Analysis Overview
SHA256: 6c1f3727b46fd53a760d9c10c4df5305546c5ba3d77a0b8d828698b452c47984
Threat Level: Known bad
The file 2024-06-08_fed0ae1e489be3e5e86e25a6c520a989_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike family
XMRig Miner payload
Xmrig family
xmrig
Cobalt Strike reflective loader
Cobaltstrike
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported: 2024-06-08 17:30
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-08 17:30
Reported: 2024-06-08 17:34
Platform: win7-20240508-en
Max time kernel: 134s
Max time network: 150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\IbGRbTA.exe |
| C:\Windows\System\lRvYHQy.exe |
| C:\Windows\System\MoXhKvP.exe |
| C:\Windows\System\LVrvIfp.exe |
| C:\Windows\System\ucriGrd.exe |
| C:\Windows\System\BsXRcsi.exe |
| C:\Windows\System\RqyJZYr.exe |
| C:\Windows\System\Llwnecy.exe |
| C:\Windows\System\YyVNHfT.exe |
| C:\Windows\System\cBXFwHO.exe |
| C:\Windows\System\iGNoUvz.exe |
| C:\Windows\System\GVfGBry.exe |
| C:\Windows\System\okNFTaL.exe |
| C:\Windows\System\sUCQPwZ.exe |
| C:\Windows\System\gUUyPXs.exe |
| C:\Windows\System\pfxjDFG.exe |
| C:\Windows\System\kTwSLCq.exe |
| C:\Windows\System\yIqaCqE.exe |
| C:\Windows\System\dwoVTBs.exe |
| C:\Windows\System\AWyewrE.exe |
| C:\Windows\System\ZKsHHXn.exe |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-06-08_fed0ae1e489be3e5e86e25a6c520a989_cobalt-strike_cobaltstrike.exe |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-06-08_fed0ae1e489be3e5e86e25a6c520a989_cobalt-strike_cobaltstrike.exe |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_fed0ae1e489be3e5e86e25a6c520a989_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_fed0ae1e489be3e5e86e25a6c520a989_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\IbGRbTA.exe | C:\Windows\System\IbGRbTA.exe |
| C:\Windows\System\lRvYHQy.exe | C:\Windows\System\lRvYHQy.exe |
| C:\Windows\System\MoXhKvP.exe | C:\Windows\System\MoXhKvP.exe |
| C:\Windows\System\LVrvIfp.exe | C:\Windows\System\LVrvIfp.exe |
| C:\Windows\System\ucriGrd.exe | C:\Windows\System\ucriGrd.exe |
| C:\Windows\System\YyVNHfT.exe | C:\Windows\System\YyVNHfT.exe |
| C:\Windows\System\BsXRcsi.exe | C:\Windows\System\BsXRcsi.exe |
| C:\Windows\System\GVfGBry.exe | C:\Windows\System\GVfGBry.exe |
| C:\Windows\System\RqyJZYr.exe | C:\Windows\System\RqyJZYr.exe |
| C:\Windows\System\pfxjDFG.exe | C:\Windows\System\pfxjDFG.exe |
| C:\Windows\System\Llwnecy.exe | C:\Windows\System\Llwnecy.exe |
| C:\Windows\System\kTwSLCq.exe | C:\Windows\System\kTwSLCq.exe |
| C:\Windows\System\cBXFwHO.exe | C:\Windows\System\cBXFwHO.exe |
| C:\Windows\System\yIqaCqE.exe | C:\Windows\System\yIqaCqE.exe |
| C:\Windows\System\iGNoUvz.exe | C:\Windows\System\iGNoUvz.exe |
| C:\Windows\System\dwoVTBs.exe | C:\Windows\System\dwoVTBs.exe |
| C:\Windows\System\okNFTaL.exe | C:\Windows\System\okNFTaL.exe |
| C:\Windows\System\AWyewrE.exe | C:\Windows\System\AWyewrE.exe |
| C:\Windows\System\sUCQPwZ.exe | C:\Windows\System\sUCQPwZ.exe |
| C:\Windows\System\ZKsHHXn.exe | C:\Windows\System\ZKsHHXn.exe |
| C:\Windows\System\gUUyPXs.exe | C:\Windows\System\gUUyPXs.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-08 17:30
Reported: 2024-06-08 17:34
Platform: win10v2004-20240508-en
Max time kernel: 144s
Max time network: 149s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\ydiTgrf.exe |
| C:\Windows\System\jIPRBXf.exe |
| C:\Windows\System\TMmsTHG.exe |
| C:\Windows\System\dNGHxAZ.exe |
| C:\Windows\System\qrIxCKl.exe |
| C:\Windows\System\JGhyJii.exe |
| C:\Windows\System\XBgUAfP.exe |
| C:\Windows\System\CsQKKcW.exe |
| C:\Windows\System\LtPIgOt.exe |
| C:\Windows\System\xvxJctY.exe |
| C:\Windows\System\olwZJzV.exe |
| C:\Windows\System\ttJCLLj.exe |
| C:\Windows\System\RkTVnqx.exe |
| C:\Windows\System\ZkRlkAx.exe |
| C:\Windows\System\tVHDaLM.exe |
| C:\Windows\System\CNeApHs.exe |
| C:\Windows\System\qaowyOV.exe |
| C:\Windows\System\IhSXPUf.exe |
| C:\Windows\System\dfJmjsS.exe |
| C:\Windows\System\gxvVZiZ.exe |
| C:\Windows\System\ynwpAym.exe |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-06-08_fed0ae1e489be3e5e86e25a6c520a989_cobalt-strike_cobaltstrike.exe |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-06-08_fed0ae1e489be3e5e86e25a6c520a989_cobalt-strike_cobaltstrike.exe |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_fed0ae1e489be3e5e86e25a6c520a989_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_fed0ae1e489be3e5e86e25a6c520a989_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\ydiTgrf.exe | C:\Windows\System\ydiTgrf.exe |
| C:\Windows\System\jIPRBXf.exe | C:\Windows\System\jIPRBXf.exe |
| C:\Windows\System\TMmsTHG.exe | C:\Windows\System\TMmsTHG.exe |
| C:\Windows\System\dNGHxAZ.exe | C:\Windows\System\dNGHxAZ.exe |
| C:\Windows\System\qrIxCKl.exe | C:\Windows\System\qrIxCKl.exe |
| C:\Windows\System\JGhyJii.exe | C:\Windows\System\JGhyJii.exe |
| C:\Windows\System\XBgUAfP.exe | C:\Windows\System\XBgUAfP.exe |
| C:\Windows\System\CsQKKcW.exe | C:\Windows\System\CsQKKcW.exe |
| C:\Windows\System\LtPIgOt.exe | C:\Windows\System\LtPIgOt.exe |
| C:\Windows\System\xvxJctY.exe | C:\Windows\System\xvxJctY.exe |
| C:\Windows\System\olwZJzV.exe | C:\Windows\System\olwZJzV.exe |
| C:\Windows\System\ttJCLLj.exe | C:\Windows\System\ttJCLLj.exe |
| C:\Windows\System\RkTVnqx.exe | C:\Windows\System\RkTVnqx.exe |
| C:\Windows\System\ZkRlkAx.exe | C:\Windows\System\ZkRlkAx.exe |
| C:\Windows\System\tVHDaLM.exe | C:\Windows\System\tVHDaLM.exe |
| C:\Windows\System\CNeApHs.exe | C:\Windows\System\CNeApHs.exe |
| C:\Windows\System\qaowyOV.exe | C:\Windows\System\qaowyOV.exe |
| C:\Windows\System\IhSXPUf.exe | C:\Windows\System\IhSXPUf.exe |
| C:\Windows\System\dfJmjsS.exe | C:\Windows\System\dfJmjsS.exe |
| C:\Windows\System\gxvVZiZ.exe | C:\Windows\System\gxvVZiZ.exe |
| C:\Windows\System\ynwpAym.exe | C:\Windows\System\ynwpAym.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4040 /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\olwZJzV.exe
| MD5 | 070e94583fc891e203f0094597f9ab80 |
| SHA1 | 813a3f613138c527ac08be597825f56ea6d736d1 |
| SHA256 | afc28d4643389d02604729fcb573e45c68c98326d27958a12ca0cf2d8b7dd2f4 |
| SHA512 | 40f21eb1729ae3bb7a30c23cc24d1585adb00d0dcae34e01b835f3f755537a47c11eddae2d88c29de9d43088edb7faa272f3c52e2b9ae91cedee010a4e26ad56 |
C:\Windows\System\ttJCLLj.exe
| MD5 | 2233450f6f4d2875ab0fb346a8c59e27 |
| SHA1 | 6f7f8a16206ca2a8e8a878183e2937f6daf3d5a9 |
| SHA256 | a7490e0845575bc46c4268d3d710db6b6dde2731ce425b2e48426c79675e7389 |
| SHA512 | 7dd1fde8b37b2262154fde99229ea69849ffec14765fa7ae00a2a63eb8fa25aa7987b8a09552bc0e506d1743c628e0599c8a5360c51e49c617fcbede3dc0f769 |
C:\Windows\System\tVHDaLM.exe
| MD5 | 8d83b2fbe9ddc300eb4c0094316bb79c |
| SHA1 | a8c91ead95ed50bd1a0b694711e5da44d1bcf37a |
| SHA256 | 2a19325117b81e9de36a683675fa3907881889cc39759c6a7704bb3dc7b43acf |
| SHA512 | fc19cb2e1f5c30a81e03b7d5821a1a07217c0e28fa327cab92378e6c4f3cb2f49c36ffa4289baffeb2ec98c025151fc7e7d5397f34f0b3da24aaa2c422881d20 |
C:\Windows\System\qaowyOV.exe
| MD5 | 016aa52ae36a6950978368c9d1bd56ae |
| SHA1 | a08e108d1d33fb7d66d2343fbc10f1d9735536b3 |
| SHA256 | bac7ab6a3499770d56d67050eeb912bb57acef7fc3566f489acad03a857840db |
| SHA512 | f817719b7feb1b6338799f72c8b66739d7dd795e72435c6b8838a5d1a920f024502a594a2ea1053761b5c5b857c3c5001d203ad4564859de9ed135e970e2b56e |
C:\Windows\System\IhSXPUf.exe
| MD5 | 68a8ac5abc1a0801e7b681ba227ebc44 |
| SHA1 | 341fb0c6bd7785f9d7433875991da9fb13c60978 |
| SHA256 | ca2cc1136c4d40c557753d070cdb7d1213f125dde2cf546f4bfd66acbecde9aa |
| SHA512 | 3aa7fbe9ef531351177e014ebc6e18241941fba0effeafa7b9d04828ba130dae6371152dd25fce75df901051f103d73aa18a637ef6ec27527b0cdabeb660e5a3 |
C:\Windows\System\ynwpAym.exe
| MD5 | 598f788f8735d277541b5c45319fcfd1 |
| SHA1 | 1b8cd61636e0382cd44c935ce6c487edccae18da |
| SHA256 | cb6061011b3bc803876dbd1ce8e94968bb18856a9dd792c3ae3aa4344df5f254 |
| SHA512 | 39b6fa532ced3035999185c5d27a1c30545eba5cffda7d18e0f624b31a4a83dd520991d7689a689899f842d56a3543ac518f7073b593edac79b495a5003cac9b |
C:\Windows\System\gxvVZiZ.exe
| MD5 | ca9c9a73e2d858e193b24922db69d091 |
| SHA1 | 0028ab1a6e09b326a8d1af55e2c464726668bb28 |
| SHA256 | bdcdd539ddbd9b973b82fbc0d428f6c46a9c38022dd247b5a236cf7997f60348 |
| SHA512 | c36035878578da03b8011b940b1f64afd83742b85aa4b13b4dd94f08481835d8401ed9158b1cc8525b7a58eba9e95fc3c38b11cd0f4fa008b6dcde132f243d8f |
C:\Windows\System\dfJmjsS.exe
| MD5 | f35812ec155dc718c29c12e3f3858904 |
| SHA1 | 34c326c243448ed510220f51e3642ddb61ab35c6 |
| SHA256 | 9f4a65b314454b29af4752db6ce9f3c7c5eb680499ae1f63927254e72d377183 |
| SHA512 | 1f166e0a022c28b9f72a865a4338b5302e2f59ccab66da34802548aef9935a76cb025e322b63d0cd973ad65b3cc4835996a221ba456ac0fda224eb44ea451d3e |
C:\Windows\System\CNeApHs.exe
| MD5 | b4b7f5b309e674bb5282f5d741d187b5 |
| SHA1 | dccbbe93faa41002ca7a36bdc5d67b75f22fb4cc |
| SHA256 | 620add5ed9ebf0c0053be6b8b3cc4c9d2dd835f3e8f8298b1b7bda7d95e495d7 |
| SHA512 | 113aee900d15c84867c86794c4545b3282cb303d780f381b3dbc35e19db4ba139fb4bc93d556d0ad3387b3dd8db789c7a70122837613b9442a25cd3d365544b0 |
C:\Windows\System\ZkRlkAx.exe
| MD5 | 8ec6922157836fb3a49336dd6d39dccd |
| SHA1 | 73d4c6ef6f30544fbd93f1fce8281489ac99b1aa |
| SHA256 | a5268c0911d12189fa9fd27e747d23cc9c5064103d88cda5031aa220ddfe066e |
| SHA512 | b2287fd83b1a2cb9a03cd9e8ca2202a762a83081a251a50f57029499b27d7bf6e8ea5d6cca2d40b1d586ead474d7ba0839d09d1d09465967ca20b99a77913a0c |
C:\Windows\System\RkTVnqx.exe
| MD5 | 1f2780855023c5ef34e35a3f1dabeec0 |
| SHA1 | 374e48670558ae45000fb23b400a70327437f8ca |
| SHA256 | 37acfaa2f7076c30a6485eee8ad9317020447d4dbd871aa44838b38d2190cd6b |
| SHA512 | 844bb88e9df394d24591c87582aed461d73d1b18257cc5883b93959a59f214a84335f4a6deea79961c27f0d7bb40cea539127d2fd02d1fd5de568e99da3d31af |
C:\Windows\System\LtPIgOt.exe
| MD5 | 65ea8eeb942b4dfaac94730de58fccc0 |
| SHA1 | b4e512aba7ad496f42e9b19025d1fe62a067d2bb |
| SHA256 | 8a092420d4e509c35e0d3b62d6e7867bc62b69e7588bf6fc047cab7149945c27 |
| SHA512 | 4605bca37529aaea199a39cee82a82dea19f92ea07b0df519647565db57e586edd690b52de825af98026610376856d79c00727b026556b38da89f98cb5fba751 |
memory/4028-34-0x00007FF61A5B0000-0x00007FF61A904000-memory.dmp
memory/4844-24-0x00007FF78C330000-0x00007FF78C684000-memory.dmp
memory/4720-14-0x00007FF654CB0000-0x00007FF655004000-memory.dmp
memory/2000-111-0x00007FF79C2B0000-0x00007FF79C604000-memory.dmp
memory/4356-113-0x00007FF60E1D0000-0x00007FF60E524000-memory.dmp
memory/3180-112-0x00007FF696040000-0x00007FF696394000-memory.dmp
memory/2708-114-0x00007FF7E14F0000-0x00007FF7E1844000-memory.dmp
memory/2700-115-0x00007FF702F60000-0x00007FF7032B4000-memory.dmp
memory/4460-116-0x00007FF6CB7F0000-0x00007FF6CBB44000-memory.dmp
memory/3528-117-0x00007FF6154F0000-0x00007FF615844000-memory.dmp
memory/1996-118-0x00007FF6A1E20000-0x00007FF6A2174000-memory.dmp
memory/3552-119-0x00007FF713340000-0x00007FF713694000-memory.dmp
memory/3920-120-0x00007FF719C60000-0x00007FF719FB4000-memory.dmp
memory/4116-121-0x00007FF734860000-0x00007FF734BB4000-memory.dmp
memory/960-122-0x00007FF66FBA0000-0x00007FF66FEF4000-memory.dmp
memory/2296-123-0x00007FF6DB0A0000-0x00007FF6DB3F4000-memory.dmp
memory/2588-124-0x00007FF7FDD60000-0x00007FF7FE0B4000-memory.dmp
memory/2744-125-0x00007FF7AD7A0000-0x00007FF7ADAF4000-memory.dmp
memory/1120-126-0x00007FF77D1E0000-0x00007FF77D534000-memory.dmp
memory/3000-127-0x00007FF7255E0000-0x00007FF725934000-memory.dmp
memory/1580-128-0x00007FF6FE980000-0x00007FF6FECD4000-memory.dmp
memory/4768-129-0x00007FF7A8150000-0x00007FF7A84A4000-memory.dmp
memory/4720-130-0x00007FF654CB0000-0x00007FF655004000-memory.dmp
memory/4844-131-0x00007FF78C330000-0x00007FF78C684000-memory.dmp
memory/4768-132-0x00007FF7A8150000-0x00007FF7A84A4000-memory.dmp
memory/4720-133-0x00007FF654CB0000-0x00007FF655004000-memory.dmp
memory/4844-134-0x00007FF78C330000-0x00007FF78C684000-memory.dmp
memory/2000-135-0x00007FF79C2B0000-0x00007FF79C604000-memory.dmp
memory/4028-136-0x00007FF61A5B0000-0x00007FF61A904000-memory.dmp
memory/3000-137-0x00007FF7255E0000-0x00007FF725934000-memory.dmp
memory/4356-139-0x00007FF60E1D0000-0x00007FF60E524000-memory.dmp
memory/3180-138-0x00007FF696040000-0x00007FF696394000-memory.dmp
memory/1996-141-0x00007FF6A1E20000-0x00007FF6A2174000-memory.dmp
memory/4460-143-0x00007FF6CB7F0000-0x00007FF6CBB44000-memory.dmp
memory/3552-145-0x00007FF713340000-0x00007FF713694000-memory.dmp
memory/2700-144-0x00007FF702F60000-0x00007FF7032B4000-memory.dmp
memory/3528-142-0x00007FF6154F0000-0x00007FF615844000-memory.dmp
memory/2708-140-0x00007FF7E14F0000-0x00007FF7E1844000-memory.dmp
memory/1120-146-0x00007FF77D1E0000-0x00007FF77D534000-memory.dmp
memory/2588-152-0x00007FF7FDD60000-0x00007FF7FE0B4000-memory.dmp
memory/3920-151-0x00007FF719C60000-0x00007FF719FB4000-memory.dmp
memory/4116-150-0x00007FF734860000-0x00007FF734BB4000-memory.dmp
memory/960-149-0x00007FF66FBA0000-0x00007FF66FEF4000-memory.dmp
memory/2296-148-0x00007FF6DB0A0000-0x00007FF6DB3F4000-memory.dmp
memory/2744-147-0x00007FF7AD7A0000-0x00007FF7ADAF4000-memory.dmp
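For hunting on other hosts, the path and hash rows above can be turned into an IOC set. The Python below is an added example, not part of the report or of the sample: it parses an excerpt copied from the Files list (two of the twenty-one dropped executables), builds a digest index, hashes candidate file bytes against it, and applies a name heuristic generalised from what the list shows (seven-letter mixed-case .exe names written directly under C:\Windows\System). The parsing rules, the heuristic and all function names are assumptions.

```python
"""IOC extraction from the Files list above: added example, not part of
the report. FILES_EXCERPT is copied from the list; parsing rules, the
name heuristic and function names are assumptions."""
import hashlib
import re

FILES_EXCERPT = r"""
memory/1580-0-0x00007FF6FE980000-0x00007FF6FECD4000-memory.dmp
C:\Windows\System\ydiTgrf.exe
| MD5 | 339b8f52a81672efe0f9a049c9b2e18f |
| SHA1 | cdd22dff7edbc464636d65078be9f5ab695aec41 |
| SHA256 | f760f9a892b0baf0ee890c01e46059c2769707d5a4c144bab80b91000dc0be55 |
| SHA512 | f19b7f34eebc4af96fb1fe8e1f9f40865784946548533c729685787cf6ec74170a2c44079443f9a3e4a5de89b77d79184e1259ab0ddab3dedf8760f1a0f4caed |
memory/4768-8-0x00007FF7A8150000-0x00007FF7A84A4000-memory.dmp
C:\Windows\System\TMmsTHG.exe
| MD5 | b4ad63e14529f8de26a66dd011953e35 |
| SHA1 | 3fad63ed42b3448bd93932d8f2243be5e809748b |
| SHA256 | 0208fb1aa1c220f9bb37bedd0b4abd8fd13f5beb9fc1981688bb84321b97d494 |
| SHA512 | a688890f869894d219a2f985e7fb9f3d3c59d6411911aa4fb067453c315011199e88833f9db7ac429d70b0ccc4b1ab2a1c19d00cf1241d248ca9b57616bc1d97 |
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.(?:exe|dll)$", re.I)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Every dropped file in the list is seven mixed-case letters plus .exe,
# written directly under C:\Windows\System, a legacy directory where new
# executables are not expected. The heuristic is an assumption built on that.
DROP_NAME_RE = re.compile(r"^[A-Za-z]:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse_files(text):
    """Map each dropped-file path to its {algo: hexdigest} table.
    Memory-dump lines carry no hashes and are skipped."""
    iocs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = line
            iocs[current] = {}
            continue
        m = HASH_RE.match(line)
        if m and current:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{current}: {algo} digest has wrong length")
            iocs[current][algo] = digest
    return iocs


def hash_index(iocs):
    """Invert to {hexdigest: (path, algo)} so a lookup works whichever
    algorithm a log line or EDR event happens to carry."""
    return {d: (path, algo) for path, table in iocs.items() for algo, d in table.items()}


def digests_of(data):
    """All four digests of a byte string, keyed by algorithm name."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_LEN}


def match_bytes(data, index):
    """Return (path, algo) for the first digest of data present in index, else None."""
    for digest in digests_of(data).values():
        if digest in index:
            return index[digest]
    return None


def suspicious_drop_path(path):
    return bool(DROP_NAME_RE.match(path))


if __name__ == "__main__":
    iocs = parse_files(FILES_EXCERPT)
    index = hash_index(iocs)
    print(f"{len(iocs)} files, {len(index)} digests indexed")
    for path in iocs:
        print(path, "<- matches drop-name heuristic" if suspicious_drop_path(path) else "")
```

Feeding the full Files section into parse_files yields all twenty-one entries; the length check on each digest catches rows that were truncated when the report was copied. The name heuristic is deliberately narrow: it should be paired with the hash index rather than used alone, since a legitimate seven-letter executable under that path is unlikely but not impossible.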