Analysis Overview
SHA256
b1720b46bc2d1325a59aef9ddf3a0b1ca27ba6831191a9ad9a565bfe339d9a00
Threat Level: Known bad
The file 2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike
Detects Reflective DLL injection artifacts
XMRig Miner payload
xmrig
Cobaltstrike family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 17:54
Signatures
Cobalt Strike reflective loader
1 hit recorded; the report gives no description, indicator, process or target for it.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 hit recorded; the report gives no description, indicator, process or target for it.
UPX dump on OEP (original entry point)
1 hit recorded; the report gives no description, indicator, process or target for it.
XMRig Miner payload
1 hit recorded; the report gives no description, indicator, process or target for it.
Xmrig family
UPX packed file
1 hit recorded; the report gives no description, indicator, process or target for it.
Unsigned PE
1 hit recorded; the report gives no description, indicator, process or target for it.
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 17:54
Reported
2024-06-06 17:57
Platform
win7-20231129-en
Max time kernel
133s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits recorded; the report gives no description, indicator, process or target for them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits recorded; the report gives no description, indicator, process or target for them.
UPX dump on OEP (original entry point)
43 hits recorded; the report gives no description, indicator, process or target for them.
XMRig Miner payload
55 hits recorded; the report gives no description, indicator, process or target for them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\pfVQHdl.exe | N/A |
| N/A | N/A | C:\Windows\System\yXLoVcX.exe | N/A |
| N/A | N/A | C:\Windows\System\FOnSPRT.exe | N/A |
| N/A | N/A | C:\Windows\System\wXaxoUr.exe | N/A |
| N/A | N/A | C:\Windows\System\lfbbVRU.exe | N/A |
| N/A | N/A | C:\Windows\System\ooJfaKa.exe | N/A |
| N/A | N/A | C:\Windows\System\rlrnQeV.exe | N/A |
| N/A | N/A | C:\Windows\System\XJAqpqz.exe | N/A |
| N/A | N/A | C:\Windows\System\LwFKJRb.exe | N/A |
| N/A | N/A | C:\Windows\System\DFjiWdv.exe | N/A |
| N/A | N/A | C:\Windows\System\droSepl.exe | N/A |
| N/A | N/A | C:\Windows\System\vziioPw.exe | N/A |
| N/A | N/A | C:\Windows\System\GhcQpio.exe | N/A |
| N/A | N/A | C:\Windows\System\hVkvOlp.exe | N/A |
| N/A | N/A | C:\Windows\System\tVfOgfy.exe | N/A |
| N/A | N/A | C:\Windows\System\jRfmNFb.exe | N/A |
| N/A | N/A | C:\Windows\System\rgOuOdL.exe | N/A |
| N/A | N/A | C:\Windows\System\sjBVXex.exe | N/A |
| N/A | N/A | C:\Windows\System\gNhCHBF.exe | N/A |
| N/A | N/A | C:\Windows\System\FiosYAC.exe | N/A |
| N/A | N/A | C:\Windows\System\eMjeMPe.exe | N/A |
Loads dropped DLL
UPX packed file
51 hits recorded; the report gives no description, indicator, process or target for them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\pfVQHdl.exe
C:\Windows\System\pfVQHdl.exe
C:\Windows\System\yXLoVcX.exe
C:\Windows\System\yXLoVcX.exe
C:\Windows\System\FOnSPRT.exe
C:\Windows\System\FOnSPRT.exe
C:\Windows\System\wXaxoUr.exe
C:\Windows\System\wXaxoUr.exe
C:\Windows\System\lfbbVRU.exe
C:\Windows\System\lfbbVRU.exe
C:\Windows\System\ooJfaKa.exe
C:\Windows\System\ooJfaKa.exe
C:\Windows\System\rlrnQeV.exe
C:\Windows\System\rlrnQeV.exe
C:\Windows\System\XJAqpqz.exe
C:\Windows\System\XJAqpqz.exe
C:\Windows\System\LwFKJRb.exe
C:\Windows\System\LwFKJRb.exe
C:\Windows\System\DFjiWdv.exe
C:\Windows\System\DFjiWdv.exe
C:\Windows\System\droSepl.exe
C:\Windows\System\droSepl.exe
C:\Windows\System\vziioPw.exe
C:\Windows\System\vziioPw.exe
C:\Windows\System\GhcQpio.exe
C:\Windows\System\GhcQpio.exe
C:\Windows\System\hVkvOlp.exe
C:\Windows\System\hVkvOlp.exe
C:\Windows\System\tVfOgfy.exe
C:\Windows\System\tVfOgfy.exe
C:\Windows\System\jRfmNFb.exe
C:\Windows\System\jRfmNFb.exe
C:\Windows\System\rgOuOdL.exe
C:\Windows\System\rgOuOdL.exe
C:\Windows\System\sjBVXex.exe
C:\Windows\System\sjBVXex.exe
C:\Windows\System\FiosYAC.exe
C:\Windows\System\FiosYAC.exe
C:\Windows\System\gNhCHBF.exe
C:\Windows\System\gNhCHBF.exe
C:\Windows\System\eMjeMPe.exe
C:\Windows\System\eMjeMPe.exe
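The process tree above, the two SeLockMemoryPrivilege adjustments and the single non-DNS endpoint in the Network table that follows make a compact hunting set; behavioral2 shows the same tree. The Python below is an added example, not part of the sandbox report: it turns those observations into rules and runs them over constructed Sysmon-style process, privilege and connection events shaped like this detonation. The event schema, the PIDs in the sample, the allow-list of processes permitted to hold SeLockMemoryPrivilege and the mass-drop threshold are assumptions. The rules flag a seven-letter random executable started out of C:\Windows\System (the legacy directory, not System32), one parent in the user's Temp folder spawning many of them, a process other than a known large-page user requesting SeLockMemoryPrivilege (the privilege XMRig asks for so it can use large pages), and a connection to 3.120.209.58:8080.

```python
"""Triage rules for the behaviour recorded in this report, run over constructed
Sysmon-style events. Added example; not part of the sandbox report."""
import ntpath
import re
from collections import Counter, defaultdict

# Indicators copied from the report.
C2_ENDPOINTS = {("3.120.209.58", 8080)}
DROP_DIR = r"c:\windows\system"                 # the legacy 16-bit folder, not System32
RANDOM_EXE = re.compile(r"^[A-Za-z]{7}\.exe$")   # pfVQHdl.exe, yXLoVcX.exe, ... (tuned to this sample)
MINER_PRIVILEGE = "SeLockMemoryPrivilege"       # XMRig requests it to back its scratchpad with large pages
LOCKMEM_ALLOWLIST = {"sqlservr.exe"}            # assumption: legitimate large-page users in your estate
MASS_DROP_THRESHOLD = 5                         # assumption: distinct drops before a parent is "mass dropping"


def in_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def rule_dropped_exe(ev):
    """Random-named EXE started from C:\\Windows\\System; high severity if the parent runs from %TEMP%."""
    if ev["type"] != "process_create":
        return None
    image = ev["image"]
    if ntpath.dirname(image).lower() != DROP_DIR or not RANDOM_EXE.match(ntpath.basename(image)):
        return None
    severity = "high" if in_user_temp(ev["parent_image"]) else "medium"
    return (severity, "dropped_exe_in_windows_system", ev["pid"], image)


def rule_lock_memory(ev):
    """SeLockMemoryPrivilege adjusted by a process that is not a known large-page user."""
    if ev["type"] != "privilege_adjust" or ev["privilege"] != MINER_PRIVILEGE:
        return None
    if ntpath.basename(ev["image"]).lower() in LOCKMEM_ALLOWLIST:
        return None
    return ("medium", "lock_memory_privilege", ev["pid"], ev["image"])


def rule_c2(ev):
    """Outbound connection to the endpoint the sandbox recorded."""
    if ev["type"] != "network_connect" or (ev["dst_ip"], ev["dst_port"]) not in C2_ENDPOINTS:
        return None
    return ("high", "known_c2_endpoint", ev["pid"], f"{ev['dst_ip']}:{ev['dst_port']}/{ev['proto']}")


def evaluate(events):
    """Run every rule over every event; return (severity, rule, pid, detail) tuples."""
    findings = []
    children = defaultdict(set)   # parent pid -> dropped EXEs it launched
    for ev in events:
        for rule in (rule_dropped_exe, rule_lock_memory, rule_c2):
            hit = rule(ev)
            if hit is None:
                continue
            findings.append(hit)
            if hit[1] == "dropped_exe_in_windows_system":
                children[ev["parent_pid"]].add(hit[3])
    for ppid, images in children.items():
        if len(images) >= MASS_DROP_THRESHOLD:
            findings.append(("high", "mass_drop", ppid,
                             f"{len(images)} random-named EXEs spawned from {DROP_DIR}"))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return Counter(rule for _, rule, _, _ in findings)


def sample_events():
    """Constructed telemetry shaped like this report's process tree; the PIDs are made up."""
    sample = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe")
    names = ["pfVQHdl", "yXLoVcX", "FOnSPRT", "wXaxoUr", "lfbbVRU", "ooJfaKa", "rlrnQeV",
             "XJAqpqz", "LwFKJRb", "DFjiWdv", "droSepl", "vziioPw", "GhcQpio", "hVkvOlp",
             "tVfOgfy", "jRfmNFb", "rgOuOdL", "sjBVXex", "FiosYAC", "gNhCHBF", "eMjeMPe"]
    events = [{"type": "privilege_adjust", "pid": 2044, "image": sample,
               "privilege": MINER_PRIVILEGE} for _ in range(2)]
    events += [{"type": "process_create", "pid": 3000 + i, "parent_pid": 2044, "parent_image": sample,
                "image": "C:\\Windows\\System\\" + n + ".exe"} for i, n in enumerate(names)]
    events += [{"type": "network_connect", "pid": 2044, "dst_ip": "3.120.209.58",
                "dst_port": 8080, "proto": "tcp"} for _ in range(6)]
    # Benign noise that must not fire: a System32 binary from explorer, SQL Server taking large pages.
    events += [
        {"type": "process_create", "pid": 4100, "parent_pid": 700, "parent_image": r"C:\Windows\explorer.exe",
         "image": r"C:\Windows\System32\notepad.exe"},
        {"type": "privilege_adjust", "pid": 4200, "privilege": MINER_PRIVILEGE,
         "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
    ]
    return events


if __name__ == "__main__":
    found = evaluate(sample_events())
    for severity, rule, pid, detail in sorted(found):
        print(f"[{severity}] {rule} pid={pid} {detail}")
    print(dict(summarize(found)))
```

The directory check is what keeps the seven-letter rule quiet on System32 binaries such as notepad.exe; the allow-list is what keeps the SeLockMemoryPrivilege rule quiet on database servers that legitimately lock pages. Feed real Sysmon Event ID 1, 3 and token-adjustment telemetry through the same event shape and the rules apply unchanged.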
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/2044-0-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2044-1-0x0000000000580000-0x0000000000590000-memory.dmp
\Windows\system\wXaxoUr.exe
| MD5 | 06f067e5e53cceeea22b4b815b147423 |
| SHA1 | df033b82848f07537a8abec1a17506ac92f0d9ab |
| SHA256 | 997d4f65e8f0cf24bde481efc49f16e3168807af969ec22ccff42020e06c2928 |
| SHA512 | b5f8e8505994b8684f6ddfecb72e102d67f4660e66c2625669f4d7afef85c43a1b1b7f9cfa498d8771370525ad656348b54ff4a6ebbe55718225e9737fbb569f |
memory/2044-24-0x000000013F730000-0x000000013FA84000-memory.dmp
\Windows\system\lfbbVRU.exe
| MD5 | a39aadcc26ea53529a3a32e5fc0ee120 |
| SHA1 | 9d39511301c23227a141bfd4d0dfb59e118f653c |
| SHA256 | df7b7f3e7b58e6d0f2f858eed567d595ae052ae550b0c5426f15afa57ae95517 |
| SHA512 | 607153fc270a21d502373fbe71f557f47ce3aa73ddcd32f76cde26b5dcd8c73cdf7f3530fa7f5444583674d5c9bf8c3c019181a1a978b34d1bdd39ab16689fdf |
memory/2000-18-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2044-42-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2588-43-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/2684-41-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2044-48-0x0000000002260000-0x00000000025B4000-memory.dmp
memory/2044-51-0x0000000002260000-0x00000000025B4000-memory.dmp
memory/2572-50-0x000000013FC50000-0x000000013FFA4000-memory.dmp
C:\Windows\system\XJAqpqz.exe
| MD5 | 8bc77e794c83ed02519d7faaa0fc299f |
| SHA1 | 5e7f2c7c0c37248a918d40d59521acf0ed1a3500 |
| SHA256 | b72cd05956270ff3da595aed0d34091d07fef59c555b0e9e979645adc9e677e8 |
| SHA512 | 261b6b9fc0542316a3b501752eb6db2adafb20a897dcd2a22bf9da51def603813a91648a0697a2d5f27e0aaad9d3b33f125e2c254adff32f8a7e16a810a6a0f7 |
\Windows\system\LwFKJRb.exe
| MD5 | eeee13763c75c6097ea1209cec7f8406 |
| SHA1 | 6aec426b51f68873cd14a94b7917d3c09d8eca69 |
| SHA256 | f4e9a4525e893c5ab8a15aef20d3b4b8af0dc1db7edbcbfd1dea0127b537e94e |
| SHA512 | ad8886a03bbd1da36fccb916283882be91033979263dd0270ff27614c0f7cfaaddbf4aae055356f4287bd8f07fdb64d21834aba3ddc9e0387bb2eda6d1d3acec |
\Windows\system\DFjiWdv.exe
| MD5 | c04f00445ec438ba9e5e292b322f69fc |
| SHA1 | 8f08f131135e66824c89e46a29ec5212235f8410 |
| SHA256 | bfeace8c643db85f3b7025d545e44df25f4b277862814c4d62482c1b72f8e789 |
| SHA512 | 73a4b1e9a35cd08bccc0833cb85af1690795849e5f6af5970d75ecaa8eb8485501cc948c0990cf504ec863c59310d9821b12b21af14da31576cd54a964d959e5 |
\Windows\system\droSepl.exe
| MD5 | 9de12147732824a92c00ff514e86b1db |
| SHA1 | cf533d2008957e2f74a21687e066b13c60216917 |
| SHA256 | b28ec1c30b9e8b44f601b614abe9442c5290bd79c75aa1da4306ba9d41d2ee6c |
| SHA512 | 9b08f112f883728297a12941a65ebb0a6af981d2e59972c7c954c13933ea5884766fe243328d0fce15f1b54a3a463650db68e78d7e172cdaa57da926b0d7107f |
C:\Windows\system\jRfmNFb.exe
| MD5 | 5344fadff4cd814279024d1d6291bfb4 |
| SHA1 | 71ab34b14d4d1c87ca1a8e3be41918bfda162ad3 |
| SHA256 | bacf3d928b8e051d6c7bf7526828166d1f8d88b7fc4699def2caa586db39fb6f |
| SHA512 | af62e9584584ecabbefad7946b00705e3401df6949adb02930ffa47855574cd0574051eb3ddb5e40a7b24dccb228722f430ff7ce59df56d50dbe585251535dc7 |
C:\Windows\system\rgOuOdL.exe
| MD5 | 0b4411eb454a98e2e7f63672d5de0ab4 |
| SHA1 | 4fef0b417a3f0fe12b54178ae70fd5e3e0c0d099 |
| SHA256 | 7acf14e37f004fd70c915850d4bd37f17385d9c6f7f18177e4bf7258266bba51 |
| SHA512 | 785f50fae126d312a95af5931248f72f7b0fe4d30e7f1ebbd02c8f2fa88ea5524a5d252e68799b348b4cdd280fdebe3e95fe805e64ffb7ddba7aa960d77eb4c2 |
memory/2044-115-0x0000000002260000-0x00000000025B4000-memory.dmp
memory/2044-125-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2044-130-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/1236-124-0x000000013FAF0000-0x000000013FE44000-memory.dmp
\Windows\system\eMjeMPe.exe
| MD5 | 27e9f9ca391183a1e3403016caf290fb |
| SHA1 | a304bc72a76848d50456cedb88b47b0a4c4102f0 |
| SHA256 | 34e8d2e33d19a703ae6d4d347a76bfeb5fa786bbaee4f21349f6414da9f2a4a1 |
| SHA512 | 75ccad9bda316388d02d350eb7a692206e7bf863a7dd9149d2dbc04ead1a46bd080fdac93d69ca0d7b617cffc108648e028dbc07461c914a78605d05b547a755 |
memory/2592-133-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2044-132-0x0000000002260000-0x00000000025B4000-memory.dmp
memory/2484-131-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2044-129-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2712-128-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2044-127-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/1924-126-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2044-120-0x0000000002260000-0x00000000025B4000-memory.dmp
C:\Windows\system\FiosYAC.exe
| MD5 | 675a7c2a480063eeb3402191e12b2a95 |
| SHA1 | 3d36fc23ffe4d941a16b1f7370f9573ef533fa93 |
| SHA256 | 244257a97f63e721a7e83a0fb290c057544eb981e7d400b76e5ae1b8bf3238a8 |
| SHA512 | 0c2f3e6824f1313040b7dc700467d4e0ebe37cc244b0743e720effc187f12719c7f4517e3721dcede5c04e96aa856ed623efa2e38eca73d2eb1bf5da2f35fa9f |
memory/2236-116-0x000000013FC60000-0x000000013FFB4000-memory.dmp
C:\Windows\system\gNhCHBF.exe
| MD5 | 5de827543aa6a81c97d1d4c2de7b0058 |
| SHA1 | c2e2441145f9804903809b555e953843c6838825 |
| SHA256 | eb7f9de09ddacdc3f60a4e514280fe01644d5ee64c4fa3b6bf25285857ae4e4f |
| SHA512 | d5e7d37383190e26fdd29793611f0fce429610c9a5e799d65985a6676e76cfce4aad9840f4c4a01df75f1464e7ff15ababaf153486bce34e1bd26e0cd19f11f7 |
C:\Windows\system\sjBVXex.exe
| MD5 | 624c68b9f754b17d9ccdafc417f47485 |
| SHA1 | 5d2df3e2cdd8eb6af6a248de5699e3164e334628 |
| SHA256 | e0ca9c6b3c90c1cb7ee143d2101db81421410ebd2845a3494f1817243e1c196c |
| SHA512 | e804a496544ea38df65e79d461ea1aaa3d048d4d5f48488fd9bb1b6b67e45cbe19d8340d278ea53aba5df699aa64f8c38e86b55277f68acc117b5413a56d11c0 |
C:\Windows\system\tVfOgfy.exe
| MD5 | b11176e6c989c8aae9af9a209398dc56 |
| SHA1 | 852dc2949009b815034bd02d48f14bb9a78f099c |
| SHA256 | fe615218be8529221aeb3e3a65e67d3cfb04417b453efd282a195b3afd89fc5f |
| SHA512 | e5a23fba7c92a0e3caa1d7042f70a76d926a7154157cb8e95eac4ad4b319ed45bbaa761fb6b19617934d7a2bdfd01fc71cae1abdb34c7ae298797b367f47f87b |
C:\Windows\system\GhcQpio.exe
| MD5 | df0a7836d953b170ae502e5652c707d6 |
| SHA1 | 6e0dcabcc048460b3d55224fba56b3eb49888589 |
| SHA256 | 4c55471ea2908d0d3721df1865b9cac9c06636b480f118bee53c87b30cc192d6 |
| SHA512 | 3ded6adf8663a35cf7507ff01875367a9c0253d007aab4d8c4e474941503d43fb348393c647cb4227ec96d3a6ea10395c1020d4a1f1dfd7f3b5a19f32e4c2070 |
C:\Windows\system\hVkvOlp.exe
| MD5 | 51811ec79e5d13ea950dc611e2a6d417 |
| SHA1 | cdd47d6c5c3e30107abd74c0caf4dcdf8b12d891 |
| SHA256 | 2adc005590ba88a77e454f648d532795b375218a74715232db6c3fda59780eac |
| SHA512 | 5522e61e28d69ee57e422d5251af5f1c1ac75599a4d1cf085400f0f377fd1101e2db40a9891174a1859b8d12fe96abdd5bb1ce7e854fb06b7b2531a014c4915e |
C:\Windows\system\vziioPw.exe
| MD5 | f8bd3ec9e121be4400aeca931d8883b6 |
| SHA1 | 0c18449607b194f5bd8b6b2f337840a7c4832e5a |
| SHA256 | d448eec2216d0c4307adf393e59fb9e724b2194083cb5e5f97a94c2a80d2d443 |
| SHA512 | 9d5fb1041e3fdf1189dbfb8a97b5e234a887366827023f7ed791fded5bca28658bb34c860aed16b49a282072a0017dd9880c76ba4f090473241b298735069628 |
memory/2764-67-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2044-62-0x0000000002260000-0x00000000025B4000-memory.dmp
C:\Windows\system\rlrnQeV.exe
| MD5 | b5b7309e3b6345ad437e9c5d67736474 |
| SHA1 | 772592f720c3d574efc0a9b8de0cc6041570ff96 |
| SHA256 | c9e2e93466d5b44d5c290cbbe109ddacec1eda811a5c3ec58acd93a0b71ec74d |
| SHA512 | cb4f4e62311f80dfc604d56ca796c81cc9dc40c0fdda42635c539d4cb909b3a87f564ac3363b664e1e4669f7c2d55709a3105679f8fb40baf1c50ab247c42eba |
memory/1156-40-0x000000013FEF0000-0x0000000140244000-memory.dmp
C:\Windows\system\ooJfaKa.exe
| MD5 | 007c0e40755976cfa49e893b8915f68e |
| SHA1 | 954bcdeece8f8b765a47891b55bcdee49c0e96f5 |
| SHA256 | 5759663996621c68bf288d5dfd1d79cfe733aac455766df7421b456b0175279c |
| SHA512 | 83bce4bdfa4d2bcdb2c88dd82b02faf5a8a1f94ea542fe139f461d0fdb614122ba6a1a69bbb432dba0ab98cc4c465e2c76f6343ab35cd725d5c79527feec3d56 |
memory/2044-34-0x0000000002260000-0x00000000025B4000-memory.dmp
memory/2904-33-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2044-32-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2612-31-0x000000013F730000-0x000000013FA84000-memory.dmp
C:\Windows\system\FOnSPRT.exe
| MD5 | ff60e49435d81cd8b58d2353e6fcff04 |
| SHA1 | 1be44c990db708bb102a147da82ada4a91133521 |
| SHA256 | 9077f37ba4f82bbd9daa5decbb58a7028a5288b7628c98a44e2148561da48643 |
| SHA512 | fb42031ebc87fcc1d0a7486fdde6419dfba0ba752a29e44737a35eb2a311ecc4ec4aa29335c067be7cec384ef60dd20748925253a5921efddd8a178388530bec |
C:\Windows\system\yXLoVcX.exe
| MD5 | 8d0c7d649feea21c75f9a4b2b38c00a7 |
| SHA1 | 50b6b0fe5631337c48d4894f2723342264b1b5b9 |
| SHA256 | 13ae55739fb92423ce70b470459184cfc34bc9b497eecd3fb7b44a95f56c6e5d |
| SHA512 | 44965aaed51d7975eadc7e09d1baedc3b213ac8ef0de43297b12ac74f6acebe21ce463c111807bc1cf7a76661085f320faf00b7aa54be4bb047356f166b3b4de |
memory/2044-10-0x0000000002260000-0x00000000025B4000-memory.dmp
C:\Windows\system\pfVQHdl.exe
| MD5 | 271330b58dc8cb19a3239780c4cd4aa5 |
| SHA1 | f20493ac1fcf0937328b0094dc2ddff7527fe6d5 |
| SHA256 | ed842f1e04ff746762484b468505a0c8d40d42362806acb63648d37da6dabc38 |
| SHA512 | aae0be4f9743bb352036e16fbfaf72d0cd6a69517738db97c376bc85a66f21303b4f3a65f3480981e751311b43992cdd557e3d385fece32841b4d506627dbf9d |
memory/2044-136-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/1156-138-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2684-140-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2612-139-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2000-137-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2904-141-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2588-142-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/2572-143-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2764-144-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2484-145-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/1924-148-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2236-150-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2712-149-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/1236-147-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2592-146-0x000000013FA30000-0x000000013FD84000-memory.dmp
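The Files section names each memory dump as memory/<pid>-<sequence>-<start>-<end>-memory.dmp. The Python below is an added example, not part of the sandbox report: it parses those names, groups them per PID and checks one thing the listing does not state outright, namely that every image-sized region, in the parent (PID 2044) as well as in each child, spans exactly 0x354000 bytes, which is what you expect when one PE is written out under 21 names and mapped at a different base in each process. The 0x100000 threshold that separates image regions from the small 0x10000 region in PID 2044 is an assumption; the dump names in the sample are copied from the behavioral1 listing above.

```python
"""Parse the memory/<pid>-<seq>-<start>-<end>-memory.dmp names from the Files section
and check that the image-sized regions all have one size. Added example; not part of the report."""
import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """Split one dump file name into pid, sequence number, start, end and size in bytes."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def summarize_dumps(names, image_min=0x100000):
    """Group dumps per PID and report the distinct sizes of image-sized regions.

    image_min (assumption) separates a mapped PE image from small heap-sized regions.
    One size shared by every PID is the signature of a single PE relocated into each process."""
    per_pid = defaultdict(list)
    for dump in map(parse_dump, names):
        per_pid[dump["pid"]].append(dump)
    image_sizes = {d["size"] for dumps in per_pid.values() for d in dumps if d["size"] >= image_min}
    small = [d for dumps in per_pid.values() for d in dumps if d["size"] < image_min]
    return {"pids": sorted(per_pid), "image_sizes": image_sizes, "small_regions": small}


# Dump names copied from the behavioral1 Files section of this report.
REPORT_DUMPS = [
    "memory/2044-0-0x000000013FCD0000-0x0000000140024000-memory.dmp",
    "memory/2044-1-0x0000000000580000-0x0000000000590000-memory.dmp",
    "memory/2044-24-0x000000013F730000-0x000000013FA84000-memory.dmp",
    "memory/2000-18-0x000000013FAC0000-0x000000013FE14000-memory.dmp",
    "memory/2588-43-0x000000013FDD0000-0x0000000140124000-memory.dmp",
    "memory/2684-41-0x000000013F920000-0x000000013FC74000-memory.dmp",
    "memory/2044-48-0x0000000002260000-0x00000000025B4000-memory.dmp",
    "memory/2572-50-0x000000013FC50000-0x000000013FFA4000-memory.dmp",
    "memory/1156-40-0x000000013FEF0000-0x0000000140244000-memory.dmp",
    "memory/2904-33-0x000000013F300000-0x000000013F654000-memory.dmp",
    "memory/2612-31-0x000000013F730000-0x000000013FA84000-memory.dmp",
    "memory/1236-124-0x000000013FAF0000-0x000000013FE44000-memory.dmp",
]

if __name__ == "__main__":
    summary = summarize_dumps(REPORT_DUMPS)
    print("PIDs with dumps:", summary["pids"])
    print("distinct image sizes:", [hex(s) for s in summary["image_sizes"]])
    for region in summary["small_regions"]:
        print(f"small region in pid {region['pid']}: {hex(region['start'])}-{hex(region['end'])}")
```

When a report lists dozens of dumps, a single distinct image size tells you that you only need to unpack and examine one of them; a second size would point at a genuinely different payload worth pulling separately.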
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 17:54
Reported
2024-06-06 17:57
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits recorded; the report gives no description, indicator, process or target for them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits recorded; the report gives no description, indicator, process or target for them.
UPX dump on OEP (original entry point)
64 hits recorded; the report gives no description, indicator, process or target for them.
XMRig Miner payload
64 hits recorded; the report gives no description, indicator, process or target for them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\pfVQHdl.exe | N/A |
| N/A | N/A | C:\Windows\System\yXLoVcX.exe | N/A |
| N/A | N/A | C:\Windows\System\FOnSPRT.exe | N/A |
| N/A | N/A | C:\Windows\System\wXaxoUr.exe | N/A |
| N/A | N/A | C:\Windows\System\lfbbVRU.exe | N/A |
| N/A | N/A | C:\Windows\System\ooJfaKa.exe | N/A |
| N/A | N/A | C:\Windows\System\rlrnQeV.exe | N/A |
| N/A | N/A | C:\Windows\System\XJAqpqz.exe | N/A |
| N/A | N/A | C:\Windows\System\LwFKJRb.exe | N/A |
| N/A | N/A | C:\Windows\System\DFjiWdv.exe | N/A |
| N/A | N/A | C:\Windows\System\droSepl.exe | N/A |
| N/A | N/A | C:\Windows\System\vziioPw.exe | N/A |
| N/A | N/A | C:\Windows\System\GhcQpio.exe | N/A |
| N/A | N/A | C:\Windows\System\hVkvOlp.exe | N/A |
| N/A | N/A | C:\Windows\System\tVfOgfy.exe | N/A |
| N/A | N/A | C:\Windows\System\jRfmNFb.exe | N/A |
| N/A | N/A | C:\Windows\System\rgOuOdL.exe | N/A |
| N/A | N/A | C:\Windows\System\sjBVXex.exe | N/A |
| N/A | N/A | C:\Windows\System\FiosYAC.exe | N/A |
| N/A | N/A | C:\Windows\System\gNhCHBF.exe | N/A |
| N/A | N/A | C:\Windows\System\eMjeMPe.exe | N/A |
UPX packed file
64 hits recorded; the report gives no description, indicator, process or target for them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\pfVQHdl.exe
C:\Windows\System\pfVQHdl.exe
C:\Windows\System\yXLoVcX.exe
C:\Windows\System\yXLoVcX.exe
C:\Windows\System\FOnSPRT.exe
C:\Windows\System\FOnSPRT.exe
C:\Windows\System\wXaxoUr.exe
C:\Windows\System\wXaxoUr.exe
C:\Windows\System\lfbbVRU.exe
C:\Windows\System\lfbbVRU.exe
C:\Windows\System\ooJfaKa.exe
C:\Windows\System\ooJfaKa.exe
C:\Windows\System\rlrnQeV.exe
C:\Windows\System\rlrnQeV.exe
C:\Windows\System\XJAqpqz.exe
C:\Windows\System\XJAqpqz.exe
C:\Windows\System\LwFKJRb.exe
C:\Windows\System\LwFKJRb.exe
C:\Windows\System\DFjiWdv.exe
C:\Windows\System\DFjiWdv.exe
C:\Windows\System\droSepl.exe
C:\Windows\System\droSepl.exe
C:\Windows\System\vziioPw.exe
C:\Windows\System\vziioPw.exe
C:\Windows\System\GhcQpio.exe
C:\Windows\System\GhcQpio.exe
C:\Windows\System\hVkvOlp.exe
C:\Windows\System\hVkvOlp.exe
C:\Windows\System\tVfOgfy.exe
C:\Windows\System\tVfOgfy.exe
C:\Windows\System\jRfmNFb.exe
C:\Windows\System\jRfmNFb.exe
C:\Windows\System\rgOuOdL.exe
C:\Windows\System\rgOuOdL.exe
C:\Windows\System\sjBVXex.exe
C:\Windows\System\sjBVXex.exe
C:\Windows\System\FiosYAC.exe
C:\Windows\System\FiosYAC.exe
C:\Windows\System\gNhCHBF.exe
C:\Windows\System\gNhCHBF.exe
C:\Windows\System\eMjeMPe.exe
C:\Windows\System\eMjeMPe.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files