Analysis Overview
SHA256
399a0ec2fcb54cb0c481c572ba4d321c04e455fc5103b2fba1adf0525e0981b4
Threat Level: Known bad
The file 2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Cobaltstrike family
XMRig Miner payload
Detects Reflective DLL injection artifacts
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-29 22:01
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 22:01
Reported
2024-05-29 22:04
Platform
win7-20240508-en
Max time kernel
140s
Max time network
143s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\HXFWQFH.exe | N/A |
| N/A | N/A | C:\Windows\System\rBiMpby.exe | N/A |
| N/A | N/A | C:\Windows\System\JTICjnl.exe | N/A |
| N/A | N/A | C:\Windows\System\iNGKnCQ.exe | N/A |
| N/A | N/A | C:\Windows\System\fBUrzhg.exe | N/A |
| N/A | N/A | C:\Windows\System\BLPYaDF.exe | N/A |
| N/A | N/A | C:\Windows\System\SqLLhpR.exe | N/A |
| N/A | N/A | C:\Windows\System\eFUJANf.exe | N/A |
| N/A | N/A | C:\Windows\System\LOyllnq.exe | N/A |
| N/A | N/A | C:\Windows\System\LrZGdcE.exe | N/A |
| N/A | N/A | C:\Windows\System\fXPOCVQ.exe | N/A |
| N/A | N/A | C:\Windows\System\igMzXsO.exe | N/A |
| N/A | N/A | C:\Windows\System\DDVQRxJ.exe | N/A |
| N/A | N/A | C:\Windows\System\bHxyyNZ.exe | N/A |
| N/A | N/A | C:\Windows\System\OTRMlfE.exe | N/A |
| N/A | N/A | C:\Windows\System\eIvSFIP.exe | N/A |
| N/A | N/A | C:\Windows\System\BfONQiY.exe | N/A |
| N/A | N/A | C:\Windows\System\liMwqKS.exe | N/A |
| N/A | N/A | C:\Windows\System\TXHcwIU.exe | N/A |
| N/A | N/A | C:\Windows\System\AQFrzNQ.exe | N/A |
| N/A | N/A | C:\Windows\System\mIMleEv.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\HXFWQFH.exe
C:\Windows\System\HXFWQFH.exe
C:\Windows\System\rBiMpby.exe
C:\Windows\System\rBiMpby.exe
C:\Windows\System\JTICjnl.exe
C:\Windows\System\JTICjnl.exe
C:\Windows\System\BLPYaDF.exe
C:\Windows\System\BLPYaDF.exe
C:\Windows\System\iNGKnCQ.exe
C:\Windows\System\iNGKnCQ.exe
C:\Windows\System\bHxyyNZ.exe
C:\Windows\System\bHxyyNZ.exe
C:\Windows\System\fBUrzhg.exe
C:\Windows\System\fBUrzhg.exe
C:\Windows\System\OTRMlfE.exe
C:\Windows\System\OTRMlfE.exe
C:\Windows\System\SqLLhpR.exe
C:\Windows\System\SqLLhpR.exe
C:\Windows\System\eIvSFIP.exe
C:\Windows\System\eIvSFIP.exe
C:\Windows\System\eFUJANf.exe
C:\Windows\System\eFUJANf.exe
C:\Windows\System\BfONQiY.exe
C:\Windows\System\BfONQiY.exe
C:\Windows\System\LOyllnq.exe
C:\Windows\System\LOyllnq.exe
C:\Windows\System\liMwqKS.exe
C:\Windows\System\liMwqKS.exe
C:\Windows\System\LrZGdcE.exe
C:\Windows\System\LrZGdcE.exe
C:\Windows\System\TXHcwIU.exe
C:\Windows\System\TXHcwIU.exe
C:\Windows\System\fXPOCVQ.exe
C:\Windows\System\fXPOCVQ.exe
C:\Windows\System\AQFrzNQ.exe
C:\Windows\System\AQFrzNQ.exe
C:\Windows\System\igMzXsO.exe
C:\Windows\System\igMzXsO.exe
C:\Windows\System\mIMleEv.exe
C:\Windows\System\mIMleEv.exe
C:\Windows\System\DDVQRxJ.exe
C:\Windows\System\DDVQRxJ.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2992-0-0x000000013F820000-0x000000013FB71000-memory.dmp
memory/2992-1-0x00000000002F0000-0x0000000000300000-memory.dmp
\Windows\system\HXFWQFH.exe
| MD5 | 968098ccc5cb11b7a8058129a9e86f18 |
| SHA1 | b7d73001ce44c15c5cbc6dc775c2abe294092f7a |
| SHA256 | 63e83f08b63097f5e143ee1304a7120ea007b4299aa73361b1474dc1e9f31f30 |
| SHA512 | 64d4a40abd0f2e5c923471a0fa88d8016511f65d39466bd36d5dc3a815595f0c09c39eb551c566a777164188f5970c8549428574aa272ce0c7012d85bae4681c |
\Windows\system\rBiMpby.exe
| MD5 | 72421ba88b1a0ecfa79b3b60c0d98985 |
| SHA1 | fbf5cad0e2d52205dd639a66ff1cc2e57d5780d5 |
| SHA256 | 1ba419d3a39d0129b85a1e871fe63a32967a480c47ef122755d50b745c493d12 |
| SHA512 | 5179c743e7e5a20ba7de0000103f8efa48b4de45893aa1c79094eaba80a7e234ba983646d7fc52fd76f69cc680e91c3315d24878cf3ff31389d96b0d6f353082 |
\Windows\system\bHxyyNZ.exe
| MD5 | b9d5418cedc2f459a381d93249915250 |
| SHA1 | 67a2e6eac739ebcd505c9f544c57904980fb8de9 |
| SHA256 | ad7afb225576a6fffd6ec312a3dca539a7cb10c8cde96b6b1612529a96c6c06e |
| SHA512 | cfacb59802ec5ea97d118eb7196d778cab9d7325c0112d78293586ad8b64a7af062156ac61900a58c0f4c5f54324e60bf79200af7775b68cd3bca460cd17f1d3 |
C:\Windows\system\BLPYaDF.exe
| MD5 | f3c47c0094ccf2e35da6866d4062a62b |
| SHA1 | 0a75cde8f449c49036bb0074de084b52eb739575 |
| SHA256 | fb69fb4db5eac8113b29553defaebe35f2c4236e2daf9e811386fda0fc963e68 |
| SHA512 | 0db6d6399ea63ca95e1402e3bed53961ae1a0d899bc63b1e9bb4322767134c223b4aca747c0278749d158aaf904c114426bb45a2485fa4310fd9a29f4555484b |
\Windows\system\eFUJANf.exe
| MD5 | bc2f88402ca32a603a2b4da44b7130fa |
| SHA1 | 9654749e36329bab282b868a5b7c9a63c430c818 |
| SHA256 | 0b4136dfda62e6c50d64a7433b372010f067e24e20eba4b74771fc9e597a4f0b |
| SHA512 | 8af31860fe5ff8185b4273497f48515a11ff2c6e81a97e3b36525cf9f67874d7ad797b8331aca72045a74fbcec1653db7db3e19ef07084cf98e91a8dc89fcb34 |
\Windows\system\SqLLhpR.exe
| MD5 | a7cf3060e14f68a8e3e6abf4fea62626 |
| SHA1 | e2b6e7307cb65451b5482bcb42ed9ac032dbfc1c |
| SHA256 | 573b3df410a790c23734db32fc4a846146714f0688bd01662a3b616ef9d84ca9 |
| SHA512 | 149321c0b10dfc6d1dce2a4e0c7edab645441c5dc7462c8a526eba1c1f6209b54cabea11f673101598f8c3b87f2c1932c827ef3ac59285111f97720f84a7d98d |
C:\Windows\system\JTICjnl.exe
| MD5 | 21448e35cf02f07e6ba67ae6b6270a78 |
| SHA1 | 0c6860ec545418198b297bb0b11e834ffcdfe337 |
| SHA256 | 0a8de2f0769f8474a4b6515c122b05db98924ef9aa5b64c98fd2396f4e18f370 |
| SHA512 | f0749c5803acde5679c7a95f96d18356f74488d35ca53565b6d4dd3a7f62862e64204e3e32b33be1b38d0ccd3fb1d477be31ee4d96d164b973131f7960efdf46 |
memory/804-19-0x000000013F130000-0x000000013F481000-memory.dmp
\Windows\system\fBUrzhg.exe
| MD5 | 5d609cecbbf655b56222fea49859e023 |
| SHA1 | 3d2be34bcf0f5bb2ce64a35d5f0a4e8def4b0faf |
| SHA256 | bbcbc5ceb61c3d1b9df71860a3220469a65c7524d0e81ac422d406d52a205ea1 |
| SHA512 | 85889333a4c8bd32db1dd704572eaa06873592bb07d3cce937cb8c53de181a2fa1c8a5e5a81db70a77d1dae09acaf97d21ef4216e2a821987d9b21cfd2aba01b |
\Windows\system\iNGKnCQ.exe
| MD5 | be5e3fd224c69e7a9901048cbf512f88 |
| SHA1 | 49567683122a1842fe87881f80b3a2871ebea8ec |
| SHA256 | 3fff84176168f91f85f90af2d6b93f487d7a77ccc349890fbbb921304994727e |
| SHA512 | 4e903621197a42513e3aca659490b71acae00725c2975aac37997125ad4866bbf07ddc904c194026ac05f663b690861c918c69a176337d2784c6aaa8a25abb7d |
memory/2600-12-0x000000013F0F0000-0x000000013F441000-memory.dmp
memory/2992-91-0x0000000002510000-0x0000000002861000-memory.dmp
memory/2656-90-0x000000013F670000-0x000000013F9C1000-memory.dmp
\Windows\system\DDVQRxJ.exe
| MD5 | b561ca3f0f85f85251181e18653e755b |
| SHA1 | 82445d130c0e93c320c91644ce86674be9233ca8 |
| SHA256 | 89adbe033cb4b961f919dd423f228d97475a55b54c4ed9eb7a962b2d65345df4 |
| SHA512 | a5c041080396d48a3db0199ab533d52cacc5ab08d73f6db0749198a6ad3ea541b3ab93c33b7cf7619558d2aae1d08c291bd9111efb7b8f77ab39d2639ba96938 |
memory/2992-84-0x000000013FB90000-0x000000013FEE1000-memory.dmp
\Windows\system\igMzXsO.exe
| MD5 | a3e88b27bb609415d826c17a22ebf1c5 |
| SHA1 | b1bb014c1d462fd2485ee5e230994f425fd62ec7 |
| SHA256 | 423ccdb0fa239f0bab116b33c8c2781a737e412d48ea529b34bd7cd298bbee3d |
| SHA512 | e4d5b4fad09d502543b218e887f2d094bbe77fc2bce99f5dce72d080708cdfed429a7e8f97b2717c677b827d2731ea708e5c656eb56fe5218cea446e65834d35 |
\Windows\system\fXPOCVQ.exe
| MD5 | 8b508f80fe422db0673c3a0fd474d67b |
| SHA1 | 9946c15c8590b85e2ae9eca41b0af099abc5ee32 |
| SHA256 | c6941a11cc921d63a54990a16af0bef9261100305d399e29758e568993f8dc40 |
| SHA512 | ddc3c09c73c846d2b485434b8f6cf19b8389b8ef235027f059f7152e649ca76f9df0847201a7798bb1cf2f6ef12312d1d09f16cec6e8858b8c29248dd4267886 |
\Windows\system\LrZGdcE.exe
| MD5 | fafd34cd3803e1dfbbbeb9f524d7cdc9 |
| SHA1 | c44b3b72ca1f48879bab6a3e390ba5f840898aad |
| SHA256 | 8562b27b2087a85918b1366a18b18fe689528a9d4e5c160bb2a40074979df375 |
| SHA512 | d3fdf039afa9ec1292ba83b1fc7c0cd892f905efe9e433a1501480f086af4695a4aa3f01470a7a49ee97beb2b0e8eae81edf15f73742d30b3c174e80c32adde7 |
\Windows\system\LOyllnq.exe
| MD5 | 03e9f7485015c3e9f3acce41b3317a27 |
| SHA1 | efa95ba46f57cda6aeb490f4c6aeee15115aeddb |
| SHA256 | 7da84763da8d85de67fd2fb71655cb139b860619f46912ffa23092002f4a0673 |
| SHA512 | 439b2232e0f7d8b698cfb9c6b5c191aa6c48ad382cea1f6f789299758e803214b2f9257dffc17e87e25025f05730e22389a6ad7493c3b3c39e19aabc8df2dac8 |
C:\Windows\system\TXHcwIU.exe
| MD5 | ededae0ebd32c55d857db863cf1071b4 |
| SHA1 | 9cd7bfff60093c41887c2ee6879ed4fc752d4f6b |
| SHA256 | e1bd578434972cf0161199940d679460ac2acd677165e50998a81b3d9ed9f675 |
| SHA512 | 21d389fe762754e692829370dd446b25eb5344021da951e84e74cc89815d4d7c5d8d87a28d00abf80d9094dcbd7c39dc190fa875dfc7f822c3a1af8d220709ef |
\Windows\system\mIMleEv.exe
| MD5 | 8947fa19528851a27c00b06aa5bd1ff2 |
| SHA1 | 24cd623dea83e04198d31f46295f98a6248ba214 |
| SHA256 | 1094c19c657fbca5115f0b773ed14bc1770666b98c348770e3ef91d363e9c28e |
| SHA512 | f716b3439a08734d23a47f35adcca36363611790b0635db7b201925c8256a77a076e18910ac04f5ce87194c36e476122cd4d365b735dabf902e35ca0a7d9573b |
\Windows\system\AQFrzNQ.exe
| MD5 | d1fe08af60070575fae30bab65dd177d |
| SHA1 | 0d7ecc7fa8e5bc28e020d7f5e621c0d5a9ce9405 |
| SHA256 | c64d721590c0acc29548632c1ad505c8f2493997eb60ce2e8e42180f7a458174 |
| SHA512 | a8049c3fcfbd343aaefab88ae3f1f25f6451d597bef72085e338ef8f7d801c045d8377dfdd1e367f92907dfae34236d5b2c599347708ac5b340ccc7d61325247 |
\Windows\system\liMwqKS.exe
| MD5 | 4fe992005f60be63f8c38d41835e1370 |
| SHA1 | db4d46a8bd3a94ff0184a504e7f0ac88711fc8eb |
| SHA256 | 166c30e66010a8dd0ec2a0a74424d7eb3a2c98a68568c382fdab3f3e4690a3a7 |
| SHA512 | 44b9e1f0f5d4ceb825abcf9b7e680434ffe6988237456d6aef1f2aa890c6f59a803ede5b2230c6c43fd712de3b63a6bcfe8ea1127e8cf08567580fa28d3e9ca3 |
memory/2992-58-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/2620-57-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2992-55-0x000000013FFB0000-0x0000000140301000-memory.dmp
\Windows\system\BfONQiY.exe
| MD5 | a8562f81337f0af6e59fdd20cd772c6d |
| SHA1 | 39d38d9f3abc7c6a98f111388a3f4e76ae88f6b5 |
| SHA256 | 5992799d1b9aae4c1c0b762c23922e4f0afe034f4ec5e8abf7ad0ca85996e10c |
| SHA512 | c2bb2a8a213adc6abde7e9778a1db75094681fe06fbb330d8a63a15bc0217f3495d0003d0b8dfe40acb547658f0ab47dfe3d0a89338a9a484de00253b1812833 |
\Windows\system\eIvSFIP.exe
| MD5 | 2f0301be8d784ba064750f67f78c60b9 |
| SHA1 | ff7b37f6ab066ec2969849e7b15d5aae56606750 |
| SHA256 | d3f89ad188470f7019c0bfdd4287fd71dc135471302525707929c645e21d3a79 |
| SHA512 | 1aa11628dc58a4f348757c2a452a70d0ec4d87da94b6a316ada1f44e47b46db9fcb61e88674c06519226eb3cb47a7558b905f3fa971afd9259cca36099de3ffa |
memory/2992-39-0x000000013FE90000-0x00000001401E1000-memory.dmp
memory/2992-34-0x0000000002510000-0x0000000002861000-memory.dmp
\Windows\system\OTRMlfE.exe
| MD5 | 957f4b84e1ccad32a78db4ffc63e2060 |
| SHA1 | a728be9807f3f90df7819d290267ecdff85f49e2 |
| SHA256 | d9e5d6640e7811930839ff6bbf494611e87dd3255afe7b733504199e41f3be47 |
| SHA512 | 985dbf04d0f2811d42cd757cfaeaab69c2598b22a57cf4333959de8b99633b1613b42405932f5f310068b63c197e42b4a5e37c1b9f1665b441bf6bd2aa15a224 |
memory/2992-118-0x000000013F210000-0x000000013F561000-memory.dmp
memory/2100-117-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/2992-116-0x000000013F3D0000-0x000000013F721000-memory.dmp
memory/2776-115-0x000000013FA10000-0x000000013FD61000-memory.dmp
memory/2992-114-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2156-113-0x000000013FD50000-0x00000001400A1000-memory.dmp
memory/2992-112-0x000000013FD50000-0x00000001400A1000-memory.dmp
memory/2992-111-0x000000013F130000-0x000000013F481000-memory.dmp
memory/2992-110-0x000000013FC90000-0x000000013FFE1000-memory.dmp
memory/2992-109-0x000000013FDC0000-0x0000000140111000-memory.dmp
memory/2992-108-0x000000013FEF0000-0x0000000140241000-memory.dmp
memory/2992-107-0x000000013F300000-0x000000013F651000-memory.dmp
memory/2992-106-0x000000013FC60000-0x000000013FFB1000-memory.dmp
memory/2992-99-0x000000013FCB0000-0x0000000140001000-memory.dmp
memory/2800-97-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/2992-29-0x0000000002510000-0x0000000002861000-memory.dmp
memory/2712-143-0x000000013F3D0000-0x000000013F721000-memory.dmp
memory/1928-141-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/2820-139-0x000000013FE90000-0x00000001401E1000-memory.dmp
memory/804-135-0x000000013F130000-0x000000013F481000-memory.dmp
memory/2992-133-0x000000013F820000-0x000000013FB71000-memory.dmp
memory/3032-154-0x000000013FC90000-0x000000013FFE1000-memory.dmp
memory/3028-153-0x000000013F210000-0x000000013F561000-memory.dmp
memory/2912-152-0x000000013FDC0000-0x0000000140111000-memory.dmp
memory/2892-151-0x000000013FB10000-0x000000013FE61000-memory.dmp
memory/1684-150-0x000000013FEF0000-0x0000000140241000-memory.dmp
memory/2556-149-0x000000013FB10000-0x000000013FE61000-memory.dmp
memory/1436-148-0x000000013F300000-0x000000013F651000-memory.dmp
memory/1820-147-0x000000013FC60000-0x000000013FFB1000-memory.dmp
memory/2588-146-0x000000013FCB0000-0x0000000140001000-memory.dmp
memory/1048-145-0x000000013F780000-0x000000013FAD1000-memory.dmp
memory/2992-155-0x000000013F820000-0x000000013FB71000-memory.dmp
memory/2992-156-0x000000013F820000-0x000000013FB71000-memory.dmp
memory/2600-201-0x000000013F0F0000-0x000000013F441000-memory.dmp
memory/2156-205-0x000000013FD50000-0x00000001400A1000-memory.dmp
memory/804-204-0x000000013F130000-0x000000013F481000-memory.dmp
memory/2776-207-0x000000013FA10000-0x000000013FD61000-memory.dmp
memory/2620-209-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2800-212-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/2656-213-0x000000013F670000-0x000000013F9C1000-memory.dmp
memory/2100-215-0x000000013FFF0000-0x0000000140341000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 22:01
Reported
2024-05-29 22:04
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\NkCgtGs.exe | N/A |
| N/A | N/A | C:\Windows\System\YTVUtlc.exe | N/A |
| N/A | N/A | C:\Windows\System\TCTMJQs.exe | N/A |
| N/A | N/A | C:\Windows\System\JSfBQPc.exe | N/A |
| N/A | N/A | C:\Windows\System\OXAAeJO.exe | N/A |
| N/A | N/A | C:\Windows\System\giGiaUy.exe | N/A |
| N/A | N/A | C:\Windows\System\zXHLjEq.exe | N/A |
| N/A | N/A | C:\Windows\System\zqoDnrC.exe | N/A |
| N/A | N/A | C:\Windows\System\WDuqChN.exe | N/A |
| N/A | N/A | C:\Windows\System\JJerXRV.exe | N/A |
| N/A | N/A | C:\Windows\System\fdgzivV.exe | N/A |
| N/A | N/A | C:\Windows\System\BXFmkyx.exe | N/A |
| N/A | N/A | C:\Windows\System\QfeJhGW.exe | N/A |
| N/A | N/A | C:\Windows\System\isXFKMv.exe | N/A |
| N/A | N/A | C:\Windows\System\BvnBbFQ.exe | N/A |
| N/A | N/A | C:\Windows\System\lbckSTS.exe | N/A |
| N/A | N/A | C:\Windows\System\MZjoCLb.exe | N/A |
| N/A | N/A | C:\Windows\System\CRPzXLc.exe | N/A |
| N/A | N/A | C:\Windows\System\FnNZMew.exe | N/A |
| N/A | N/A | C:\Windows\System\RlbtPwF.exe | N/A |
| N/A | N/A | C:\Windows\System\ZydCZLz.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\NkCgtGs.exe
C:\Windows\System\NkCgtGs.exe
C:\Windows\System\YTVUtlc.exe
C:\Windows\System\YTVUtlc.exe
C:\Windows\System\TCTMJQs.exe
C:\Windows\System\TCTMJQs.exe
C:\Windows\System\JSfBQPc.exe
C:\Windows\System\JSfBQPc.exe
C:\Windows\System\OXAAeJO.exe
C:\Windows\System\OXAAeJO.exe
C:\Windows\System\giGiaUy.exe
C:\Windows\System\giGiaUy.exe
C:\Windows\System\zXHLjEq.exe
C:\Windows\System\zXHLjEq.exe
C:\Windows\System\zqoDnrC.exe
C:\Windows\System\zqoDnrC.exe
C:\Windows\System\WDuqChN.exe
C:\Windows\System\WDuqChN.exe
C:\Windows\System\JJerXRV.exe
C:\Windows\System\JJerXRV.exe
C:\Windows\System\fdgzivV.exe
C:\Windows\System\fdgzivV.exe
C:\Windows\System\BXFmkyx.exe
C:\Windows\System\BXFmkyx.exe
C:\Windows\System\QfeJhGW.exe
C:\Windows\System\QfeJhGW.exe
C:\Windows\System\isXFKMv.exe
C:\Windows\System\isXFKMv.exe
C:\Windows\System\BvnBbFQ.exe
C:\Windows\System\BvnBbFQ.exe
C:\Windows\System\lbckSTS.exe
C:\Windows\System\lbckSTS.exe
C:\Windows\System\MZjoCLb.exe
C:\Windows\System\MZjoCLb.exe
C:\Windows\System\CRPzXLc.exe
C:\Windows\System\CRPzXLc.exe
C:\Windows\System\FnNZMew.exe
C:\Windows\System\FnNZMew.exe
C:\Windows\System\RlbtPwF.exe
C:\Windows\System\RlbtPwF.exe
C:\Windows\System\ZydCZLz.exe
C:\Windows\System\ZydCZLz.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1320-0-0x00007FF6BB7C0000-0x00007FF6BBB11000-memory.dmp
memory/1320-1-0x0000025489A30000-0x0000025489A40000-memory.dmp
C:\Windows\System\NkCgtGs.exe
| MD5 | 834afd1150f6f5583fc9eb45217b6ac5 |
| SHA1 | 470e15e27969675e6b5e9d2eef56dd6f1ce47cbb |
| SHA256 | fd395abaf6ef142d40802b05e56593905aeb5705d0245a87c018a90a6daa37e7 |
| SHA512 | 54cfcc04d084516c2e9add81a1adf0c89cf80322b317c5a7752cf21ae875bfa88520c4ed8cf868c86525b84533327566f1fcb053f7f78a9e832e960e55f1cb90 |
C:\Windows\System\YTVUtlc.exe
| MD5 | 0ebe35220881669986b3c7b932010b2d |
| SHA1 | 7d9c717b18dd47a8583808010682980f298b5419 |
| SHA256 | 839f23845ff5649b7c833d0381f9cc881d4cc43ceab9aab6f1854640444ad48e |
| SHA512 | 751f96100d0f54f7325dbc3b2b361bafd4b49a4e4a4a5dab9fe7b6ed956e6d0f5a13754dc65793e2678ca3f3bc9ef4eeaa7ffaf96c8ea98e5262990e1850a1eb |
memory/1544-23-0x00007FF6FF7E0000-0x00007FF6FFB31000-memory.dmp
C:\Windows\System\OXAAeJO.exe
| MD5 | d5c476113d41c256ebc21297344af4bb |
| SHA1 | 2406941bff47a6fae37ab9e34aed0254fd87b98f |
| SHA256 | 9400a71c7e11a253c9360a6bc3a3273b6ed0c1c5e4774e32dd4b64ce456a4e33 |
| SHA512 | 20ef62a57060384613ce7458b8cfa3da487cb7622db132a14125a490b2e9ef3f36d2c322e4325f7ca4a112e8c335f9d750f2431c1528cfe1e43866de3f29b5ef |
C:\Windows\System\giGiaUy.exe
| MD5 | 493b922c6681f141b7f8b638c8caba2b |
| SHA1 | 2aabf57925d08d4e0e0827448e156c04400f458a |
| SHA256 | 20b7321e969f9f2b1e9ac68ba68ea78ef32370022f1d0e7e9e9958cc19796264 |
| SHA512 | de022f04cd1f0e62b2fd2a8161882a82c487d7bde5aecdbc0abfe83b79184f8c8dd947d5a20b311a8b570f48d1aa5c16e4c44365e4192a9a1bf7b8d99b857871 |
C:\Windows\System\JSfBQPc.exe
| MD5 | 91df922314a4caab432bba0c590ca3c0 |
| SHA1 | b91e20ca4d9be7c8e6fd75ac2830eb878c22eb76 |
| SHA256 | 0cf813b51717aab8d4bf85c804cd17451a9e8a3cc11f9cb8db55a7f62fc7b809 |
| SHA512 | 41834d81c15003ab88fdc17f65dd4d58bf778aa7f748c1778b8b4cf1f00ba4e25cbf41434779e3783c6b2862972c82761d5a6dbf80e22770db840e6a09a40184 |
memory/4324-30-0x00007FF60BB00000-0x00007FF60BE51000-memory.dmp
memory/4916-27-0x00007FF67EE50000-0x00007FF67F1A1000-memory.dmp
C:\Windows\System\JSfBQPc.exe
| MD5 | 81e2929b75563211c1a50459e3381f8e |
| SHA1 | c0e3cc0d53ababb6a6b1c52c81e23009e016c583 |
| SHA256 | 744562ffe4d78d45cb867d8b360243ef34dcefec52f11260a82ec358c7e80bde |
| SHA512 | faa26b00f78064536f7adc5c712d743738d6dc78d184255142e9aee23689c53d1a716acf7c532cfcb920be03769551ecf8f83772029e77074b5d6874dd30f9df |
C:\Windows\System\TCTMJQs.exe
| MD5 | 019ddcf396cd93c990aa49d4c0033455 |
| SHA1 | d3e7a5d035f42ec9689294f0dc7bdb3c289f050f |
| SHA256 | aec148d5630b74d8211a1561f3d66744328305fa12d51536534705e629d3df98 |
| SHA512 | 8079e3acfc8ddb061e05d81a3ec5e2a36105812bc55a12faa5961a91cdcdecf7ed8facac7dd2fe610a91a9c673efd64bd3710908bf1cd394ac6a27688ba86101 |
memory/4600-19-0x00007FF7DE820000-0x00007FF7DEB71000-memory.dmp
memory/64-8-0x00007FF718410000-0x00007FF718761000-memory.dmp
C:\Windows\System\zXHLjEq.exe
| MD5 | a088c8c47bb5a2d948c6bc7ebe271edb |
| SHA1 | d7a031eb65e9ea603ae4af06ea3e9e1c384d589b |
| SHA256 | b48b028981f773182978cc3aa230f3fc61f75f8abb154846cd38efbb113def3d |
| SHA512 | a0c54f85249a34d233c6680edaab330849ec71bc1a4715307f465a30e92e8311022de103391097cd3d19092305607edd35678473bfc252c2fb2e818bbc98f36c |
memory/2592-39-0x00007FF70BDE0000-0x00007FF70C131000-memory.dmp
memory/1020-42-0x00007FF67F0E0000-0x00007FF67F431000-memory.dmp
C:\Windows\System\zqoDnrC.exe
| MD5 | 5964b58059889dd9859491f96bd10d8d |
| SHA1 | 69197c11984b535cd20c8bcc09ea32dab72123cd |
| SHA256 | 0eb24c85af0ced3d774af6420787f28be7fd78dfae18310c977a948a3104b6bf |
| SHA512 | 715abd74760a8056af3e38e64d77dc59bbe887a35340efe1ad3cfc3f801a5e8afd453a39bace57b12f44e7d1d33399aabf7cb283534ece4c7f5c9dc46c225bbb |
C:\Windows\System\WDuqChN.exe
| MD5 | 945ff60fda5ba3daa8cfea70f362b9d4 |
| SHA1 | 02579ddefa461d950cf1422a6d546a34bf5f0850 |
| SHA256 | 0130cddde078ae99d5e6f091fb7ee9103610608e24a3c6245902ae275fb4692a |
| SHA512 | 66123bb61af2e4c8246580bc441a6185aec2e33d03aa20c4375ab9410e17855d93b871ed318bd2ff3d3647e20923a9ad850f4d764972d97c52e916cfbbd74851 |
memory/4092-49-0x00007FF779160000-0x00007FF7794B1000-memory.dmp
C:\Windows\System\JJerXRV.exe
| MD5 | 1ef535470e3191b18c1c97f3a131c30e |
| SHA1 | e43a11aa0c49faaec307a08d00501194aa58ab99 |
| SHA256 | 89343e0dbba48ecbb84302ff95ba984551b5864f3e3987bbeeb8253002df28d2 |
| SHA512 | 5d5b6149bf4f717f8b2f9c12f95246bde709349c8124c328bd730458106e329857fb1511f4876e8ec9eb55153f574e703613635b6cf8c1a76a52b401438256a6 |
C:\Windows\System\fdgzivV.exe
| MD5 | 19706a86f897175c5888bbf351da42a0 |
| SHA1 | c3ffaebd6c326825a4d46cff1ced9c0954477879 |
| SHA256 | a3bd6aa4a4ec199fbbb0d4967ffc15fb569125bea2500600e90f6227d9ba03fd |
| SHA512 | d4e562641f026203f74ff649853eb1d6b927d7c79c50f1dd53778ae10841985af0edd6aed0daf787eece7e319601f82f0321e778f6a5147c981ad4e29c81585f |
memory/4060-68-0x00007FF7D2CB0000-0x00007FF7D3001000-memory.dmp
C:\Windows\System\isXFKMv.exe
| MD5 | feb045a32085a1f34e58f30fda1695e7 |
| SHA1 | 4bf7c50178395779b614a17bf10cff5239514c8e |
| SHA256 | c78a5fd68f9713c32af40a1a511f2f69402367c42702e9f85c0bacb262f874bb |
| SHA512 | 55818cec08b455c43d1cddb282f26a2f7816dc53579143072dd50e09f7c545088a1f7a7409683f89f7d55be6fe0606552a127c9d514c431f42ce08e5f1bb13c3 |
memory/1712-89-0x00007FF6C4E30000-0x00007FF6C5181000-memory.dmp
C:\Windows\System\lbckSTS.exe
| MD5 | 5ebfc77ec0168868b1e4c96e57a61dd7 |
| SHA1 | 599584eaa4d7f84e0b5b578326b805d407e28d77 |
| SHA256 | edd4576ae412d8d7f883d66db9a4eabc3be3fb5329312f33c06091d613ca2b92 |
| SHA512 | 2ece8589a57b80df7efa8e9b170d27f179b761e688768e225b167aa3c31c69cb5c8a2e978cabfe0b44d9e47f57f97aca6ed9456f9e3cad588ff08a4e38acaf39 |
C:\Windows\System\CRPzXLc.exe
| MD5 | 0a451739471457a3e89581f9fef700b5 |
| SHA1 | 1cebf4fabbd3fdc015ebecbb45ed4bc520de4ccb |
| SHA256 | 251b668626baa383fbd3025d79dbfb55be2eec37270a7a6f0cf5a5216c39e72f |
| SHA512 | 69e002a0a718d2f5475aff0f873e674999bdaeaa7f54f57404e0e481eba0261c6ec2da08bafab1c0bc8a654389148539be1ad1e623927b7b7d11a874299d84d9 |
memory/4324-114-0x00007FF60BB00000-0x00007FF60BE51000-memory.dmp
memory/3324-119-0x00007FF629850000-0x00007FF629BA1000-memory.dmp
C:\Windows\System\FnNZMew.exe
| MD5 | 91792ea02e2b32834667fc566277504d |
| SHA1 | 230a5510c05ab95ad906e538cb8f9c247a431a61 |
| SHA256 | 175ef208ab40b998dd17ff6b0d032e78b6d37b9725ef1c38612edee2063687cd |
| SHA512 | 4adfcc7e7dd908a940607dc313aa508ae5fb7158e9631a6826d5cfb8a36b129a0347116d5f2ec39e2a8a5ad2fb363da22f7c200ba80be813c2b47b27a3fe9a11 |
memory/3772-115-0x00007FF6DFC70000-0x00007FF6DFFC1000-memory.dmp
C:\Windows\System\MZjoCLb.exe
| MD5 | e4a475a2956bf1ccf47323230587339e |
| SHA1 | 37f9143dab12940d1746a09f383190caa85cd43f |
| SHA256 | 3de9afca2561c1ad7e35de39651552502096010d7775545f69deb7e9fe6306d7 |
| SHA512 | a13803183fa08942f08dc22f8c079a233e6be92927235ab7aca3ff17f1a9ce5ef418239007ad65711cfbf94ddda837ade7f257d2a01372069fbee98b2f0d97dd |
memory/2932-108-0x00007FF718CA0000-0x00007FF718FF1000-memory.dmp
memory/2360-105-0x00007FF7615D0000-0x00007FF761921000-memory.dmp
memory/2032-107-0x00007FF7C2F60000-0x00007FF7C32B1000-memory.dmp
C:\Windows\System\BvnBbFQ.exe
| MD5 | f6e3f820152dabcdb658d2cbe2a9563f |
| SHA1 | 0b312f14cacd2e449029fb695c3dfd6c4508875e |
| SHA256 | bdf637d46dca2a14edef29619de08575f8d77e3c254a9d8c0ccdd9607b7dfb31 |
| SHA512 | 09c51315e4bf1df921cf450325e9d91d0d68cbb3898c28b129e28a210358e7b6d771e63cb72631770f694412d56fd4444d56dc1b1cc45050364533dcf5b8d630 |
memory/4916-88-0x00007FF67EE50000-0x00007FF67F1A1000-memory.dmp
C:\Windows\System\QfeJhGW.exe
| MD5 | b6921bdf45c9be045a1a4aca3b2fab2d |
| SHA1 | 17f7068a0c52eda278b79c762710cd0bdd351661 |
| SHA256 | bb4591c1f99b62f6d3e12432e95255f5fc9d8a112f5e284d7f845a45833e1707 |
| SHA512 | 15a78d97e4531d19065a6fbf79855e8cd7da68ff5b93f62eb91f979c299ed5e57f2d9cdc9c123ad87eb9e8dbe814e5fe736b0c8df10ef97d131d43334ae1c774 |
C:\Windows\System\BXFmkyx.exe
| MD5 | 70a2433a1e0593ef15674f16598a6417 |
| SHA1 | 978e38c5d74f66d7abf6c80f5a239400a7cef7ad |
| SHA256 | 988b9d7231749fb22e0fe3e3ed540df0bd424a0f828b59ab0b4cf10fbbe02d6a |
| SHA512 | cddcbbe62215750089638abc32fdfaf48e2f46c10a73805cdbf5624fec77b7c9e35279bd2428d9a4dda4fc71b8b28a065ad5eea1f7af3798368d6a268b19f26c |
C:\Windows\System\RlbtPwF.exe
| MD5 | 7e05c8b2fb0feeab1efbec8d54fd2034 |
| SHA1 | 19532590ef80ddbf974ba79ad0bf53f1157628ec |
| SHA256 | 5d7e3ddf154b0a8167d6fe031d71a5b1a8ef81c747bbc85438a938053e266833 |
| SHA512 | 9e0c1cc1ee88c4fdb3e561d4f6be0ae3a8fccd045401c5107168976d099d4a150d31a525d960b549294a4429f8fe476dfaa269efde80b444f14718a911e47c7e |
C:\Windows\System\ZydCZLz.exe
| MD5 | 8f40f22096882c05916004a5ecefed03 |
| SHA1 | 0047794ccad9fbcd12d8ce6ba66aaf7f814e4baf |
| SHA256 | bad785dbf83d980d59f896a2d2d7baf1881d561e1465504ff36a70b0f43d70f6 |
| SHA512 | 2e0d5fdea93f304515b05f6696a1e21a49bf450311b9ff59d750d6d4fc3aa55788c825108b8e0975ba0190c0a883ceb8d71e0460a649a670056c5c001638f333 |