVTpU.exe
| MD5 | 08299ff696cbe69ff635204e97df4a60 |
| SHA1 | e232d8f408fd18844a61e1dc03e3fb515acca49c |
| SHA256 | a48f48af233676124555bf8c11d2c2c196f5c67f262d3393827801e6e20bc9e4 |
| SHA512 | 0642bd12db1650b4b78a72a5c5dec6b5081f9442f1ac65b98d6d2c4b8fa9fe055824656e46da98747dd017ee8081e76280cd9c25cefa2c5b24fa64358168858d |
C:\Windows\System\zKajvdK.exe
| MD5 | bfbdbf328656c6c509a3117bc9199e94 |
| SHA1 | ae47855de6c528c02246ded95c2f5d032aea8e3b |
| SHA256 | 7cf8f6ba980de68b403f2d7dbbfdd0b9582f2ca5c21b8a01db1900d5bcef1837 |
| SHA512 | 44f6c2c5a6d8d8d35af1b6364f2d4cf4b79c2b1a018d41bf0019aba3557327819b1ae9cf26932deaf20ff6150a6d72df2937927be35ebc0fee89158fd0f31738 |
C:\Windows\System\OmANoPa.exe
| MD5 | a5ed7f653524a37814ea41852f4e8bf1 |
| SHA1 | b5339da96ca97792b86281e89871e69878a14a3c |
| SHA256 | 1a85533e62c9f7781a881cff88bab97c5797a9b9949fa1bde2eaccab69820ca0 |
| SHA512 | ebfa1863f4369887cc498ec39e62005d3a62f3e65539cb0da0d3aaf4abaad8d577c90a6bac1f7370d113a71cf7038bc8500f3f521d8eba75172a041d301a44b8 |
C:\Windows\System\qhebuWh.exe
| MD5 | 101adb101bfd223b1fe00f2f1b8476a1 |
| SHA1 | 4ccb5d0405356514c031bb643572bd65b05a338c |
| SHA256 | 9b19819d14aa899ce18757678674036f581dabe0c9695f895faa665256c43236 |
| SHA512 | 0222a8940fbefc9bd9f7c7feae5d2765ada0ad65de1f03511b11be8d927c3b5570b614523c11f2d7010700c524906c7f88abd095cab2d0b6a61fc16e4e1a74e0 |
C:\Windows\System\zZGBOhL.exe
| MD5 | aaf67029147cac77d7b3d09546f69951 |
| SHA1 | dc5103564bd63d7ce1a6afb0ee6db3018a02a675 |
| SHA256 | 47e8e6a9f8d3bebd6817786a49427ea0248b33a6a6db2bb2ba1c699765464cb8 |
| SHA512 | 5f2080e0a1a3bc7d1ccec7b643a59e7b9a797a8481df71be56b8ac21e686759e4a9c53057e8e21975c7cad36680d601cbbf97d0c080c6de7fa7105eb20c8b8d8 |
C:\Windows\System\xWZkrLk.exe
C:\Windows\System\aVzPdVC.exe
C:\Windows\System\TYaamfu.exe
C:\Windows\System\ErTJmQE.exe
C:\Windows\System\IWGaubk.exe
C:\Windows\System\JpvVTwU.exe
C:\Windows\System\NVhywEP.exe
C:\Windows\System\JPvbPGy.exe
C:\Windows\System\HqeVwzZ.exe