Analysis Overview
| SHA256 | 373605d3ddfbbee1620af6674cb46a695ba0ab2a9ea9fd7dfc95e1d5138039e2 |
Threat Level: Known bad
The file 2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Detects Reflective DLL injection artifacts
Cobaltstrike family
xmrig
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike
UPX dump on OEP (original entry point)
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
| Reported | 2024-06-01 02:10 |
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-06-01 02:10 |
| Reported | 2024-06-01 02:13 |
| Platform | win7-20240221-en |
| Max time kernel | 137s |
| Max time network | 147s |
| Command Line | |
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\TERVYEf.exe | N/A |
| N/A | N/A | C:\Windows\System\KewUouY.exe | N/A |
| N/A | N/A | C:\Windows\System\fccYcoM.exe | N/A |
| N/A | N/A | C:\Windows\System\oLgkAMg.exe | N/A |
| N/A | N/A | C:\Windows\System\OgGKqJP.exe | N/A |
| N/A | N/A | C:\Windows\System\RmOvWrF.exe | N/A |
| N/A | N/A | C:\Windows\System\mhUDRet.exe | N/A |
| N/A | N/A | C:\Windows\System\CgrxFkV.exe | N/A |
| N/A | N/A | C:\Windows\System\MGAiVsU.exe | N/A |
| N/A | N/A | C:\Windows\System\sukIeVt.exe | N/A |
| N/A | N/A | C:\Windows\System\yKvwNdn.exe | N/A |
| N/A | N/A | C:\Windows\System\qFarsaE.exe | N/A |
| N/A | N/A | C:\Windows\System\yPAXjhg.exe | N/A |
| N/A | N/A | C:\Windows\System\YmXaPId.exe | N/A |
| N/A | N/A | C:\Windows\System\uWOBZed.exe | N/A |
| N/A | N/A | C:\Windows\System\iRsxdZC.exe | N/A |
| N/A | N/A | C:\Windows\System\jqGNxrr.exe | N/A |
| N/A | N/A | C:\Windows\System\BuUSHRF.exe | N/A |
| N/A | N/A | C:\Windows\System\TKHPVVc.exe | N/A |
| N/A | N/A | C:\Windows\System\pifZSGA.exe | N/A |
| N/A | N/A | C:\Windows\System\xxcexFD.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\TERVYEf.exe | C:\Windows\System\TERVYEf.exe |
| C:\Windows\System\KewUouY.exe | C:\Windows\System\KewUouY.exe |
| C:\Windows\System\fccYcoM.exe | C:\Windows\System\fccYcoM.exe |
| C:\Windows\System\oLgkAMg.exe | C:\Windows\System\oLgkAMg.exe |
| C:\Windows\System\OgGKqJP.exe | C:\Windows\System\OgGKqJP.exe |
| C:\Windows\System\RmOvWrF.exe | C:\Windows\System\RmOvWrF.exe |
| C:\Windows\System\mhUDRet.exe | C:\Windows\System\mhUDRet.exe |
| C:\Windows\System\CgrxFkV.exe | C:\Windows\System\CgrxFkV.exe |
| C:\Windows\System\MGAiVsU.exe | C:\Windows\System\MGAiVsU.exe |
| C:\Windows\System\sukIeVt.exe | C:\Windows\System\sukIeVt.exe |
| C:\Windows\System\yKvwNdn.exe | C:\Windows\System\yKvwNdn.exe |
| C:\Windows\System\qFarsaE.exe | C:\Windows\System\qFarsaE.exe |
| C:\Windows\System\yPAXjhg.exe | C:\Windows\System\yPAXjhg.exe |
| C:\Windows\System\YmXaPId.exe | C:\Windows\System\YmXaPId.exe |
| C:\Windows\System\uWOBZed.exe | C:\Windows\System\uWOBZed.exe |
| C:\Windows\System\iRsxdZC.exe | C:\Windows\System\iRsxdZC.exe |
| C:\Windows\System\jqGNxrr.exe | C:\Windows\System\jqGNxrr.exe |
| C:\Windows\System\BuUSHRF.exe | C:\Windows\System\BuUSHRF.exe |
| C:\Windows\System\TKHPVVc.exe | C:\Windows\System\TKHPVVc.exe |
| C:\Windows\System\pifZSGA.exe | C:\Windows\System\pifZSGA.exe |
| C:\Windows\System\xxcexFD.exe | C:\Windows\System\xxcexFD.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-06-01 02:10 |
| Reported | 2024-06-01 02:13 |
| Platform | win10v2004-20240426-en |
| Max time kernel | 148s |
| Max time network | 153s |
| Command Line | |
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jOmexhm.exe | N/A |
| N/A | N/A | C:\Windows\System\tFQjzyV.exe | N/A |
| N/A | N/A | C:\Windows\System\hmgXtoc.exe | N/A |
| N/A | N/A | C:\Windows\System\fSZtAuU.exe | N/A |
| N/A | N/A | C:\Windows\System\ybkklFw.exe | N/A |
| N/A | N/A | C:\Windows\System\lFKmwvO.exe | N/A |
| N/A | N/A | C:\Windows\System\buyUdOX.exe | N/A |
| N/A | N/A | C:\Windows\System\OQaOiuV.exe | N/A |
| N/A | N/A | C:\Windows\System\sgdlyLo.exe | N/A |
| N/A | N/A | C:\Windows\System\XfDPQph.exe | N/A |
| N/A | N/A | C:\Windows\System\OZAAIoO.exe | N/A |
| N/A | N/A | C:\Windows\System\iYFfEad.exe | N/A |
| N/A | N/A | C:\Windows\System\eFldnIe.exe | N/A |
| N/A | N/A | C:\Windows\System\BdzXCAN.exe | N/A |
| N/A | N/A | C:\Windows\System\hLihZjl.exe | N/A |
| N/A | N/A | C:\Windows\System\jweaeeA.exe | N/A |
| N/A | N/A | C:\Windows\System\OCzxLCA.exe | N/A |
| N/A | N/A | C:\Windows\System\vkKhDdq.exe | N/A |
| N/A | N/A | C:\Windows\System\FGASqSa.exe | N/A |
| N/A | N/A | C:\Windows\System\FYASsoQ.exe | N/A |
| N/A | N/A | C:\Windows\System\CRHZbAz.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\jOmexhm.exe | C:\Windows\System\jOmexhm.exe |
| C:\Windows\System\tFQjzyV.exe | C:\Windows\System\tFQjzyV.exe |
| C:\Windows\System\hmgXtoc.exe | C:\Windows\System\hmgXtoc.exe |
| C:\Windows\System\fSZtAuU.exe | C:\Windows\System\fSZtAuU.exe |
| C:\Windows\System\ybkklFw.exe | C:\Windows\System\ybkklFw.exe |
| C:\Windows\System\lFKmwvO.exe | C:\Windows\System\lFKmwvO.exe |
| C:\Windows\System\buyUdOX.exe | C:\Windows\System\buyUdOX.exe |
| C:\Windows\System\sgdlyLo.exe | C:\Windows\System\sgdlyLo.exe |
| C:\Windows\System\OQaOiuV.exe | C:\Windows\System\OQaOiuV.exe |
| C:\Windows\System\XfDPQph.exe | C:\Windows\System\XfDPQph.exe |
| C:\Windows\System\OZAAIoO.exe | C:\Windows\System\OZAAIoO.exe |
| C:\Windows\System\iYFfEad.exe | C:\Windows\System\iYFfEad.exe |
| C:\Windows\System\eFldnIe.exe | C:\Windows\System\eFldnIe.exe |
| C:\Windows\System\BdzXCAN.exe | C:\Windows\System\BdzXCAN.exe |
| C:\Windows\System\hLihZjl.exe | C:\Windows\System\hLihZjl.exe |
| C:\Windows\System\jweaeeA.exe | C:\Windows\System\jweaeeA.exe |
| C:\Windows\System\OCzxLCA.exe | C:\Windows\System\OCzxLCA.exe |
| C:\Windows\System\vkKhDdq.exe | C:\Windows\System\vkKhDdq.exe |
| C:\Windows\System\FGASqSa.exe | C:\Windows\System\FGASqSa.exe |
| C:\Windows\System\FYASsoQ.exe | C:\Windows\System\FYASsoQ.exe |
| C:\Windows\System\CRHZbAz.exe | C:\Windows\System\CRHZbAz.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
| SHA512 | 97ca965656d47c05e4d3ac93db3f95ff53657361552ffb9c322e98a1a4cb02171b0b1f505be45a4e32e7eae62e3ca378a96afa3f005af4fe8bc35900786547ac |
C:\Windows\System\buyUdOX.exe
| MD5 | 44b52ef97de23990940f3efeb590f81e |
| SHA1 | 4f485e49a69659eac8688f8dedd05f9beeff6a45 |
| SHA256 | e1cec3a74570f571f469c5af47b5001d6e9506ca3384b83a7db3acedfa70d4c9 |
| SHA512 | 8b107c8b41f661f63648806a0fcd01663471ea883b0358683b63b1a5e22f1f8003cb234d4d403c8b72b9b3a26b22145a48a9bad174659c4d8e6a9bbbd8cb320b |
C:\Windows\System\OQaOiuV.exe
| MD5 | 0deb33d3cafe5bf6d24001defef375e1 |
| SHA1 | 99435522c994cf929608d3d3e5aef1c064d8a7ea |
| SHA256 | 6cbe5587fa3199859687d59c3bf88b7751895bfa00b37030975c9c2f2f2f8dbf |
| SHA512 | a5f72a294022e1a8c3869a431bcd8b3aad27be7e7c06eccc5940e83d210820ef00230349e9959d9800a8d9ffe82f8574824be8a8a05369c3a85d6c18c39e69ce |
C:\Windows\System\sgdlyLo.exe
| MD5 | 2e1c9c8e4004856035679b2777ffe88a |
| SHA1 | bc7f853882f36b6d1d245e07bfb2de0036dce7ed |
| SHA256 | 9c3126d7ff759deb78aa2d07f70a1d06684e661374646679860c5932a2f1087e |
| SHA512 | ba53dea9b7e8ce1427ef2ffcb01dbb2a2a4bd47df7a5655472e8d5ed1cd4704e8d10b73fcbd748e2928f8c8ddc6a3d8d048270058bc505e3fa5a9e0eebad8baa |
C:\Windows\System\OZAAIoO.exe
| MD5 | e0a6eef328a2ca94c54d0f673d8948ed |
| SHA1 | cdcea59f60ca55ff554db292d5de854d5d8a8358 |
| SHA256 | 325db1219131a4b0f764e813b93bb0d5da5afe20b217cc051e4abc79c0bc32eb |
| SHA512 | 0f38d97d3ffa2da7adf0d4b0c783c7b632e9a3570ea3670678bb0530b2603faa6282dd8a07635334ecbc4fbd14464d2d86b6415254205567365859a1966dd9aa |
C:\Windows\System\iYFfEad.exe
| MD5 | 2796cf7a87b025878c9455bc46bd5a18 |
| SHA1 | b2f1ae76898778acad2b8df34974d7292a3e79af |
| SHA256 | 3c93387ac93f780e95e2ab93f25052560ed35bab105034b00c7edf22f41d0fb8 |
| SHA512 | aa44562eac6a538f6c29fe896bab3231428fce47d0d453748abdc8ace8064cdf2c95a7783da9c72bb197e623af432ea01f42464b45ca5923506ecd18d9493322 |
memory/2272-76-0x00007FF6B2120000-0x00007FF6B2474000-memory.dmp
memory/388-83-0x00007FF70A050000-0x00007FF70A3A4000-memory.dmp
memory/632-85-0x00007FF7DAB50000-0x00007FF7DAEA4000-memory.dmp
C:\Windows\System\BdzXCAN.exe
| MD5 | c66ba6e8c31801312abad37deb533242 |
| SHA1 | 60b194deed27fe468b822a411b7aeba621d54082 |
| SHA256 | 31dc1875ce9260726a39cc2bc4f552b8964fdc991cdbb82ad3b86bf8d2da78a7 |
| SHA512 | 0618367a34081b1b3cc9de425a8ec62812618168c0d282322bf0a531530f4a85d204350f14670ba9d01d1269350edf85685c9773a8bc0d03f798b8f5618b1a01 |
memory/1848-84-0x00007FF6A3F10000-0x00007FF6A4264000-memory.dmp
memory/804-82-0x00007FF6583C0000-0x00007FF658714000-memory.dmp
C:\Windows\System\eFldnIe.exe
| MD5 | 9e6fdad08db46894c0c2c2274d720199 |
| SHA1 | fb587171332866571e97b2f864e47da5d449f41d |
| SHA256 | 17acfb3e8820cec637a42a97d27483660764a6741017bebc411c5055da78dcc9 |
| SHA512 | 5e5871b41ab659b3c3f4e8c04af450e81832f21b3856646891378bda135a82f560ac8243a4f2b99a8ebb5d8b2b53f29c0c684e057f91508e865c9e387f2062d9 |
memory/856-71-0x00007FF6589C0000-0x00007FF658D14000-memory.dmp
memory/2656-66-0x00007FF690AD0000-0x00007FF690E24000-memory.dmp
C:\Windows\System\XfDPQph.exe
| MD5 | 594e579008375fb11ab368e5b5f1708b |
| SHA1 | e478727f60cbc82a7eecc65e715b0b78791a9a9d |
| SHA256 | 761a99623799098e7ea2cf81a6aec15d62dccd1b8b81e69a3a31c3fef48bbe3a |
| SHA512 | a3dd66279db6b750c1df2743562adce1c12fb74518a14195c79eac66eea57102b75b51ad7bae92a83171197413a7eaf071a260d30d5aae58f7263b6f5b8afe90 |
memory/4696-53-0x00007FF7F4E30000-0x00007FF7F5184000-memory.dmp
memory/3324-45-0x00007FF7D0490000-0x00007FF7D07E4000-memory.dmp
memory/2508-35-0x00007FF6FA070000-0x00007FF6FA3C4000-memory.dmp
memory/4224-27-0x00007FF6C86D0000-0x00007FF6C8A24000-memory.dmp
memory/4068-22-0x00007FF704EC0000-0x00007FF705214000-memory.dmp
memory/3020-14-0x00007FF7B2B20000-0x00007FF7B2E74000-memory.dmp
memory/3968-91-0x00007FF7025E0000-0x00007FF702934000-memory.dmp
C:\Windows\System\jweaeeA.exe
| MD5 | 7d90ab526ea2f72ef14894994c7cd6bd |
| SHA1 | 849eea85f6967e54ace334be3b2e42a9ebbe35d9 |
| SHA256 | 65c0976986047ef2d921059c870193564a40e7a668d151670541855c0aa59114 |
| SHA512 | f5f143ccb7f2d64f8af347cb5564fc4d86e6055b23fe4177b2e370a2498fe8e11600d7c86482c6d2ff4a18fff6648341a36af5eee6ab7bb3157373a17f357600 |
memory/4232-111-0x00007FF6F0710000-0x00007FF6F0A64000-memory.dmp
C:\Windows\System\vkKhDdq.exe
| MD5 | 2cc66b714904a63c9b1f2d1076dfb70d |
| SHA1 | cfc33a163aec6bf165345d3de3694814aaabc68b |
| SHA256 | 4fa8dfe2a4c09d8c7b6712bd93b9632b58941d42e9ed36c7aa097619742bce17 |
| SHA512 | 8aad97fb1ba8e0fe8bc89657570663a476ed95940be13c829a951d60611875344ea1511e01919e64200bb2fecc76384405dad4935159f9a505be6d6552923e6c |
memory/1012-120-0x00007FF7CB7E0000-0x00007FF7CBB34000-memory.dmp
memory/3928-121-0x00007FF7342B0000-0x00007FF734604000-memory.dmp
C:\Windows\System\FGASqSa.exe
| MD5 | 8b29b9f08e1a44bc6c182e151978430c |
| SHA1 | a827fa29ad04d8062747ff794fd7d3f83f42c2d6 |
| SHA256 | 5c616e8bb75898f76cd7a4c42bdb096891a62dff62c9e7e1846c0d665fc0a32e |
| SHA512 | 9a908e0a30ec7431af10a61089b7f953eab79a5e8d26b4601eb190eb413c9080c9cbfd4b0683453296dd4ccabc11c3b750965f75cbb468ca59078d1c10d4d2b5 |
C:\Windows\System\CRHZbAz.exe
| MD5 | 0628f6b2b3c73c58f0f47a34f7980f3f |
| SHA1 | 92f5ecf1efed1bfe05b90d4f6aad2cd8f8330ef0 |
| SHA256 | 1d281b7b145e4df4a96cd20dd11cff6fed0422a6cccf601f202fe7ae2d2648f2 |
| SHA512 | f6e5f688ec0b82e80833a6e35f5e40d408a56983ab60599171132cf48ef69899533d4439dc16019b8b1d605a4cbafa40b6936d549bf513b48a879c9239774368 |
C:\Windows\System\FYASsoQ.exe
| MD5 | 2f60aa07270c18743e948889752ba7f4 |
| SHA1 | a8e0b7af7f87f972d4e79fc43c5966f677e9eed4 |
| SHA256 | cd66ee14ed021ed2664a7892d99929d1653078044791946bb92004d69003c970 |
| SHA512 | 526d220737c3e3993c18caa4de9f5cc19701763996a66c965b6df24c488acee2dbb8813b2c7d2fba94ac0ec76ff775f0473cee9ddf11a478bc51c6353d67db1c |
memory/4224-112-0x00007FF6C86D0000-0x00007FF6C8A24000-memory.dmp
C:\Windows\System\OCzxLCA.exe
| MD5 | 20dd476aa2cbd01285fb68769d6e3f39 |
| SHA1 | c2914f4f8805a093e337e33b3d2e782355a7ccc1 |
| SHA256 | 9b37e1eb4892e242a388ee667ab25be116fd82958efe27dfb08b8447aadd9a7b |
| SHA512 | d494e5dbfce9bac3aae5355dd9f4f27bd05eab8c338e020cb5fc8ef64a0a78ad8abb18dbdb3cb25d7314efc7e5da5a72358a6a9e93ab9b478e9dd649481c7d2c |
memory/1200-106-0x00007FF6241D0000-0x00007FF624524000-memory.dmp
C:\Windows\System\hLihZjl.exe
| MD5 | 0271029edffec6f0ffd9ba81405df508 |
| SHA1 | 768b3fab0757282a9db753cbe140cf15179e6d89 |
| SHA256 | a78a7618df7166bb3784814ac8757cc720b55de4c8592dfc04644914473f10c4 |
| SHA512 | bcdafe613e0add9d8760f8671eca8759189b70b9acec69d5040b0ff97b748332bb24a2ed50f9681c0f5143a3b52c4b91653d73c1980e0ed7c511714a4e27bd08 |
memory/2624-96-0x00007FF6C3660000-0x00007FF6C39B4000-memory.dmp
memory/2152-129-0x00007FF7FE350000-0x00007FF7FE6A4000-memory.dmp
memory/3372-131-0x00007FF759710000-0x00007FF759A64000-memory.dmp
memory/2348-130-0x00007FF7A0F60000-0x00007FF7A12B4000-memory.dmp
memory/2508-132-0x00007FF6FA070000-0x00007FF6FA3C4000-memory.dmp
memory/4696-134-0x00007FF7F4E30000-0x00007FF7F5184000-memory.dmp
memory/856-135-0x00007FF6589C0000-0x00007FF658D14000-memory.dmp
memory/3324-133-0x00007FF7D0490000-0x00007FF7D07E4000-memory.dmp
memory/2624-137-0x00007FF6C3660000-0x00007FF6C39B4000-memory.dmp
memory/632-136-0x00007FF7DAB50000-0x00007FF7DAEA4000-memory.dmp
memory/1200-138-0x00007FF6241D0000-0x00007FF624524000-memory.dmp
memory/4232-139-0x00007FF6F0710000-0x00007FF6F0A64000-memory.dmp
memory/3968-140-0x00007FF7025E0000-0x00007FF702934000-memory.dmp
memory/3020-141-0x00007FF7B2B20000-0x00007FF7B2E74000-memory.dmp
memory/4068-142-0x00007FF704EC0000-0x00007FF705214000-memory.dmp
memory/4224-143-0x00007FF6C86D0000-0x00007FF6C8A24000-memory.dmp
memory/2152-144-0x00007FF7FE350000-0x00007FF7FE6A4000-memory.dmp
memory/2508-145-0x00007FF6FA070000-0x00007FF6FA3C4000-memory.dmp
memory/3324-146-0x00007FF7D0490000-0x00007FF7D07E4000-memory.dmp
memory/4696-148-0x00007FF7F4E30000-0x00007FF7F5184000-memory.dmp
memory/2656-147-0x00007FF690AD0000-0x00007FF690E24000-memory.dmp
memory/2272-149-0x00007FF6B2120000-0x00007FF6B2474000-memory.dmp
memory/804-150-0x00007FF6583C0000-0x00007FF658714000-memory.dmp
memory/856-151-0x00007FF6589C0000-0x00007FF658D14000-memory.dmp
memory/388-152-0x00007FF70A050000-0x00007FF70A3A4000-memory.dmp
memory/632-153-0x00007FF7DAB50000-0x00007FF7DAEA4000-memory.dmp
memory/2624-154-0x00007FF6C3660000-0x00007FF6C39B4000-memory.dmp
memory/1200-155-0x00007FF6241D0000-0x00007FF624524000-memory.dmp
memory/1012-156-0x00007FF7CB7E0000-0x00007FF7CBB34000-memory.dmp
memory/4232-157-0x00007FF6F0710000-0x00007FF6F0A64000-memory.dmp
memory/3928-158-0x00007FF7342B0000-0x00007FF734604000-memory.dmp
memory/2348-160-0x00007FF7A0F60000-0x00007FF7A12B4000-memory.dmp
memory/3372-159-0x00007FF759710000-0x00007FF759A64000-memory.dmp