Analysis Overview
SHA256
a87aee5308f8cd80e372e6080c2d2205416adc353a4366d19f9e19894e29833b
Threat Level: Known bad
The file 2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobalt Strike reflective loader
xmrig
Cobaltstrike
XMRig Miner payload
Xmrig family
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 18:26
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 18:26
Reported
2024-06-06 18:29
Platform
win7-20231129-en
Max time kernel
137s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WvRESix.exe | N/A |
| N/A | N/A | C:\Windows\System\KkGxvbU.exe | N/A |
| N/A | N/A | C:\Windows\System\XyeVUPQ.exe | N/A |
| N/A | N/A | C:\Windows\System\cnFZSiN.exe | N/A |
| N/A | N/A | C:\Windows\System\SfbSlCL.exe | N/A |
| N/A | N/A | C:\Windows\System\ZrKfPeP.exe | N/A |
| N/A | N/A | C:\Windows\System\lPQuYoe.exe | N/A |
| N/A | N/A | C:\Windows\System\wBzXAsr.exe | N/A |
| N/A | N/A | C:\Windows\System\KMXyOmU.exe | N/A |
| N/A | N/A | C:\Windows\System\pSDMCei.exe | N/A |
| N/A | N/A | C:\Windows\System\nrGVCHm.exe | N/A |
| N/A | N/A | C:\Windows\System\QkGbwKL.exe | N/A |
| N/A | N/A | C:\Windows\System\PCkuouv.exe | N/A |
| N/A | N/A | C:\Windows\System\ltrszQf.exe | N/A |
| N/A | N/A | C:\Windows\System\fssZGBv.exe | N/A |
| N/A | N/A | C:\Windows\System\uzPKCFI.exe | N/A |
| N/A | N/A | C:\Windows\System\WIGOAgE.exe | N/A |
| N/A | N/A | C:\Windows\System\SAKlEpJ.exe | N/A |
| N/A | N/A | C:\Windows\System\PNfzQTz.exe | N/A |
| N/A | N/A | C:\Windows\System\oEkQltv.exe | N/A |
| N/A | N/A | C:\Windows\System\KKLvPXB.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\WvRESix.exe
C:\Windows\System\WvRESix.exe
C:\Windows\System\KkGxvbU.exe
C:\Windows\System\KkGxvbU.exe
C:\Windows\System\XyeVUPQ.exe
C:\Windows\System\XyeVUPQ.exe
C:\Windows\System\cnFZSiN.exe
C:\Windows\System\cnFZSiN.exe
C:\Windows\System\SfbSlCL.exe
C:\Windows\System\SfbSlCL.exe
C:\Windows\System\ZrKfPeP.exe
C:\Windows\System\ZrKfPeP.exe
C:\Windows\System\lPQuYoe.exe
C:\Windows\System\lPQuYoe.exe
C:\Windows\System\KMXyOmU.exe
C:\Windows\System\KMXyOmU.exe
C:\Windows\System\wBzXAsr.exe
C:\Windows\System\wBzXAsr.exe
C:\Windows\System\pSDMCei.exe
C:\Windows\System\pSDMCei.exe
C:\Windows\System\nrGVCHm.exe
C:\Windows\System\nrGVCHm.exe
C:\Windows\System\QkGbwKL.exe
C:\Windows\System\QkGbwKL.exe
C:\Windows\System\PCkuouv.exe
C:\Windows\System\PCkuouv.exe
C:\Windows\System\ltrszQf.exe
C:\Windows\System\ltrszQf.exe
C:\Windows\System\fssZGBv.exe
C:\Windows\System\fssZGBv.exe
C:\Windows\System\uzPKCFI.exe
C:\Windows\System\uzPKCFI.exe
C:\Windows\System\WIGOAgE.exe
C:\Windows\System\WIGOAgE.exe
C:\Windows\System\SAKlEpJ.exe
C:\Windows\System\SAKlEpJ.exe
C:\Windows\System\PNfzQTz.exe
C:\Windows\System\PNfzQTz.exe
C:\Windows\System\oEkQltv.exe
C:\Windows\System\oEkQltv.exe
C:\Windows\System\KKLvPXB.exe
C:\Windows\System\KKLvPXB.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3004-1-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/3004-0-0x000000013FB20000-0x000000013FE74000-memory.dmp
C:\Windows\system\KkGxvbU.exe
| MD5 | ca566a3166959ce4a3ca9ab8b0afd3e4 |
| SHA1 | b83bda7eb4a64f0e1e68ebe6408228ae60a23c9d |
| SHA256 | 69ad44b8676cad71bdfb77470abb70fbf628a50c6a369839766871c0fbd6d5f9 |
| SHA512 | e1e5ade875a6b72d3701b76d88cf294c061e1add42bcea477fd574cad846e6d84b6328165a36a0c49a70c8a6434343b89dc7587d28494d3df32c9bf0c4827cb0 |
memory/2656-25-0x000000013F700000-0x000000013FA54000-memory.dmp
memory/3004-32-0x000000013FE80000-0x00000001401D4000-memory.dmp
memory/2664-40-0x000000013FE80000-0x00000001401D4000-memory.dmp
C:\Windows\system\wBzXAsr.exe
| MD5 | 9e31e2d931f7f443c119ee77df9ddf78 |
| SHA1 | 8eef4cce49339f3ffb197e5ce37fd23e150a0db2 |
| SHA256 | 8c43cdb97d856fda4e5eb7de527026ec0e14dd9b54ac4872c46d8cb501137d4b |
| SHA512 | aa150d85526753abe890c48457b1610e151286f01f67e0194ddddbc1f200955ef0a4f322e806deeae4c409e08a3fdab1ba587a8cb838ee9be33159be4930983f |
\Windows\system\KMXyOmU.exe
| MD5 | 38b6b422e8588d63cf6345f17b8ffd55 |
| SHA1 | a223c54ed8480cd5573a28eba063c9e7f81141a5 |
| SHA256 | 4b71c9ca63230be5382c36b6c992e491e0eb7b89a746c5bbf19319e036ac2d17 |
| SHA512 | 9be5148803032875b173dda7e8b7c92754c231061e485fc22816c4689f151313cda13246d385190cd6f97d4369e038f2122f09a5718057eba008277ed8397a58 |
C:\Windows\system\nrGVCHm.exe
| MD5 | 1ede9bc1c5e34410bf0b6c6f5d3a5722 |
| SHA1 | 457820a20785136508d114737a23d9692f8005e8 |
| SHA256 | 0b1a359887213d01706caf0570e195c8fb27fcaee40f3d5c90bae7e2f74b7b46 |
| SHA512 | 34aaf71e9d3a26cb147e7532d8a77e7848ede9e868318a1d964bd407dacb0d7134848b973d92efbc3171a86adeaf246931e8d20d8a78b70637882bca1d09e2ab |
C:\Windows\system\QkGbwKL.exe
| MD5 | f2b62a051e67cec046a5b6beaaefc867 |
| SHA1 | 0b3f206b338d65789eb3a94730377b2b3d99812d |
| SHA256 | 69b333059617ed2d8e0066c78c91e077720ef1afc1fb4180f871790fe2ec2f4d |
| SHA512 | 703ae3263aa8928086aedfe3b70b1491fa3db752197092757848020c6d1a58e032740a8488dfb0d7355bf6a47f9a66de06d61a3973aea3ef02e97c4837c1aea3 |
memory/536-82-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/3004-89-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/3004-92-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
\Windows\system\ltrszQf.exe
| MD5 | a978b35ce520d17be377bfeb3ba5e622 |
| SHA1 | 091421fed0c6febf76a6ae925598f23f1d3814a2 |
| SHA256 | 8b27946fd13723aac998b3bbed6ccf96b945c4180386a7551361f6e37ef3509d |
| SHA512 | 62f815d14c9900a616bd47f0cb6d4856d1b23adc48d5aa605684caba213d72ba9452b13bda460741c72d6dc903c65d86159ca1aefcd39e8c7bbb501fdc4ce79f |
memory/784-90-0x000000013F1B0000-0x000000013F504000-memory.dmp
C:\Windows\system\PCkuouv.exe
| MD5 | 73a95c034a5e948a4b8895f38ffb9138 |
| SHA1 | c8f1f2745061443c2e9f58842ce21ff4300a07dc |
| SHA256 | cbcdb2371267a0b08e787c1aa41ad02a40e378183fd4e8479bb02a7ada86044f |
| SHA512 | 292cb0fb67627c9a6fbd8f84615ad4d887831f4c5603074c53795533851fe313778dae98b061b21bda13edad7db8e8a830ad692b7699bf87296dc375d4b738f1 |
\Windows\system\fssZGBv.exe
| MD5 | ef9fa413cbf21a8690036633a622b904 |
| SHA1 | 084cae4ee3207b9124d87f6e562aed3d9478d6b2 |
| SHA256 | 3f73b642fb1b0c66ec944823845bfbfed3e07148b04829b3135d27cea32a631b |
| SHA512 | f3e4998b44816baa3bb458d3a76bc97c066d422b26c10e44b54dc9c24e528c48ab910d69bbfe140d486903de4e7838eb0dd8a7d498d322c357503cd6ca5af42e |
C:\Windows\system\uzPKCFI.exe
| MD5 | ba0f4d2a5390060d92bb83eee75d2689 |
| SHA1 | 9572a0602d0b0ebec6cafc428c574ba57fa68d40 |
| SHA256 | 870939d47dd84e55bf481da9e93e2447ced9f81a9de06ebe7ec9551b67e3e4a9 |
| SHA512 | ccb6d2f79d49d11e90ce26a40fc27f1550c92d4f65f97d39d62ebef8a70c8af3e45f41963f1445d49a8402ba7d8ed993f22db80325053bc276dbc04bee801e22 |
C:\Windows\system\KKLvPXB.exe
| MD5 | 2e0034ce9bb3ea359612c829f789cbea |
| SHA1 | b6697694547ca3dc38709778c2ab15d365aa71ee |
| SHA256 | 2eb26ec5fbefa34d201dc41c62e5b6de0ca6e3baba6c4059b9e16e149e0c22f6 |
| SHA512 | 2b8f528507dd703cc2085663aa8903b462fe5ed7e5c1583eae37dfe9407dfd3e40a3c5e2d961e91d2665e7323571ca4b8e7d04190740a49fef42904783bc857a |
C:\Windows\system\oEkQltv.exe
| MD5 | 79cabda8feb180281e62ce74cd717ea0 |
| SHA1 | 5d3142952f3d37b586ce4e1bb6ea9871f24d8bf1 |
| SHA256 | e87604b50d7a22e477a952639047c2250f85fc1045b4ec21a830736dd1aafc28 |
| SHA512 | 160b13d4411fd633af648b21f409a5efbb3eb9da2fa613b5841f5d51464bb346352571949a54034f0abd3a1dd0431a7c2732f8670deb657daa4b1eea7e386116 |
C:\Windows\system\SAKlEpJ.exe
| MD5 | 33681d4c819e4ce13510e2c763db35f7 |
| SHA1 | ba640777724418d191d5517775ef8166fe112e0f |
| SHA256 | 91cb8c1d53109a046b4a725a4f8a3ac315b538a4c9e24b7eb32ef2a72837b1d6 |
| SHA512 | 10508a4452e783976af3eecad9190af651b191fc131b91473560511ec859c7be32df347d958b8877f7db6db2f47ffbbe51ffdf02ef117d849f74643259904789 |
C:\Windows\system\PNfzQTz.exe
| MD5 | 13173673d0b02d6784fd1cdb138a064f |
| SHA1 | 8af5b58eb722e41f5e480483f7fb47852bb50dea |
| SHA256 | 3c94bd5d2f6ad6dca3f386d9e412483a6b2231f78fd2cfdc21e38c36c17a2a5f |
| SHA512 | c8a965e6d5334a221af348c3b0e8bc7b6bd44b4b5770057ecd3e92f49b1e29fbcd9e4da7042d71617ba5e9f7abc4a5c7913b86180d47248b60a975f32252c834 |
C:\Windows\system\WIGOAgE.exe
| MD5 | fb79176b0a1e9d876ede79e65c79eb00 |
| SHA1 | 7b3952fe82bde07421d44dde204f5fdf317e274b |
| SHA256 | aa5e33c181f8fdbef8fb64a277ab6c183097ab581de3637ac7992d6715543b69 |
| SHA512 | 0d3ac852045b1641374a3cb77f8058fedd2d6f6fbbc01c54f1255bde0f98082ca0dc8ad96c8169a3b98e905e22a8165b2eeb9ad5f47d9ba8a5290c63c7154c60 |
C:\Windows\system\pSDMCei.exe
| MD5 | d0d4b3d80abc297fc1e85ebc63ca6ffa |
| SHA1 | df230c5dd0c6e085c655ddfee330d4a499bb86e8 |
| SHA256 | cd59b6a69805e69d4a9fc37001f7978fde90479dc1866ba7fbd4be4116a690c8 |
| SHA512 | a0c6de26464b4056edf9832c674e7cc51487e9e43af9f7e005b8f9f94a9d72d19152403647c4c6b2ce8b92420d6e86af5e05864884956aa791c4a3d87e96e66c |
memory/3004-45-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
C:\Windows\system\lPQuYoe.exe
| MD5 | 466727dc66e574e69b9051ab36b69a17 |
| SHA1 | c537a7fe54b57de03f2361848be4aa82d722eb75 |
| SHA256 | be9b5ee098160db2bbf5739b7db719ba53c3b026d4460859453663d571ef8366 |
| SHA512 | 0eba0116c7cc1ef21c07cdc68fc2641b90563f4016f4b294d37a8c82e81436158197ad2936a45e464c542fabd96d4420345145a8be8b0f0623a5c39b732b560f |
memory/3004-39-0x00000000023D0000-0x0000000002724000-memory.dmp
C:\Windows\system\ZrKfPeP.exe
| MD5 | d1c19db3170c421e28978bc6e36c7a06 |
| SHA1 | 4e7273e05d9cbe68d21b656104a0d12a2560ae82 |
| SHA256 | fb6308163915e045e94a5c0fc4d950454363ae32e42430c026337644e607558a |
| SHA512 | 97d374a1f0ab7eeebd4039282befb543413d1d53f95733ffbe8e1487d2fe8977805f766e328e9f9ce87f107b993c4be1ebe6a0005f3634f34092b7c17c36db1b |
memory/2892-33-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2576-30-0x000000013FDC0000-0x0000000140114000-memory.dmp
C:\Windows\system\SfbSlCL.exe
| MD5 | a9ac47597c004bd88a04208a32dbb314 |
| SHA1 | 5f177ff36b6974e9b507d158836fcc967acc403f |
| SHA256 | 6d53f35d415018e28b2598eec3eb10e2d7802874d452384bbb04ce5cb41ce948 |
| SHA512 | 0e4ec3941f11a91c185c8713695724e615ed6bfa52d542af4809e206855c2b858a581d0e37962a0d867fb0bf8286f19b0ad3f9a7034920282d569287af282ee5 |
\Windows\system\cnFZSiN.exe
| MD5 | 12e3127811cbe41201470838e666b38f |
| SHA1 | f2ed7b4f8d5b236ebef6e5eebb6827bf6cd10a13 |
| SHA256 | e8b9f85b5c4b426598039a4f12888b9582953d26c64bedde1ad8ae4c41c225c7 |
| SHA512 | 5ea73ec2192b03b0f86e9571aaaa673e5d0a1bd70334c8164aad058e15186e3d351ee9d219f5038dbc0ef8bf9f4844a22eb7ab187fe1b08171dc820e23b79b55 |
memory/2784-18-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/3004-126-0x000000013FB20000-0x000000013FE74000-memory.dmp
C:\Windows\system\XyeVUPQ.exe
| MD5 | b5b8502991ae567eed8240fe1c28efd5 |
| SHA1 | 62d4f2092fa25c10907c06c3c2ce6363181d2b04 |
| SHA256 | b5c4d960732e23018abd02b7bd90373ed2ad882ea91ba16270a73be69239111d |
| SHA512 | f7ec6e096eb7c7b97a38e8735fc2a00bfe4b688c608f9730abefcb07879b38ced0dcbf1245edbaf6e6be592c5cbdaaec406af55c2d24a4b652aba1d4d4b2431e |
memory/3004-12-0x000000013F4D0000-0x000000013F824000-memory.dmp
C:\Windows\system\WvRESix.exe
| MD5 | 8783ac76802a2c648278d16157a8651a |
| SHA1 | f32a73379c47fdf37988b79ae02113e269bf4946 |
| SHA256 | 4f3194abc62422c91c6c128a4d0117580a2a11f3a502a71e733041436e008999 |
| SHA512 | 2bd21a9df9abb46546724a5c910b1abaff3a260dfc748122e5778adf093701c722e3f5bc34008f32d564eb1501161ace42a212bb84775f9eb1959797d1ac7927 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 18:26
Reported
2024-06-06 18:29
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WvRESix.exe | N/A |
| N/A | N/A | C:\Windows\System\KkGxvbU.exe | N/A |
| N/A | N/A | C:\Windows\System\XyeVUPQ.exe | N/A |
| N/A | N/A | C:\Windows\System\cnFZSiN.exe | N/A |
| N/A | N/A | C:\Windows\System\SfbSlCL.exe | N/A |
| N/A | N/A | C:\Windows\System\ZrKfPeP.exe | N/A |
| N/A | N/A | C:\Windows\System\lPQuYoe.exe | N/A |
| N/A | N/A | C:\Windows\System\KMXyOmU.exe | N/A |
| N/A | N/A | C:\Windows\System\wBzXAsr.exe | N/A |
| N/A | N/A | C:\Windows\System\pSDMCei.exe | N/A |
| N/A | N/A | C:\Windows\System\nrGVCHm.exe | N/A |
| N/A | N/A | C:\Windows\System\QkGbwKL.exe | N/A |
| N/A | N/A | C:\Windows\System\PCkuouv.exe | N/A |
| N/A | N/A | C:\Windows\System\ltrszQf.exe | N/A |
| N/A | N/A | C:\Windows\System\fssZGBv.exe | N/A |
| N/A | N/A | C:\Windows\System\uzPKCFI.exe | N/A |
| N/A | N/A | C:\Windows\System\WIGOAgE.exe | N/A |
| N/A | N/A | C:\Windows\System\SAKlEpJ.exe | N/A |
| N/A | N/A | C:\Windows\System\PNfzQTz.exe | N/A |
| N/A | N/A | C:\Windows\System\oEkQltv.exe | N/A |
| N/A | N/A | C:\Windows\System\KKLvPXB.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\WvRESix.exe
C:\Windows\System\WvRESix.exe
C:\Windows\System\KkGxvbU.exe
C:\Windows\System\KkGxvbU.exe
C:\Windows\System\XyeVUPQ.exe
C:\Windows\System\XyeVUPQ.exe
C:\Windows\System\cnFZSiN.exe
C:\Windows\System\cnFZSiN.exe
C:\Windows\System\SfbSlCL.exe
C:\Windows\System\SfbSlCL.exe
C:\Windows\System\ZrKfPeP.exe
C:\Windows\System\ZrKfPeP.exe
C:\Windows\System\lPQuYoe.exe
C:\Windows\System\lPQuYoe.exe
C:\Windows\System\KMXyOmU.exe
C:\Windows\System\KMXyOmU.exe
C:\Windows\System\wBzXAsr.exe
C:\Windows\System\wBzXAsr.exe
C:\Windows\System\pSDMCei.exe
C:\Windows\System\pSDMCei.exe
C:\Windows\System\nrGVCHm.exe
C:\Windows\System\nrGVCHm.exe
C:\Windows\System\QkGbwKL.exe
C:\Windows\System\QkGbwKL.exe
C:\Windows\System\PCkuouv.exe
C:\Windows\System\PCkuouv.exe
C:\Windows\System\ltrszQf.exe
C:\Windows\System\ltrszQf.exe
C:\Windows\System\fssZGBv.exe
C:\Windows\System\fssZGBv.exe
C:\Windows\System\uzPKCFI.exe
C:\Windows\System\uzPKCFI.exe
C:\Windows\System\WIGOAgE.exe
C:\Windows\System\WIGOAgE.exe
C:\Windows\System\SAKlEpJ.exe
C:\Windows\System\SAKlEpJ.exe
C:\Windows\System\PNfzQTz.exe
C:\Windows\System\PNfzQTz.exe
C:\Windows\System\oEkQltv.exe
C:\Windows\System\oEkQltv.exe
C:\Windows\System\KKLvPXB.exe
C:\Windows\System\KKLvPXB.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
memory/380-0-0x00007FF646170000-0x00007FF6464C4000-memory.dmp
memory/380-1-0x00000259EC040000-0x00000259EC050000-memory.dmp
C:\Windows\System\WvRESix.exe
| MD5 | 8783ac76802a2c648278d16157a8651a |
| SHA1 | f32a73379c47fdf37988b79ae02113e269bf4946 |
| SHA256 | 4f3194abc62422c91c6c128a4d0117580a2a11f3a502a71e733041436e008999 |
| SHA512 | 2bd21a9df9abb46546724a5c910b1abaff3a260dfc748122e5778adf093701c722e3f5bc34008f32d564eb1501161ace42a212bb84775f9eb1959797d1ac7927 |
C:\Windows\System\KkGxvbU.exe
| MD5 | ca566a3166959ce4a3ca9ab8b0afd3e4 |
| SHA1 | b83bda7eb4a64f0e1e68ebe6408228ae60a23c9d |
| SHA256 | 69ad44b8676cad71bdfb77470abb70fbf628a50c6a369839766871c0fbd6d5f9 |
| SHA512 | e1e5ade875a6b72d3701b76d88cf294c061e1add42bcea477fd574cad846e6d84b6328165a36a0c49a70c8a6434343b89dc7587d28494d3df32c9bf0c4827cb0 |
C:\Windows\System\XyeVUPQ.exe
| MD5 | b5b8502991ae567eed8240fe1c28efd5 |
| SHA1 | 62d4f2092fa25c10907c06c3c2ce6363181d2b04 |
| SHA256 | b5c4d960732e23018abd02b7bd90373ed2ad882ea91ba16270a73be69239111d |
| SHA512 | f7ec6e096eb7c7b97a38e8735fc2a00bfe4b688c608f9730abefcb07879b38ced0dcbf1245edbaf6e6be592c5cbdaaec406af55c2d24a4b652aba1d4d4b2431e |
C:\Windows\System\cnFZSiN.exe
| MD5 | 12e3127811cbe41201470838e666b38f |
| SHA1 | f2ed7b4f8d5b236ebef6e5eebb6827bf6cd10a13 |
| SHA256 | e8b9f85b5c4b426598039a4f12888b9582953d26c64bedde1ad8ae4c41c225c7 |
| SHA512 | 5ea73ec2192b03b0f86e9571aaaa673e5d0a1bd70334c8164aad058e15186e3d351ee9d219f5038dbc0ef8bf9f4844a22eb7ab187fe1b08171dc820e23b79b55 |
memory/4420-27-0x00007FF6EE560000-0x00007FF6EE8B4000-memory.dmp
C:\Windows\System\SfbSlCL.exe
| MD5 | a9ac47597c004bd88a04208a32dbb314 |
| SHA1 | 5f177ff36b6974e9b507d158836fcc967acc403f |
| SHA256 | 6d53f35d415018e28b2598eec3eb10e2d7802874d452384bbb04ce5cb41ce948 |
| SHA512 | 0e4ec3941f11a91c185c8713695724e615ed6bfa52d542af4809e206855c2b858a581d0e37962a0d867fb0bf8286f19b0ad3f9a7034920282d569287af282ee5 |
C:\Windows\System\ZrKfPeP.exe
| MD5 | d1c19db3170c421e28978bc6e36c7a06 |
| SHA1 | 4e7273e05d9cbe68d21b656104a0d12a2560ae82 |
| SHA256 | fb6308163915e045e94a5c0fc4d950454363ae32e42430c026337644e607558a |
| SHA512 | 97d374a1f0ab7eeebd4039282befb543413d1d53f95733ffbe8e1487d2fe8977805f766e328e9f9ce87f107b993c4be1ebe6a0005f3634f34092b7c17c36db1b |
C:\Windows\System\lPQuYoe.exe
| MD5 | 466727dc66e574e69b9051ab36b69a17 |
| SHA1 | c537a7fe54b57de03f2361848be4aa82d722eb75 |
| SHA256 | be9b5ee098160db2bbf5739b7db719ba53c3b026d4460859453663d571ef8366 |
| SHA512 | 0eba0116c7cc1ef21c07cdc68fc2641b90563f4016f4b294d37a8c82e81436158197ad2936a45e464c542fabd96d4420345145a8be8b0f0623a5c39b732b560f |
C:\Windows\System\wBzXAsr.exe
| MD5 | 9e31e2d931f7f443c119ee77df9ddf78 |
| SHA1 | 8eef4cce49339f3ffb197e5ce37fd23e150a0db2 |
| SHA256 | 8c43cdb97d856fda4e5eb7de527026ec0e14dd9b54ac4872c46d8cb501137d4b |
| SHA512 | aa150d85526753abe890c48457b1610e151286f01f67e0194ddddbc1f200955ef0a4f322e806deeae4c409e08a3fdab1ba587a8cb838ee9be33159be4930983f |
C:\Windows\System\pSDMCei.exe
| MD5 | d0d4b3d80abc297fc1e85ebc63ca6ffa |
| SHA1 | df230c5dd0c6e085c655ddfee330d4a499bb86e8 |
| SHA256 | cd59b6a69805e69d4a9fc37001f7978fde90479dc1866ba7fbd4be4116a690c8 |
| SHA512 | a0c6de26464b4056edf9832c674e7cc51487e9e43af9f7e005b8f9f94a9d72d19152403647c4c6b2ce8b92420d6e86af5e05864884956aa791c4a3d87e96e66c |
C:\Windows\System\nrGVCHm.exe
| MD5 | 1ede9bc1c5e34410bf0b6c6f5d3a5722 |
| SHA1 | 457820a20785136508d114737a23d9692f8005e8 |
| SHA256 | 0b1a359887213d01706caf0570e195c8fb27fcaee40f3d5c90bae7e2f74b7b46 |
| SHA512 | 34aaf71e9d3a26cb147e7532d8a77e7848ede9e868318a1d964bd407dacb0d7134848b973d92efbc3171a86adeaf246931e8d20d8a78b70637882bca1d09e2ab |
C:\Windows\System\QkGbwKL.exe
| MD5 | f2b62a051e67cec046a5b6beaaefc867 |
| SHA1 | 0b3f206b338d65789eb3a94730377b2b3d99812d |
| SHA256 | 69b333059617ed2d8e0066c78c91e077720ef1afc1fb4180f871790fe2ec2f4d |
| SHA512 | 703ae3263aa8928086aedfe3b70b1491fa3db752197092757848020c6d1a58e032740a8488dfb0d7355bf6a47f9a66de06d61a3973aea3ef02e97c4837c1aea3 |
C:\Windows\System\fssZGBv.exe
| MD5 | ef9fa413cbf21a8690036633a622b904 |
| SHA1 | 084cae4ee3207b9124d87f6e562aed3d9478d6b2 |
| SHA256 | 3f73b642fb1b0c66ec944823845bfbfed3e07148b04829b3135d27cea32a631b |
| SHA512 | f3e4998b44816baa3bb458d3a76bc97c066d422b26c10e44b54dc9c24e528c48ab910d69bbfe140d486903de4e7838eb0dd8a7d498d322c357503cd6ca5af42e |
C:\Windows\System\uzPKCFI.exe
| MD5 | ba0f4d2a5390060d92bb83eee75d2689 |
| SHA1 | 9572a0602d0b0ebec6cafc428c574ba57fa68d40 |
| SHA256 | 870939d47dd84e55bf481da9e93e2447ced9f81a9de06ebe7ec9551b67e3e4a9 |
| SHA512 | ccb6d2f79d49d11e90ce26a40fc27f1550c92d4f65f97d39d62ebef8a70c8af3e45f41963f1445d49a8402ba7d8ed993f22db80325053bc276dbc04bee801e22 |
memory/2932-92-0x00007FF68B1E0000-0x00007FF68B534000-memory.dmp
C:\Windows\System\WIGOAgE.exe
| MD5 | fb79176b0a1e9d876ede79e65c79eb00 |
| SHA1 | 7b3952fe82bde07421d44dde204f5fdf317e274b |
| SHA256 | aa5e33c181f8fdbef8fb64a277ab6c183097ab581de3637ac7992d6715543b69 |
| SHA512 | 0d3ac852045b1641374a3cb77f8058fedd2d6f6fbbc01c54f1255bde0f98082ca0dc8ad96c8169a3b98e905e22a8165b2eeb9ad5f47d9ba8a5290c63c7154c60 |
memory/1208-111-0x00007FF711410000-0x00007FF711764000-memory.dmp
C:\Windows\System\SAKlEpJ.exe
| MD5 | 33681d4c819e4ce13510e2c763db35f7 |
| SHA1 | ba640777724418d191d5517775ef8166fe112e0f |
| SHA256 | 91cb8c1d53109a046b4a725a4f8a3ac315b538a4c9e24b7eb32ef2a72837b1d6 |
| SHA512 | 10508a4452e783976af3eecad9190af651b191fc131b91473560511ec859c7be32df347d958b8877f7db6db2f47ffbbe51ffdf02ef117d849f74643259904789 |
C:\Windows\System\PNfzQTz.exe
| MD5 | 13173673d0b02d6784fd1cdb138a064f |
| SHA1 | 8af5b58eb722e41f5e480483f7fb47852bb50dea |
| SHA256 | 3c94bd5d2f6ad6dca3f386d9e412483a6b2231f78fd2cfdc21e38c36c17a2a5f |
| SHA512 | c8a965e6d5334a221af348c3b0e8bc7b6bd44b4b5770057ecd3e92f49b1e29fbcd9e4da7042d71617ba5e9f7abc4a5c7913b86180d47248b60a975f32252c834 |
C:\Windows\System\oEkQltv.exe
| MD5 | 79cabda8feb180281e62ce74cd717ea0 |
| SHA1 | 5d3142952f3d37b586ce4e1bb6ea9871f24d8bf1 |
| SHA256 | e87604b50d7a22e477a952639047c2250f85fc1045b4ec21a830736dd1aafc28 |
| SHA512 | 160b13d4411fd633af648b21f409a5efbb3eb9da2fa613b5841f5d51464bb346352571949a54034f0abd3a1dd0431a7c2732f8670deb657daa4b1eea7e386116 |
C:\Windows\System\KKLvPXB.exe
| MD5 | 2e0034ce9bb3ea359612c829f789cbea |
| SHA1 | b6697694547ca3dc38709778c2ab15d365aa71ee |
| SHA256 | 2eb26ec5fbefa34d201dc41c62e5b6de0ca6e3baba6c4059b9e16e149e0c22f6 |
| SHA512 | 2b8f528507dd703cc2085663aa8903b462fe5ed7e5c1583eae37dfe9407dfd3e40a3c5e2d961e91d2665e7323571ca4b8e7d04190740a49fef42904783bc857a |
memory/2948-126-0x00007FF7164E0000-0x00007FF716834000-memory.dmp
memory/4420-125-0x00007FF6EE560000-0x00007FF6EE8B4000-memory.dmp
memory/2208-118-0x00007FF6948F0000-0x00007FF694C44000-memory.dmp
memory/2820-115-0x00007FF69BBF0000-0x00007FF69BF44000-memory.dmp
memory/4636-132-0x00007FF781190000-0x00007FF7814E4000-memory.dmp
memory/2960-114-0x00007FF76F340000-0x00007FF76F694000-memory.dmp
memory/1088-112-0x00007FF624D00000-0x00007FF625054000-memory.dmp
memory/4824-102-0x00007FF6EB4D0000-0x00007FF6EB824000-memory.dmp
memory/1676-101-0x00007FF7C6890000-0x00007FF7C6BE4000-memory.dmp
memory/2740-94-0x00007FF6893A0000-0x00007FF6896F4000-memory.dmp
memory/380-93-0x00007FF646170000-0x00007FF6464C4000-memory.dmp
C:\Windows\System\ltrszQf.exe
| MD5 | a978b35ce520d17be377bfeb3ba5e622 |
| SHA1 | 091421fed0c6febf76a6ae925598f23f1d3814a2 |
| SHA256 | 8b27946fd13723aac998b3bbed6ccf96b945c4180386a7551361f6e37ef3509d |
| SHA512 | 62f815d14c9900a616bd47f0cb6d4856d1b23adc48d5aa605684caba213d72ba9452b13bda460741c72d6dc903c65d86159ca1aefcd39e8c7bbb501fdc4ce79f |
memory/1360-89-0x00007FF616F20000-0x00007FF617274000-memory.dmp
memory/784-87-0x00007FF7AA6B0000-0x00007FF7AAA04000-memory.dmp
memory/816-86-0x00007FF688680000-0x00007FF6889D4000-memory.dmp
memory/3628-81-0x00007FF7463B0000-0x00007FF746704000-memory.dmp
C:\Windows\System\PCkuouv.exe
| MD5 | 73a95c034a5e948a4b8895f38ffb9138 |
| SHA1 | c8f1f2745061443c2e9f58842ce21ff4300a07dc |
| SHA256 | cbcdb2371267a0b08e787c1aa41ad02a40e378183fd4e8479bb02a7ada86044f |
| SHA512 | 292cb0fb67627c9a6fbd8f84615ad4d887831f4c5603074c53795533851fe313778dae98b061b21bda13edad7db8e8a830ad692b7699bf87296dc375d4b738f1 |
memory/3404-67-0x00007FF691250000-0x00007FF6915A4000-memory.dmp
memory/1748-57-0x00007FF78A0A0000-0x00007FF78A3F4000-memory.dmp
C:\Windows\System\KMXyOmU.exe
| MD5 | 38b6b422e8588d63cf6345f17b8ffd55 |
| SHA1 | a223c54ed8480cd5573a28eba063c9e7f81141a5 |
| SHA256 | 4b71c9ca63230be5382c36b6c992e491e0eb7b89a746c5bbf19319e036ac2d17 |
| SHA512 | 9be5148803032875b173dda7e8b7c92754c231061e485fc22816c4689f151313cda13246d385190cd6f97d4369e038f2122f09a5718057eba008277ed8397a58 |
memory/2420-48-0x00007FF6C0A50000-0x00007FF6C0DA4000-memory.dmp
memory/4796-39-0x00007FF7A7C50000-0x00007FF7A7FA4000-memory.dmp
memory/2972-29-0x00007FF648890000-0x00007FF648BE4000-memory.dmp
memory/2820-21-0x00007FF69BBF0000-0x00007FF69BF44000-memory.dmp
memory/1208-16-0x00007FF711410000-0x00007FF711764000-memory.dmp
memory/4824-7-0x00007FF6EB4D0000-0x00007FF6EB824000-memory.dmp
memory/2972-133-0x00007FF648890000-0x00007FF648BE4000-memory.dmp
memory/4796-134-0x00007FF7A7C50000-0x00007FF7A7FA4000-memory.dmp
memory/3404-135-0x00007FF691250000-0x00007FF6915A4000-memory.dmp
memory/2932-136-0x00007FF68B1E0000-0x00007FF68B534000-memory.dmp
memory/1676-137-0x00007FF7C6890000-0x00007FF7C6BE4000-memory.dmp
memory/2960-138-0x00007FF76F340000-0x00007FF76F694000-memory.dmp
memory/2208-139-0x00007FF6948F0000-0x00007FF694C44000-memory.dmp
memory/2948-140-0x00007FF7164E0000-0x00007FF716834000-memory.dmp
memory/4824-141-0x00007FF6EB4D0000-0x00007FF6EB824000-memory.dmp
memory/2972-145-0x00007FF648890000-0x00007FF648BE4000-memory.dmp
memory/4796-146-0x00007FF7A7C50000-0x00007FF7A7FA4000-memory.dmp
memory/2420-147-0x00007FF6C0A50000-0x00007FF6C0DA4000-memory.dmp
memory/1748-148-0x00007FF78A0A0000-0x00007FF78A3F4000-memory.dmp
memory/4420-144-0x00007FF6EE560000-0x00007FF6EE8B4000-memory.dmp
memory/784-150-0x00007FF7AA6B0000-0x00007FF7AAA04000-memory.dmp
memory/816-149-0x00007FF688680000-0x00007FF6889D4000-memory.dmp
memory/3404-151-0x00007FF691250000-0x00007FF6915A4000-memory.dmp
memory/1360-153-0x00007FF616F20000-0x00007FF617274000-memory.dmp
memory/3628-152-0x00007FF7463B0000-0x00007FF746704000-memory.dmp
memory/2820-143-0x00007FF69BBF0000-0x00007FF69BF44000-memory.dmp
memory/1208-142-0x00007FF711410000-0x00007FF711764000-memory.dmp
memory/2740-154-0x00007FF6893A0000-0x00007FF6896F4000-memory.dmp
memory/2932-156-0x00007FF68B1E0000-0x00007FF68B534000-memory.dmp
memory/1088-157-0x00007FF624D00000-0x00007FF625054000-memory.dmp
memory/1676-155-0x00007FF7C6890000-0x00007FF7C6BE4000-memory.dmp
memory/2960-158-0x00007FF76F340000-0x00007FF76F694000-memory.dmp
memory/2208-159-0x00007FF6948F0000-0x00007FF694C44000-memory.dmp
memory/4636-160-0x00007FF781190000-0x00007FF7814E4000-memory.dmp
memory/2948-161-0x00007FF7164E0000-0x00007FF716834000-memory.dmp