Analysis Overview
SHA256
4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05
Threat Level: Known bad
The file 2024-06-01_f2c9143da8a5c478882d27a822eb9fa5_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike
Cobaltstrike family
XMRig Miner payload
xmrig
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 08:03
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 08:03
Reported
2024-06-01 08:06
Platform
win7-20240508-en
Max time kernel
137s
Max time network
147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\BacEdBf.exe | N/A |
| N/A | N/A | C:\Windows\System\oYLZTbm.exe | N/A |
| N/A | N/A | C:\Windows\System\oTzxzeH.exe | N/A |
| N/A | N/A | C:\Windows\System\ACcBVBn.exe | N/A |
| N/A | N/A | C:\Windows\System\TPIZyaj.exe | N/A |
| N/A | N/A | C:\Windows\System\KluHWzI.exe | N/A |
| N/A | N/A | C:\Windows\System\fkpenQw.exe | N/A |
| N/A | N/A | C:\Windows\System\YXoQifw.exe | N/A |
| N/A | N/A | C:\Windows\System\kGnDCgF.exe | N/A |
| N/A | N/A | C:\Windows\System\ZxsOLKT.exe | N/A |
| N/A | N/A | C:\Windows\System\bQLMYtd.exe | N/A |
| N/A | N/A | C:\Windows\System\fecVrtz.exe | N/A |
| N/A | N/A | C:\Windows\System\dBTwtwH.exe | N/A |
| N/A | N/A | C:\Windows\System\SLdcajr.exe | N/A |
| N/A | N/A | C:\Windows\System\jcyIDMx.exe | N/A |
| N/A | N/A | C:\Windows\System\dZfKOiW.exe | N/A |
| N/A | N/A | C:\Windows\System\dbJcniv.exe | N/A |
| N/A | N/A | C:\Windows\System\jkCrhSS.exe | N/A |
| N/A | N/A | C:\Windows\System\QmGAFen.exe | N/A |
| N/A | N/A | C:\Windows\System\VNfHRft.exe | N/A |
| N/A | N/A | C:\Windows\System\lqueAoL.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2c9143da8a5c478882d27a822eb9fa5_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2c9143da8a5c478882d27a822eb9fa5_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2c9143da8a5c478882d27a822eb9fa5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2c9143da8a5c478882d27a822eb9fa5_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\BacEdBf.exe
C:\Windows\System\oYLZTbm.exe
C:\Windows\System\oTzxzeH.exe
C:\Windows\System\ACcBVBn.exe
C:\Windows\System\TPIZyaj.exe
C:\Windows\System\KluHWzI.exe
C:\Windows\System\SLdcajr.exe
C:\Windows\System\fkpenQw.exe
C:\Windows\System\jcyIDMx.exe
C:\Windows\System\YXoQifw.exe
C:\Windows\System\dZfKOiW.exe
C:\Windows\System\kGnDCgF.exe
C:\Windows\System\dbJcniv.exe
C:\Windows\System\ZxsOLKT.exe
C:\Windows\System\jkCrhSS.exe
C:\Windows\System\bQLMYtd.exe
C:\Windows\System\QmGAFen.exe
C:\Windows\System\fecVrtz.exe
C:\Windows\System\VNfHRft.exe
C:\Windows\System\dBTwtwH.exe
C:\Windows\System\lqueAoL.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 08:03
Reported
2024-06-01 08:06
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\BacEdBf.exe | N/A |
| N/A | N/A | C:\Windows\System\oYLZTbm.exe | N/A |
| N/A | N/A | C:\Windows\System\oTzxzeH.exe | N/A |
| N/A | N/A | C:\Windows\System\ACcBVBn.exe | N/A |
| N/A | N/A | C:\Windows\System\TPIZyaj.exe | N/A |
| N/A | N/A | C:\Windows\System\KluHWzI.exe | N/A |
| N/A | N/A | C:\Windows\System\SLdcajr.exe | N/A |
| N/A | N/A | C:\Windows\System\fkpenQw.exe | N/A |
| N/A | N/A | C:\Windows\System\jcyIDMx.exe | N/A |
| N/A | N/A | C:\Windows\System\YXoQifw.exe | N/A |
| N/A | N/A | C:\Windows\System\dZfKOiW.exe | N/A |
| N/A | N/A | C:\Windows\System\kGnDCgF.exe | N/A |
| N/A | N/A | C:\Windows\System\dbJcniv.exe | N/A |
| N/A | N/A | C:\Windows\System\ZxsOLKT.exe | N/A |
| N/A | N/A | C:\Windows\System\jkCrhSS.exe | N/A |
| N/A | N/A | C:\Windows\System\bQLMYtd.exe | N/A |
| N/A | N/A | C:\Windows\System\QmGAFen.exe | N/A |
| N/A | N/A | C:\Windows\System\fecVrtz.exe | N/A |
| N/A | N/A | C:\Windows\System\VNfHRft.exe | N/A |
| N/A | N/A | C:\Windows\System\dBTwtwH.exe | N/A |
| N/A | N/A | C:\Windows\System\lqueAoL.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2c9143da8a5c478882d27a822eb9fa5_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2c9143da8a5c478882d27a822eb9fa5_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2c9143da8a5c478882d27a822eb9fa5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2c9143da8a5c478882d27a822eb9fa5_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\BacEdBf.exe
C:\Windows\System\oYLZTbm.exe
C:\Windows\System\oTzxzeH.exe
C:\Windows\System\ACcBVBn.exe
C:\Windows\System\TPIZyaj.exe
C:\Windows\System\KluHWzI.exe
C:\Windows\System\SLdcajr.exe
C:\Windows\System\fkpenQw.exe
C:\Windows\System\jcyIDMx.exe
C:\Windows\System\YXoQifw.exe
C:\Windows\System\dZfKOiW.exe
C:\Windows\System\kGnDCgF.exe
C:\Windows\System\dbJcniv.exe
C:\Windows\System\ZxsOLKT.exe
C:\Windows\System\jkCrhSS.exe
C:\Windows\System\bQLMYtd.exe
C:\Windows\System\QmGAFen.exe
C:\Windows\System\fecVrtz.exe
C:\Windows\System\VNfHRft.exe
C:\Windows\System\dBTwtwH.exe
C:\Windows\System\lqueAoL.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| SHA256 | b91d999c6d9e2debc229ce2f8b36aff7fcd2d19ce8361feeb1a1354758bda5ef |
| SHA512 | 986c1886359ca7356a22c28b8db3e228c71d7aaf21b6c9521b47b482936d14662b790bfe3a11107d62dba164e6f75b825f4c98902ed88a7efda0be6c6dbe7153 |
C:\Windows\System\YXoQifw.exe
| MD5 | 960b5aff398ea10ae54915a29efc1a27 |
| SHA1 | b4d0e3ada39832e886eadbfc4489d53b3ce34561 |
| SHA256 | 4c487c3fb2eb064828cf424dc66aa4daf94fcad71bb94d81f78fc995c97857ae |
| SHA512 | 28af9a9380137215d5ad0415d0580dfdce556eebaba9b32c3acb6569b531c56de0aba4e090337e3662880c0f1563a0eb80d937f0d5c0fcf682593cabcd30b871 |
C:\Windows\System\dbJcniv.exe
| MD5 | 56428a286168e3d8ea65f3ee59030582 |
| SHA1 | 174d9d03b9026c3b02acea96517d5063b82a2d86 |
| SHA256 | f6c2d53d158c35bee43d98b07a9fad0ef1502be83f7916d46059eaa2a08d56ec |
| SHA512 | 69140722f128a3b30241113ecbf33c0d912c39803705e1676029227dd0f488581fbbafe6ce370415d890c256d3fa3169d5bf044bc54efe4b7d84c9c6a2733017 |
C:\Windows\System\jkCrhSS.exe
| MD5 | 840cb0d209ffa3287fea5f32f8599bdd |
| SHA1 | 5e572de8c223390cb0b17c3c413ebfbccbdc0133 |
| SHA256 | df83f46a197ea008e7209153b643f304cbce939619bca3659d0fbe49beeac43a |
| SHA512 | 8d4d7d6127e868467246595b39f13d70f7aa7b3f9bfef9552f66a0048b2e5f6be1ecfc57787b65ec10521ea235a240f6763ab10ebd7abda236a225b6f74bf619 |
C:\Windows\System\QmGAFen.exe
| MD5 | c0d8cdb179007f2099cc307cedea9893 |
| SHA1 | 662f9fc2fdfc34ed5ed3b99be6959a5a8fa14dcc |
| SHA256 | 9488f54f019479df8d2f5e1a2911bdf1b36b127da61b7e9f22b77da5e8128686 |
| SHA512 | a4e8e18e49f3279d21b78e4e674c2ccc24e9ad69a5aa90ad6b1fc126461e5df20e2cfb8a369ea8a267e5b298dba05ce017370f268f432bf96094699aa8fd80c5 |
C:\Windows\System\lqueAoL.exe
| MD5 | be786b58966c43ea064e671ef5dbab6d |
| SHA1 | f3ab02b378f5b1996b245e071a8287c0b8d38ab3 |
| SHA256 | 86cc357af2ae9e2c46afdbb7009e2099481d23d6cd4556a69075c626a6d867b8 |
| SHA512 | c7fb25e39562b4392b7b1715c7dd3d3d8f93cba59c94eee23358ed08ae90ab4c394ae77d2277f599f458781161822e1287289a8c7f43e0f8b949610dd3f0b140 |
C:\Windows\System\dBTwtwH.exe
| MD5 | 5ba9dd3c5e174ed497252d62496c4a06 |
| SHA1 | e3d8dc0f6005444d669ede72c5df4f11ad60966d |
| SHA256 | 04aaa4763c11d88529b8c879e8bdafc4f63c1fd5030c840754fea0e2b978baa8 |
| SHA512 | 92d6c6a760fd59b3d0c5ef1f3cc38a231cb6c200f8515aa8b9165c3a62f735d2d713d77ce65b17bbdae2c9fefee92a5209e886d60c577e0d609f8ada1f103f3a |
C:\Windows\System\VNfHRft.exe
| MD5 | 1e3ecfac28924c710569302ffc889084 |
| SHA1 | 9f298ca69d634ce2bdd8734b7c37c6d4f1a4923c |
| SHA256 | eda92d59bb0a336abde4d9c892cb71287f209e878c6699f506728bd8b7af0f81 |
| SHA512 | 1accf54d0a088a9b3a4ed91290f138846b04c9a2ff77bae8bdecf4d3b2d4b2b77a54881b57e2fbc9c346393d26dd5a61d861e6b6b390126b5689a02ff08888ed |
C:\Windows\System\fecVrtz.exe
| MD5 | 8ced86a1f2c92b3c7b4be84aae7c4210 |
| SHA1 | 7e23f82bb1b263bedca8aff3d39ddd92a895528e |
| SHA256 | b2e3d5d25273369f46c5c1b31a3a838093b7b3b4a88b944c4dab78aff314edb3 |
| SHA512 | 0262e24f33774b258567c86473865c42bec1500851cab7c2ce2e42b1ae2ce81f48f52c6e352d11191636cee4ad16d7081786d5617fddbd3ed0086b905897ff10 |
C:\Windows\System\bQLMYtd.exe
| MD5 | 3d29bc13992b34f74fb82f0ca4994347 |
| SHA1 | dc174f5322c174b773cee5d68663fd820ae2b307 |
| SHA256 | ce3c9760228448a3f4611ed7b6286c6dd564467f786cf54d61f3cc528602a4a0 |
| SHA512 | 4fd886c0b9e871c85fbba4c02259fb1be23f2209fb1fff0e6c74c8076691cdfaf8424a06cb637d0b64528e4bac44d208934d2b60c6a01c71277269c295b0d5c2 |
C:\Windows\System\ZxsOLKT.exe
| MD5 | 228ac83a559a0a592012fbf845c6d997 |
| SHA1 | 1a5eb8d027a57032c05bfc1cbee4adbd02d65662 |
| SHA256 | bc79d4d45be8148ecf4fd6c960eb30ecebfb7373d55cbb6409cc6be73b0a96e4 |
| SHA512 | 57347e911ff8e1fc6e6fbc3f75e7b0a3de977197d7c3e5c5c30a4cb1c13cd3a1dd076fa0bed6b659a8683c8e2f7e2d2eb815bc2adf1f467a6a58dc72b5406aa9 |
C:\Windows\System\kGnDCgF.exe
| MD5 | 4d2755155ffb86fcd32e1d25f1b209f2 |
| SHA1 | 06a340ad06c66ce2edf7f81352f73456ba61e4dc |
| SHA256 | c106199389535c370d4b176ae12da8ef5e2e507c7a2cf0bb265d6f87f4ca6d19 |
| SHA512 | e81ce315027bfad0d4bf30c7c00ffc6f766a8cfc9b013cf3f2a48560817dbddb99d27a46991c45800904af6b12d046851979f76016a559fae9594b898e2c1857 |
C:\Windows\System\jcyIDMx.exe
| MD5 | d5c5856f37050898421d6395801f6dad |
| SHA1 | 7ae9ffb72c53131b73595aacde2ae92ef6b82922 |
| SHA256 | f25eb21065ac61fbcaf3d14d050cbab87bdb955b918bd19ca9540f247e3f0cf6 |
| SHA512 | b5ef7ae61399b6b89ee961332c14ffba74a970ffd2955833904530693446379c45234e7a0fddbbc8ebb1cc600072fbdbab0d7995b6c87c300554cdceac20e050 |
C:\Windows\System\fkpenQw.exe
| MD5 | 050debfddd5c0894ec64b2856f9331fb |
| SHA1 | de16ad45587ca5237de293d7a61c3b4915c1daba |
| SHA256 | 463be66b7105629b64beef64820774eaac43169dcd91de30b8908ce285ccfdf2 |
| SHA512 | 37ac8b625f1e0a548f150db41b772f967b232864d7833558e2341abe6eb44f88371655607c01f95cc837da3e42e276e9762175f1614c53e404dda813420769e9 |
memory/1096-56-0x00007FF643350000-0x00007FF6436A4000-memory.dmp
memory/3636-53-0x00007FF79EFC0000-0x00007FF79F314000-memory.dmp
memory/2068-47-0x00007FF709810000-0x00007FF709B64000-memory.dmp
memory/2096-117-0x00007FF7C29A0000-0x00007FF7C2CF4000-memory.dmp
memory/3716-120-0x00007FF7D5290000-0x00007FF7D55E4000-memory.dmp
memory/4916-119-0x00007FF7290B0000-0x00007FF729404000-memory.dmp
memory/1592-118-0x00007FF6E1610000-0x00007FF6E1964000-memory.dmp
memory/2844-121-0x00007FF6592B0000-0x00007FF659604000-memory.dmp
memory/1820-122-0x00007FF6FF160000-0x00007FF6FF4B4000-memory.dmp
memory/468-123-0x00007FF7C7EC0000-0x00007FF7C8214000-memory.dmp
memory/4516-124-0x00007FF7C3AF0000-0x00007FF7C3E44000-memory.dmp
memory/1484-125-0x00007FF681440000-0x00007FF681794000-memory.dmp
memory/2024-126-0x00007FF74EE60000-0x00007FF74F1B4000-memory.dmp
memory/4740-128-0x00007FF6AEEB0000-0x00007FF6AF204000-memory.dmp
memory/4864-127-0x00007FF61E0E0000-0x00007FF61E434000-memory.dmp
memory/4984-129-0x00007FF66DE20000-0x00007FF66E174000-memory.dmp
memory/3340-130-0x00007FF7A0F70000-0x00007FF7A12C4000-memory.dmp
memory/1548-131-0x00007FF603360000-0x00007FF6036B4000-memory.dmp
memory/4540-132-0x00007FF678000000-0x00007FF678354000-memory.dmp
memory/4612-133-0x00007FF774470000-0x00007FF7747C4000-memory.dmp
memory/2068-134-0x00007FF709810000-0x00007FF709B64000-memory.dmp
memory/3636-135-0x00007FF79EFC0000-0x00007FF79F314000-memory.dmp
memory/1096-136-0x00007FF643350000-0x00007FF6436A4000-memory.dmp
memory/4984-137-0x00007FF66DE20000-0x00007FF66E174000-memory.dmp
memory/3340-138-0x00007FF7A0F70000-0x00007FF7A12C4000-memory.dmp
memory/2184-139-0x00007FF771500000-0x00007FF771854000-memory.dmp
memory/1124-140-0x00007FF7920F0000-0x00007FF792444000-memory.dmp
memory/1548-141-0x00007FF603360000-0x00007FF6036B4000-memory.dmp
memory/4540-142-0x00007FF678000000-0x00007FF678354000-memory.dmp
memory/2068-143-0x00007FF709810000-0x00007FF709B64000-memory.dmp
memory/3636-144-0x00007FF79EFC0000-0x00007FF79F314000-memory.dmp
memory/1592-146-0x00007FF6E1610000-0x00007FF6E1964000-memory.dmp
memory/4612-145-0x00007FF774470000-0x00007FF7747C4000-memory.dmp
memory/1096-147-0x00007FF643350000-0x00007FF6436A4000-memory.dmp
memory/4916-148-0x00007FF7290B0000-0x00007FF729404000-memory.dmp
memory/3716-149-0x00007FF7D5290000-0x00007FF7D55E4000-memory.dmp
memory/2844-150-0x00007FF6592B0000-0x00007FF659604000-memory.dmp
memory/2024-152-0x00007FF74EE60000-0x00007FF74F1B4000-memory.dmp
memory/4740-151-0x00007FF6AEEB0000-0x00007FF6AF204000-memory.dmp
memory/1820-157-0x00007FF6FF160000-0x00007FF6FF4B4000-memory.dmp
memory/468-156-0x00007FF7C7EC0000-0x00007FF7C8214000-memory.dmp
memory/4516-155-0x00007FF7C3AF0000-0x00007FF7C3E44000-memory.dmp
memory/1484-154-0x00007FF681440000-0x00007FF681794000-memory.dmp
memory/4864-153-0x00007FF61E0E0000-0x00007FF61E434000-memory.dmp