Analysis Overview
SHA256
ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20
Threat Level: Known bad
The file ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20 was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
xmrig
XMRig Miner payload
Cobaltstrike
Xmrig family
Cobaltstrike family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-01 11:33
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 11:33
Reported
2024-06-01 11:35
Platform
win7-20240508-en
Max time kernel
144s
Max time network
148s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FnINxgE.exe | N/A |
| N/A | N/A | C:\Windows\System\YSeYTsA.exe | N/A |
| N/A | N/A | C:\Windows\System\xvXFzjL.exe | N/A |
| N/A | N/A | C:\Windows\System\yhlmKdw.exe | N/A |
| N/A | N/A | C:\Windows\System\KLYivic.exe | N/A |
| N/A | N/A | C:\Windows\System\HtVZlXe.exe | N/A |
| N/A | N/A | C:\Windows\System\QtFqLYm.exe | N/A |
| N/A | N/A | C:\Windows\System\kcAnWhn.exe | N/A |
| N/A | N/A | C:\Windows\System\hbIphxY.exe | N/A |
| N/A | N/A | C:\Windows\System\hbEIaap.exe | N/A |
| N/A | N/A | C:\Windows\System\GriFaZh.exe | N/A |
| N/A | N/A | C:\Windows\System\DUTJTzR.exe | N/A |
| N/A | N/A | C:\Windows\System\OFOUWtg.exe | N/A |
| N/A | N/A | C:\Windows\System\Vuhtkcm.exe | N/A |
| N/A | N/A | C:\Windows\System\qqITEfC.exe | N/A |
| N/A | N/A | C:\Windows\System\hAKCWtv.exe | N/A |
| N/A | N/A | C:\Windows\System\cCUcSdo.exe | N/A |
| N/A | N/A | C:\Windows\System\tVBwLRF.exe | N/A |
| N/A | N/A | C:\Windows\System\YQBjmgp.exe | N/A |
| N/A | N/A | C:\Windows\System\WoYjZNh.exe | N/A |
| N/A | N/A | C:\Windows\System\FernKRV.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe
"C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe"
C:\Windows\System\FnINxgE.exe
C:\Windows\System\FnINxgE.exe
C:\Windows\System\xvXFzjL.exe
C:\Windows\System\xvXFzjL.exe
C:\Windows\System\YSeYTsA.exe
C:\Windows\System\YSeYTsA.exe
C:\Windows\System\yhlmKdw.exe
C:\Windows\System\yhlmKdw.exe
C:\Windows\System\KLYivic.exe
C:\Windows\System\KLYivic.exe
C:\Windows\System\HtVZlXe.exe
C:\Windows\System\HtVZlXe.exe
C:\Windows\System\QtFqLYm.exe
C:\Windows\System\QtFqLYm.exe
C:\Windows\System\kcAnWhn.exe
C:\Windows\System\kcAnWhn.exe
C:\Windows\System\hbIphxY.exe
C:\Windows\System\hbIphxY.exe
C:\Windows\System\hbEIaap.exe
C:\Windows\System\hbEIaap.exe
C:\Windows\System\GriFaZh.exe
C:\Windows\System\GriFaZh.exe
C:\Windows\System\DUTJTzR.exe
C:\Windows\System\DUTJTzR.exe
C:\Windows\System\OFOUWtg.exe
C:\Windows\System\OFOUWtg.exe
C:\Windows\System\Vuhtkcm.exe
C:\Windows\System\Vuhtkcm.exe
C:\Windows\System\qqITEfC.exe
C:\Windows\System\qqITEfC.exe
C:\Windows\System\hAKCWtv.exe
C:\Windows\System\hAKCWtv.exe
C:\Windows\System\cCUcSdo.exe
C:\Windows\System\cCUcSdo.exe
C:\Windows\System\tVBwLRF.exe
C:\Windows\System\tVBwLRF.exe
C:\Windows\System\YQBjmgp.exe
C:\Windows\System\YQBjmgp.exe
C:\Windows\System\WoYjZNh.exe
C:\Windows\System\WoYjZNh.exe
C:\Windows\System\FernKRV.exe
C:\Windows\System\FernKRV.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\FnINxgE.exe
\Windows\system\xvXFzjL.exe
C:\Windows\system\yhlmKdw.exe
C:\Windows\system\HtVZlXe.exe
C:\Windows\system\KLYivic.exe
C:\Windows\system\YSeYTsA.exe
C:\Windows\system\QtFqLYm.exe
\Windows\system\hbIphxY.exe
C:\Windows\system\kcAnWhn.exe
C:\Windows\system\hbEIaap.exe
C:\Windows\system\DUTJTzR.exe
C:\Windows\system\Vuhtkcm.exe
C:\Windows\system\qqITEfC.exe
C:\Windows\system\hAKCWtv.exe
C:\Windows\system\WoYjZNh.exe
\Windows\system\FernKRV.exe
C:\Windows\system\YQBjmgp.exe
C:\Windows\system\tVBwLRF.exe
C:\Windows\system\cCUcSdo.exe
C:\Windows\system\OFOUWtg.exe
C:\Windows\system\GriFaZh.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 11:33
Reported
2024-06-01 11:35
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
152s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\MzEgahp.exe | N/A |
| N/A | N/A | C:\Windows\System\mVKNEup.exe | N/A |
| N/A | N/A | C:\Windows\System\iBpitNG.exe | N/A |
| N/A | N/A | C:\Windows\System\GpAQsob.exe | N/A |
| N/A | N/A | C:\Windows\System\zVKYlqZ.exe | N/A |
| N/A | N/A | C:\Windows\System\MTfBNmC.exe | N/A |
| N/A | N/A | C:\Windows\System\kHrKwvw.exe | N/A |
| N/A | N/A | C:\Windows\System\VzefQtl.exe | N/A |
| N/A | N/A | C:\Windows\System\Elnhkiu.exe | N/A |
| N/A | N/A | C:\Windows\System\doATtpU.exe | N/A |
| N/A | N/A | C:\Windows\System\yOuvAHW.exe | N/A |
| N/A | N/A | C:\Windows\System\vNKhfPq.exe | N/A |
| N/A | N/A | C:\Windows\System\TVCrLEM.exe | N/A |
| N/A | N/A | C:\Windows\System\SFADwmX.exe | N/A |
| N/A | N/A | C:\Windows\System\oudOCAN.exe | N/A |
| N/A | N/A | C:\Windows\System\HDnKsLs.exe | N/A |
| N/A | N/A | C:\Windows\System\KLnuRbz.exe | N/A |
| N/A | N/A | C:\Windows\System\vOLEbOZ.exe | N/A |
| N/A | N/A | C:\Windows\System\uYBJbRg.exe | N/A |
| N/A | N/A | C:\Windows\System\sRorSFq.exe | N/A |
| N/A | N/A | C:\Windows\System\cRGZRfL.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe
"C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe"
C:\Windows\System\MzEgahp.exe
C:\Windows\System\MzEgahp.exe
C:\Windows\System\mVKNEup.exe
C:\Windows\System\mVKNEup.exe
C:\Windows\System\iBpitNG.exe
C:\Windows\System\iBpitNG.exe
C:\Windows\System\GpAQsob.exe
C:\Windows\System\GpAQsob.exe
C:\Windows\System\zVKYlqZ.exe
C:\Windows\System\zVKYlqZ.exe
C:\Windows\System\MTfBNmC.exe
C:\Windows\System\MTfBNmC.exe
C:\Windows\System\kHrKwvw.exe
C:\Windows\System\kHrKwvw.exe
C:\Windows\System\VzefQtl.exe
C:\Windows\System\VzefQtl.exe
C:\Windows\System\doATtpU.exe
C:\Windows\System\doATtpU.exe
C:\Windows\System\Elnhkiu.exe
C:\Windows\System\Elnhkiu.exe
C:\Windows\System\yOuvAHW.exe
C:\Windows\System\yOuvAHW.exe
C:\Windows\System\vNKhfPq.exe
C:\Windows\System\vNKhfPq.exe
C:\Windows\System\TVCrLEM.exe
C:\Windows\System\TVCrLEM.exe
C:\Windows\System\SFADwmX.exe
C:\Windows\System\SFADwmX.exe
C:\Windows\System\oudOCAN.exe
C:\Windows\System\oudOCAN.exe
C:\Windows\System\HDnKsLs.exe
C:\Windows\System\HDnKsLs.exe
C:\Windows\System\KLnuRbz.exe
C:\Windows\System\KLnuRbz.exe
C:\Windows\System\vOLEbOZ.exe
C:\Windows\System\vOLEbOZ.exe
C:\Windows\System\uYBJbRg.exe
C:\Windows\System\uYBJbRg.exe
C:\Windows\System\sRorSFq.exe
C:\Windows\System\sRorSFq.exe
C:\Windows\System\cRGZRfL.exe
C:\Windows\System\cRGZRfL.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
C:\Windows\System\MzEgahp.exe
C:\Windows\System\iBpitNG.exe
C:\Windows\System\mVKNEup.exe
C:\Windows\System\GpAQsob.exe
C:\Windows\System\zVKYlqZ.exe
C:\Windows\System\MTfBNmC.exe
C:\Windows\System\kHrKwvw.exe
C:\Windows\System\VzefQtl.exe
C:\Windows\System\doATtpU.exe
C:\Windows\System\vNKhfPq.exe
C:\Windows\System\vOLEbOZ.exe
C:\Windows\System\cRGZRfL.exe
C:\Windows\System\sRorSFq.exe
| MD5 | 61cc153e8129e57215a3c0a02a3321c1 |
| SHA1 | 07fa8269b046cb76ed80a43f72ac9e0362814952 |
| SHA256 | 8e281dd8d9952606b02c2fbf105e7c099ed9c6c4c4ad6e3bf9e41ede8ce9987d |
| SHA512 | 37c792d4e9fe07e053e62596d91fa3980c9b9f79db6ae9686b3b90de16e7be4fa9bde888d6002ab091e93730cdba958cd72c9ab18f5776c7f8b460deb40b0b08 |
C:\Windows\System\uYBJbRg.exe
| MD5 | 052decb94e795b3548bbfeeb6190f077 |
| SHA1 | 3eafaefe1388de40193db28a3b0313fc466a7c8b |
| SHA256 | 5bdd80479b6fd36f38126012b2ee66f11da506435e5666b2d2aa1fa11d54de8f |
| SHA512 | 79ef098491c47a373163c2bfc8bd560fc13d16bc300e8fbe1c1fa808ef370c1294b3fc92b442651ff6a4bbbcb281f6291f6be6f4978386f5ab04174175b4ca13 |
C:\Windows\System\KLnuRbz.exe
| MD5 | 6ba8503a1dd333db0c2646cd8af04582 |
| SHA1 | dad545569715fe002730789f5f14c3394ddbb11e |
| SHA256 | 75732e6cd6d8c2e38315272efa7ff8bf2a196f5adf1c2ce36a806af51747b724 |
| SHA512 | 978963cd3199cb035e773cd7774c34a4e3f00ddebeaf80c98bce0bbd78f05783b93e8a7321c84f2f85c9f1132cb06ce56cb7bdc57fe1f7ca876febc46bff4593 |
C:\Windows\System\HDnKsLs.exe
| MD5 | a33d11710829823899ec03dd5d2c924d |
| SHA1 | 1bd85af18979591c28f7efb3bbbace84feda2a16 |
| SHA256 | c51530bf8a8b8cac27c9fc9516e16fbc633f37ca6ad420640d7a331cc5ddf423 |
| SHA512 | c9e07f8f6f7f27311dce23d5f486b182db4aab3028d71af26bfdf565047940da0433298102e0c00b118a30365650c42cf1430c47359bee1207da52977f58ca93 |
C:\Windows\System\oudOCAN.exe
| MD5 | 7f430e0b9b725f7bec921381772e5962 |
| SHA1 | 13710cf54c6b8f4003615512041eb8bcaffaf772 |
| SHA256 | 9293954ff891f9ca033d0baee270b38c5172836433d9bfffc3aa3150dac1f892 |
| SHA512 | 376213a76e68934b6dfe7543a1f96ec75d5868758bf4d3a3c5153f3e3e75995eafabdbbd6ff008488fd1f2512f7c05856f1aa08e43f0d5c1879b18798efc0bcc |
C:\Windows\System\SFADwmX.exe
| MD5 | e3ff768f9f4a5a1350ee463301af0fea |
| SHA1 | e5f78ce9a24ea8fd8632e8a038a1ff957af5c2b8 |
| SHA256 | f03117384d55dec40502f0dc6cee88fee7ecbccbb97c5f153c4528fe1467c236 |
| SHA512 | 38d9b84f7f092cd7818b2e0831637295042955c17961c9aee16d3d97a667bf8324fdb82534dd666d1d88f0c220e1f4ac0ef7b16839e98407f811aeab2383fbff |
C:\Windows\System\TVCrLEM.exe
| MD5 | d67aa2253b4cd2335f52bc9c5e36aa70 |
| SHA1 | 68f7c34ec39db43d400b14a886cba8b7500725fc |
| SHA256 | 92b9296eb5e5a8b17093391aab50dd61f71e3920634b39b7533bb0dc366dc09d |
| SHA512 | c070e80612647f3ccabfe3129de6e10fd99b9d1ea0b60c9c058b45c8893304c8dd6bbcad303fd26ce6dd77c22659f8eedea1d52839c2b1c1bd69e32cd8d522b9 |
C:\Windows\System\yOuvAHW.exe
| MD5 | 8cabc4814adc5ba204df8aa8f57fe7eb |
| SHA1 | 526ec3fd439d6c1ab516760e02e3fb1bccd664c5 |
| SHA256 | b5e84a6fc4d6c72e9f708ced9aa60100025f8861fddb1c4dae1a64f56c856db3 |
| SHA512 | 89bcd6ef384a972a7d1e1cdc14f203f45506d2e4ed3bbd45b90475f2f973164b6bf0faf251fa0ec57d3526359e0606d5f9623bfe9bfaede94c48b4e4f3a6b075 |
C:\Windows\System\Elnhkiu.exe
| MD5 | 33f04b34280b3dc0e026a8288fc6d2ff |
| SHA1 | fb82dbc0801d19c2defd4d46ab5cade159502302 |
| SHA256 | 94d6464304387ea7565dd2fa552d07abd556410d728b6eca7b7270b73fbfa5b1 |
| SHA512 | 42c5deb10416f75925012bfa23e57e831226997f5c39d30fb5c690c424aaa237e7e3ce8400e7565e8d1478696b99abb0cb27b2e585bff9a56f4750695a5a5906 |
memory/4992-55-0x00007FF7DC3A0000-0x00007FF7DC6F4000-memory.dmp
memory/1032-117-0x00007FF635260000-0x00007FF6355B4000-memory.dmp
memory/4916-120-0x00007FF6778E0000-0x00007FF677C34000-memory.dmp
memory/4380-119-0x00007FF7552C0000-0x00007FF755614000-memory.dmp
memory/4624-122-0x00007FF79A750000-0x00007FF79AAA4000-memory.dmp
memory/4864-123-0x00007FF703950000-0x00007FF703CA4000-memory.dmp
memory/4872-124-0x00007FF607C60000-0x00007FF607FB4000-memory.dmp
memory/4984-121-0x00007FF6032F0000-0x00007FF603644000-memory.dmp
memory/3860-118-0x00007FF7DB9F0000-0x00007FF7DBD44000-memory.dmp
memory/396-125-0x00007FF67F650000-0x00007FF67F9A4000-memory.dmp
memory/2312-126-0x00007FF6673F0000-0x00007FF667744000-memory.dmp
memory/1388-127-0x00007FF624F50000-0x00007FF6252A4000-memory.dmp
memory/5012-128-0x00007FF77CA60000-0x00007FF77CDB4000-memory.dmp
memory/336-129-0x00007FF6DEAA0000-0x00007FF6DEDF4000-memory.dmp
memory/4172-130-0x00007FF624D40000-0x00007FF625094000-memory.dmp
memory/4500-131-0x00007FF7D8E30000-0x00007FF7D9184000-memory.dmp
memory/3036-132-0x00007FF7792B0000-0x00007FF779604000-memory.dmp
memory/4656-133-0x00007FF7DF4C0000-0x00007FF7DF814000-memory.dmp
memory/5084-134-0x00007FF714CF0000-0x00007FF715044000-memory.dmp
memory/4992-135-0x00007FF7DC3A0000-0x00007FF7DC6F4000-memory.dmp
memory/5064-136-0x00007FF7808C0000-0x00007FF780C14000-memory.dmp
memory/336-137-0x00007FF6DEAA0000-0x00007FF6DEDF4000-memory.dmp
memory/4488-138-0x00007FF7D7660000-0x00007FF7D79B4000-memory.dmp
memory/4172-139-0x00007FF624D40000-0x00007FF625094000-memory.dmp
memory/4500-140-0x00007FF7D8E30000-0x00007FF7D9184000-memory.dmp
memory/3036-141-0x00007FF7792B0000-0x00007FF779604000-memory.dmp
memory/4656-142-0x00007FF7DF4C0000-0x00007FF7DF814000-memory.dmp
memory/5084-143-0x00007FF714CF0000-0x00007FF715044000-memory.dmp
memory/1020-144-0x00007FF71B1F0000-0x00007FF71B544000-memory.dmp
memory/4992-145-0x00007FF7DC3A0000-0x00007FF7DC6F4000-memory.dmp
memory/5064-146-0x00007FF7808C0000-0x00007FF780C14000-memory.dmp
memory/3860-148-0x00007FF7DB9F0000-0x00007FF7DBD44000-memory.dmp
memory/4380-147-0x00007FF7552C0000-0x00007FF755614000-memory.dmp
memory/4984-150-0x00007FF6032F0000-0x00007FF603644000-memory.dmp
memory/4872-152-0x00007FF607C60000-0x00007FF607FB4000-memory.dmp
memory/396-153-0x00007FF67F650000-0x00007FF67F9A4000-memory.dmp
memory/4916-154-0x00007FF6778E0000-0x00007FF677C34000-memory.dmp
memory/4864-151-0x00007FF703950000-0x00007FF703CA4000-memory.dmp
memory/4624-149-0x00007FF79A750000-0x00007FF79AAA4000-memory.dmp
memory/1388-156-0x00007FF624F50000-0x00007FF6252A4000-memory.dmp
memory/2312-157-0x00007FF6673F0000-0x00007FF667744000-memory.dmp
memory/5012-155-0x00007FF77CA60000-0x00007FF77CDB4000-memory.dmp
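The dropped-file hash rows and memory-dump names above are the reusable part of this report, but they are laid out for reading, not for hunting. The script below is an added example (not part of the sandbox report or its tooling) that parses a copied subset of the listing into IOC records: it attaches each hash row to the preceding path line, checks that every digest is well-formed hex of the length its algorithm implies, decodes each `memory/<pid>-<seq>-<base>-<end>` name into a numeric range, and groups ranges by size. The grouping is the point worth checking by hand as well: every region in the listing spans 0x354000 bytes regardless of PID, which is consistent with one executable image being mapped into each of those processes rather than many unrelated allocations. The sample text is a subset of the listing constructed inline so the script runs offline; the function names are this example's own.

```python
import re
from collections import defaultdict

# Subset of the dropped-file / memory-dump listing above, constructed inline.
# A raw string keeps the Windows path backslashes intact.
SAMPLE_LISTING = r"""
C:\Windows\System\VzefQtl.exe
| MD5 | e893b63a5189ab79dac5349ca9443263 |
| SHA1 | de8e974dd57fcaf17340629b3902469c31e5a2d2 |
| SHA256 | 377d5f3ffada57a3f587fe8c558ddcad678167289f40290bf7f37023c15d6759 |
memory/5084-54-0x00007FF714CF0000-0x00007FF715044000-memory.dmp
memory/1020-57-0x00007FF71B1F0000-0x00007FF71B544000-memory.dmp
C:\Windows\System\doATtpU.exe
| MD5 | 0f1b20567d6905b4ef9bb89a7954b0bf |
| SHA256 | 7180e2b088c70d32d65fda008e52003345eb221055a08317ed4b55d7580991a2 |
memory/5084-134-0x00007FF714CF0000-0x00007FF715044000-memory.dmp
"""

# Hex digest length each algorithm must produce; anything else is a copy error.
EXPECTED_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([^|\s]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_listing(text):
    """Return (files, regions).

    files:   {path: {alg: hexdigest}} for each dropped file.
    regions: [{pid, seq, base, end, size}] for each memory dump, in file order.
    Hash rows are attached to the most recent path line, which is how the
    report lays them out (path line, then its hash rows).
    """
    files = {}
    regions = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row before any path line: {line}")
            files[current][m.group(1)] = m.group(2).lower()
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq = int(m.group(1)), int(m.group(2))
            base, end = int(m.group(3), 16), int(m.group(4), 16)
            regions.append({"pid": pid, "seq": seq, "base": base, "end": end, "size": end - base})
    return files, regions


def validate_hashes(files):
    """List (path, alg, reason) for digests that are not hex of the expected length."""
    problems = []
    for path, digests in files.items():
        for alg, value in digests.items():
            if len(value) != EXPECTED_HEX_LEN[alg]:
                problems.append((path, alg, f"expected {EXPECTED_HEX_LEN[alg]} hex chars, got {len(value)}"))
            elif not re.fullmatch(r"[0-9a-f]+", value):
                problems.append((path, alg, "non-hex characters"))
    return problems


def regions_by_size(regions):
    """Group dumped regions by byte size: {size: sorted unique PIDs}.

    Many PIDs sharing one size is the signal to look for; in the report every
    region is 0x354000 bytes, i.e. the same image mapped into each process.
    """
    groups = defaultdict(set)
    for r in regions:
        groups[r["size"]].add(r["pid"])
    return {size: sorted(pids) for size, pids in groups.items()}


def sha256_iocs(files):
    """Sorted unique SHA256 values, the form most blocklists and hunts accept."""
    return sorted({d["SHA256"] for d in files.values() if "SHA256" in d})


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE_LISTING)
    for path, digests in files.items():
        print(path, digests.get("SHA256", "<no sha256>"))
    for size, pids in regions_by_size(regions).items():
        print(f"region size 0x{size:X} seen in PIDs {pids}")
    print("hash problems:", validate_hashes(files))
```

Feed it the full listing (paste the path, hash and memory lines into `SAMPLE_LISTING` or read them from a file) and the SHA256 list is ready for a blocklist, while `regions_by_size` gives you the PID set to pull from the sandbox's memory dumps. The length check matters because a SHA256 copied with one character missing silently matches nothing.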