Analysis Overview
SHA256
dec0a0b592694a6b013df76ee14ea042319b91cac64b202661023e3175b00b98
Threat Level: Known bad
The file 2024-05-29_6b2fd37e0351b8e06387dc846b1b6d08_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike
xmrig
Cobaltstrike family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-29 22:45
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 22:45
Reported
2024-05-29 22:47
Platform
win7-20240221-en
Max time kernel
134s
Max time network
144s
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jJUzQiG.exe | N/A |
| N/A | N/A | C:\Windows\System\laXVBcx.exe | N/A |
| N/A | N/A | C:\Windows\System\NquUzYD.exe | N/A |
| N/A | N/A | C:\Windows\System\tNAahSb.exe | N/A |
| N/A | N/A | C:\Windows\System\RcClsli.exe | N/A |
| N/A | N/A | C:\Windows\System\VCsuHsu.exe | N/A |
| N/A | N/A | C:\Windows\System\OVciTjk.exe | N/A |
| N/A | N/A | C:\Windows\System\YLrddpS.exe | N/A |
| N/A | N/A | C:\Windows\System\YShmoFk.exe | N/A |
| N/A | N/A | C:\Windows\System\RCsabdF.exe | N/A |
| N/A | N/A | C:\Windows\System\xRXmHYo.exe | N/A |
| N/A | N/A | C:\Windows\System\WZNkszn.exe | N/A |
| N/A | N/A | C:\Windows\System\RXTptOC.exe | N/A |
| N/A | N/A | C:\Windows\System\WcdyTTA.exe | N/A |
| N/A | N/A | C:\Windows\System\iEKkLyw.exe | N/A |
| N/A | N/A | C:\Windows\System\FJllAdZ.exe | N/A |
| N/A | N/A | C:\Windows\System\uQCWbbO.exe | N/A |
| N/A | N/A | C:\Windows\System\JBjBCrs.exe | N/A |
| N/A | N/A | C:\Windows\System\XvxoVwU.exe | N/A |
| N/A | N/A | C:\Windows\System\kLgwnUR.exe | N/A |
| N/A | N/A | C:\Windows\System\GAEjeuB.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_6b2fd37e0351b8e06387dc846b1b6d08_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_6b2fd37e0351b8e06387dc846b1b6d08_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_6b2fd37e0351b8e06387dc846b1b6d08_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\jJUzQiG.exe
C:\Windows\System\jJUzQiG.exe
C:\Windows\System\laXVBcx.exe
C:\Windows\System\laXVBcx.exe
C:\Windows\System\NquUzYD.exe
C:\Windows\System\NquUzYD.exe
C:\Windows\System\tNAahSb.exe
C:\Windows\System\tNAahSb.exe
C:\Windows\System\RcClsli.exe
C:\Windows\System\RcClsli.exe
C:\Windows\System\VCsuHsu.exe
C:\Windows\System\VCsuHsu.exe
C:\Windows\System\OVciTjk.exe
C:\Windows\System\OVciTjk.exe
C:\Windows\System\RCsabdF.exe
C:\Windows\System\RCsabdF.exe
C:\Windows\System\YLrddpS.exe
C:\Windows\System\YLrddpS.exe
C:\Windows\System\WcdyTTA.exe
C:\Windows\System\WcdyTTA.exe
C:\Windows\System\YShmoFk.exe
C:\Windows\System\YShmoFk.exe
C:\Windows\System\iEKkLyw.exe
C:\Windows\System\iEKkLyw.exe
C:\Windows\System\xRXmHYo.exe
C:\Windows\System\xRXmHYo.exe
C:\Windows\System\FJllAdZ.exe
C:\Windows\System\FJllAdZ.exe
C:\Windows\System\WZNkszn.exe
C:\Windows\System\WZNkszn.exe
C:\Windows\System\uQCWbbO.exe
C:\Windows\System\uQCWbbO.exe
C:\Windows\System\RXTptOC.exe
C:\Windows\System\RXTptOC.exe
C:\Windows\System\JBjBCrs.exe
C:\Windows\System\JBjBCrs.exe
C:\Windows\System\XvxoVwU.exe
C:\Windows\System\XvxoVwU.exe
C:\Windows\System\GAEjeuB.exe
C:\Windows\System\GAEjeuB.exe
C:\Windows\System\kLgwnUR.exe
C:\Windows\System\kLgwnUR.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 22:45
Reported
2024-05-29 22:47
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
157s
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\CEJnHeM.exe | N/A |
| N/A | N/A | C:\Windows\System\okklOPr.exe | N/A |
| N/A | N/A | C:\Windows\System\ylZyise.exe | N/A |
| N/A | N/A | C:\Windows\System\KdfCClI.exe | N/A |
| N/A | N/A | C:\Windows\System\RGczIPS.exe | N/A |
| N/A | N/A | C:\Windows\System\reUZveY.exe | N/A |
| N/A | N/A | C:\Windows\System\NKLkYJX.exe | N/A |
| N/A | N/A | C:\Windows\System\ZJQKSPt.exe | N/A |
| N/A | N/A | C:\Windows\System\cNJYWJN.exe | N/A |
| N/A | N/A | C:\Windows\System\NwNNVsK.exe | N/A |
| N/A | N/A | C:\Windows\System\JBZHeDG.exe | N/A |
| N/A | N/A | C:\Windows\System\ZwlPLgD.exe | N/A |
| N/A | N/A | C:\Windows\System\cQgFoNY.exe | N/A |
| N/A | N/A | C:\Windows\System\LFaNlAf.exe | N/A |
| N/A | N/A | C:\Windows\System\AmROnae.exe | N/A |
| N/A | N/A | C:\Windows\System\EaVDqPO.exe | N/A |
| N/A | N/A | C:\Windows\System\FjSIkup.exe | N/A |
| N/A | N/A | C:\Windows\System\AgDQHUq.exe | N/A |
| N/A | N/A | C:\Windows\System\CYqNoMj.exe | N/A |
| N/A | N/A | C:\Windows\System\tazGBZX.exe | N/A |
| N/A | N/A | C:\Windows\System\tYbGRaW.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_6b2fd37e0351b8e06387dc846b1b6d08_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_6b2fd37e0351b8e06387dc846b1b6d08_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_6b2fd37e0351b8e06387dc846b1b6d08_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\CEJnHeM.exe
C:\Windows\System\CEJnHeM.exe
C:\Windows\System\okklOPr.exe
C:\Windows\System\okklOPr.exe
C:\Windows\System\ylZyise.exe
C:\Windows\System\ylZyise.exe
C:\Windows\System\KdfCClI.exe
C:\Windows\System\KdfCClI.exe
C:\Windows\System\RGczIPS.exe
C:\Windows\System\RGczIPS.exe
C:\Windows\System\reUZveY.exe
C:\Windows\System\reUZveY.exe
C:\Windows\System\NKLkYJX.exe
C:\Windows\System\NKLkYJX.exe
C:\Windows\System\ZJQKSPt.exe
C:\Windows\System\ZJQKSPt.exe
C:\Windows\System\cNJYWJN.exe
C:\Windows\System\cNJYWJN.exe
C:\Windows\System\NwNNVsK.exe
C:\Windows\System\NwNNVsK.exe
C:\Windows\System\JBZHeDG.exe
C:\Windows\System\JBZHeDG.exe
C:\Windows\System\ZwlPLgD.exe
C:\Windows\System\ZwlPLgD.exe
C:\Windows\System\cQgFoNY.exe
C:\Windows\System\cQgFoNY.exe
C:\Windows\System\LFaNlAf.exe
C:\Windows\System\LFaNlAf.exe
C:\Windows\System\AmROnae.exe
C:\Windows\System\AmROnae.exe
C:\Windows\System\EaVDqPO.exe
C:\Windows\System\EaVDqPO.exe
C:\Windows\System\FjSIkup.exe
C:\Windows\System\FjSIkup.exe
C:\Windows\System\AgDQHUq.exe
C:\Windows\System\AgDQHUq.exe
C:\Windows\System\CYqNoMj.exe
C:\Windows\System\CYqNoMj.exe
C:\Windows\System\tazGBZX.exe
C:\Windows\System\tazGBZX.exe
C:\Windows\System\tYbGRaW.exe
C:\Windows\System\tYbGRaW.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1032,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.107.98:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 98.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.116.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/2624-34-0x00007FF79E8B0000-0x00007FF79EC04000-memory.dmp
memory/3820-6-0x00007FF771B10000-0x00007FF771E64000-memory.dmp
C:\Windows\System\NKLkYJX.exe
| MD5 | 4a15f7b86cc4e748339d83edb3499e8e |
| SHA1 | 7deeb2570c212f9bdae3dd9e0ceb0a92b1b192fa |
| SHA256 | b0405267919b69ad383369d32f887da5127015fd6357a556c8cb292da989cb60 |
| SHA512 | 0f2d7324d18c4ef4117028b13fcca99134c681ed844632cce95e8ccafd9832c8dd7e90e52109db9dbc42beaa76586ce0d6b453520d7f864b2daa951605a3c181 |
C:\Windows\System\ZJQKSPt.exe
| MD5 | 984fec1f6a899d1f67810f316d875ae1 |
| SHA1 | c84956ba8a2a87f3c073aeb5e67eb4d312cd7090 |
| SHA256 | 4a736df6fba27483bde3571cb6a465dd15813244f718cf0e20b8acc3d53d493f |
| SHA512 | c20e6f37dc1c0ea67beb056c4423d2082763557b807b1dd66f9095424ded7dc6860239439c2507e1fae6c1c92653b1868b1dae90b18843b9c5b4b78e6c06e9fc |
C:\Windows\System\cNJYWJN.exe
| MD5 | db71198c6ff42530e325bd663c76c712 |
| SHA1 | 11e000f8998e51a2b49cc1c905db8a540f4cea7e |
| SHA256 | bad70c023df84f43d3f3c83ccebdcf34322cd7940409b5c9aeb9f9a22c934f59 |
| SHA512 | 8ccfcb8cf258999f33da739edccf13586f66a17f1c7a399a517deb4cae6cf2d66381a8abb94e3b5bc82e5f2202d5f43dd776cd3378c41ba4965b6af24f761b0c |
memory/2076-54-0x00007FF6A3020000-0x00007FF6A3374000-memory.dmp
C:\Windows\System\cQgFoNY.exe
| MD5 | 77e87641c070a1316ddbfecb4bdd5993 |
| SHA1 | e198994a08c08986055bc7e91e4412a0b206c5dc |
| SHA256 | 532ff6b4143682d58ff90ddd276f667155a1ac7ca0d7c1db722b78da4503a31e |
| SHA512 | ccb9f633a7660026f221d55843e33493ef7ab445b842e28d8ad858966c570c6edfbadf5294760f3664dc50406b95cf20b74171377f6eef8c4f83dfcc3ce48867 |
C:\Windows\System\LFaNlAf.exe
| MD5 | df83a99f710ff43eb40488748730097e |
| SHA1 | 37ff0e3a79c3d1d8c9a75e9f60a64f13b6160cef |
| SHA256 | 33a623af17ee1eae0f766a2014ad004b0f0fc12b181ae0173c4de954206e5477 |
| SHA512 | e218eb03aff36d413dbcef3751ac68ea42e970a7abf738e7ec5cc8c0e9ef1eb7d439f2dc88b6ffcead4e1b2d8765c76cf73d1bbd9a4133c08624e6d4e54a97bd |
C:\Windows\System\AgDQHUq.exe
| MD5 | ac46aadca81e76338762c8ff2ee52af0 |
| SHA1 | 1176e63d086a7dbed6b2f2bb91f53b6eb1285ab0 |
| SHA256 | 1a58bd3dcd89f2c3371f28d7bae64005d18b46cc519b0af68c345f8bdff39a9b |
| SHA512 | 4eae6eb59624289b6132fc0da52144a0c0818b68f70b26a560c2e0eded0817211d220d271dd3659d4db695455ee0c07b0f7c4ecd0778efd3eb91fbb34585504f |
C:\Windows\System\tYbGRaW.exe
| MD5 | 99acee7f506ed6d66b3a8c5d5de8ad71 |
| SHA1 | d2fe8974d928da069bb191d096f0cb510e65ba1b |
| SHA256 | 4724de0fd2a9453e5003c751c50eb31e1ea791e68b24195ea655dcba9ff057c0 |
| SHA512 | 4d76c7e9216b9cd0cad9a50a127c38e6fbc5663671106720c594937dda98660805928dbb88b3cd4f2224f6e1b4637ee8e62e1fa1ce99f94e362c3f4fc6dbd5b5 |
C:\Windows\System\tazGBZX.exe
| MD5 | 3e38f36e89eb56e61100f59f3f9afc68 |
| SHA1 | 01d3c140ccc5b300252cd17ea8f144528a9a201d |
| SHA256 | 993bd3c431a6b402cbda436d0d3bf2bd3deb1cd81360615504049715d15413ba |
| SHA512 | 412eea99360e7f12b6f681b1e608b2d448365dfb8d4df4574000cfd250c3ac8579879048151d0333783d84c5af227a05a94946780b875bc43b0c3b843507b3f8 |
C:\Windows\System\CYqNoMj.exe
| MD5 | 46f4348ea8f108babb2aab24196057a5 |
| SHA1 | c122cd9525edd67ef3d061f36f232ff4adebe4a4 |
| SHA256 | bf1b4dde70eb0b31a77db1edc4b22f0bfac1ccf4cb6df9d5b8b57f8f057aed10 |
| SHA512 | 75cd3a8741b5f6535d88ef0c457fd5050b746ac1dc90984b95b3944ae859bc7928cd4b71706da555bcc0265be0976ccd944a963cfc9b68ef2f3a81968a60a786 |
C:\Windows\System\FjSIkup.exe
| MD5 | 5b33f95ef6d9aaae026b31d0e9d52532 |
| SHA1 | 87b0f836dc485e593d9727dcd6f0d1c8ac1f69db |
| SHA256 | aacfa67b94c58d4d495ba975e6840afea9b2efd55b2e549e7a05cd11223b1096 |
| SHA512 | a24068f6cbd9b66acd911a21f7d58c7a3255a199d306e94344407f9602f2b7f126676479f94de98d1c8b22a8f43cba03f3e8e097ed5a72f18bc614616b653943 |
C:\Windows\System\EaVDqPO.exe
| MD5 | f28954eee5bddc5bdc6bb2880b2900fc |
| SHA1 | 3f6bd38d803139d1e85ee18e39ed84e19f2300b4 |
| SHA256 | f323e55b092d49cf8d96556e857a3fa4704c87d96951578a83845294f83cb984 |
| SHA512 | 6040daafcf34aa16030c47d157877ea9a14f16dde252a82d306558764cdd1639800f3d7b9e1d32038c5b84b29bc708311037dfbc6b703263f7ce78b933186b45 |
C:\Windows\System\AmROnae.exe
| MD5 | dff69bc335fcc35f6bc9da527aad8a8d |
| SHA1 | 99e7a8aa4beb29f7aa4f396e2baf7199e5821bb1 |
| SHA256 | c84e4844d93bfb94ae1ac85d04de576219da41bdb383b75b5b62de3c4e1b4246 |
| SHA512 | 928ddb6ffdcd9fd0d092452e427e4aa6314fb7629220643b7c3f1edbb1907db4a9563e1667acfe8736091f632fab6b3b5d56d7e3ff0bcd7b34751f7d26ffdd1f |
C:\Windows\System\ZwlPLgD.exe
| MD5 | 50a02d1bd0c0c6366e62a04895df66f0 |
| SHA1 | 697861008ccfd2eaad4e09ee57b9645b851a6c55 |
| SHA256 | 8b8dd2f4cb036150379fac4d5e6d231f5aed872754c40572475dd1cc17b11095 |
| SHA512 | c600410737dfea43bcc22f77165e43781a65e11db2678fc64e30c4ffd0b320fb52c12022af18edf5f6b43990100af69fb3064bbd385f577e780a87ea71c7f25c |
C:\Windows\System\JBZHeDG.exe
| MD5 | 9784e8678878c99ff98b6c1005ddabff |
| SHA1 | fede66b73ed6e5a7610d9364ef6fe75c8d5e0001 |
| SHA256 | 5d9e3abc2d4ebffaca810a0738cfcf4d32cc466d137f7be484c4ff2364a7ac93 |
| SHA512 | 1ec1739597287c889cdf4f5a78aff3100a328e34400ffd4491a510dadc10cf096b73214a8a26f5772f0896b99f1b86b584a30774a11faabea44e7eab9925291d |
C:\Windows\System\NwNNVsK.exe
| MD5 | d3abe6fe87f697d983e22ea5328c564d |
| SHA1 | 93a8fff3399392f6417be74a49e334e41cd644e1 |
| SHA256 | 4ebc8a7f6cd236ff0f45acbe508daf90ff72f7967be119b743e87ea91d7e771b |
| SHA512 | f8928b7a134187fbfbcb2c75fdcb4792f705cdf8e03df81de9eab8ebb8cdb365212f05b0d606db4d01a3e0cf033b281b518309c2878d7f0572f1eb54033022c6 |
memory/5028-51-0x00007FF6DEB60000-0x00007FF6DEEB4000-memory.dmp
memory/2732-43-0x00007FF71E190000-0x00007FF71E4E4000-memory.dmp
memory/2116-38-0x00007FF6C5FC0000-0x00007FF6C6314000-memory.dmp
memory/4736-116-0x00007FF61D6F0000-0x00007FF61DA44000-memory.dmp
memory/4504-117-0x00007FF712BE0000-0x00007FF712F34000-memory.dmp
memory/3076-118-0x00007FF7734C0000-0x00007FF773814000-memory.dmp
memory/3408-119-0x00007FF69B600000-0x00007FF69B954000-memory.dmp
memory/4588-120-0x00007FF695D20000-0x00007FF696074000-memory.dmp
memory/1144-121-0x00007FF609D30000-0x00007FF60A084000-memory.dmp
memory/4916-122-0x00007FF6C0720000-0x00007FF6C0A74000-memory.dmp
memory/1792-124-0x00007FF7ACEC0000-0x00007FF7AD214000-memory.dmp
memory/3868-123-0x00007FF7DBA40000-0x00007FF7DBD94000-memory.dmp
memory/4948-125-0x00007FF795F50000-0x00007FF7962A4000-memory.dmp
memory/912-126-0x00007FF6148E0000-0x00007FF614C34000-memory.dmp
memory/3456-127-0x00007FF7DE590000-0x00007FF7DE8E4000-memory.dmp
memory/4296-128-0x00007FF711E50000-0x00007FF7121A4000-memory.dmp
memory/3820-129-0x00007FF771B10000-0x00007FF771E64000-memory.dmp
memory/2732-130-0x00007FF71E190000-0x00007FF71E4E4000-memory.dmp
memory/2076-131-0x00007FF6A3020000-0x00007FF6A3374000-memory.dmp
memory/3820-132-0x00007FF771B10000-0x00007FF771E64000-memory.dmp
memory/5076-133-0x00007FF6E8AD0000-0x00007FF6E8E24000-memory.dmp
memory/4728-134-0x00007FF70C0C0000-0x00007FF70C414000-memory.dmp
memory/2012-135-0x00007FF7501D0000-0x00007FF750524000-memory.dmp
memory/2624-136-0x00007FF79E8B0000-0x00007FF79EC04000-memory.dmp
memory/2116-137-0x00007FF6C5FC0000-0x00007FF6C6314000-memory.dmp
memory/2732-138-0x00007FF71E190000-0x00007FF71E4E4000-memory.dmp
memory/5028-139-0x00007FF6DEB60000-0x00007FF6DEEB4000-memory.dmp
memory/2076-140-0x00007FF6A3020000-0x00007FF6A3374000-memory.dmp
memory/4504-141-0x00007FF712BE0000-0x00007FF712F34000-memory.dmp
memory/3076-142-0x00007FF7734C0000-0x00007FF773814000-memory.dmp
memory/4588-143-0x00007FF695D20000-0x00007FF696074000-memory.dmp
memory/1144-144-0x00007FF609D30000-0x00007FF60A084000-memory.dmp
memory/3408-145-0x00007FF69B600000-0x00007FF69B954000-memory.dmp
memory/4916-146-0x00007FF6C0720000-0x00007FF6C0A74000-memory.dmp
memory/4296-147-0x00007FF711E50000-0x00007FF7121A4000-memory.dmp
memory/912-149-0x00007FF6148E0000-0x00007FF614C34000-memory.dmp
memory/3868-152-0x00007FF7DBA40000-0x00007FF7DBD94000-memory.dmp
memory/1792-151-0x00007FF7ACEC0000-0x00007FF7AD214000-memory.dmp
memory/4948-150-0x00007FF795F50000-0x00007FF7962A4000-memory.dmp
memory/3456-148-0x00007FF7DE590000-0x00007FF7DE8E4000-memory.dmp