Analysis Overview
SHA256
4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30
Threat Level: Known bad
The file 4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30 was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
XMRig Miner payload
xmrig
Cobaltstrike
Xmrig family
Cobalt Strike reflective loader
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 14:50
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 14:50
Reported
2024-06-01 14:53
Platform
win7-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\kfqymBl.exe | N/A |
| N/A | N/A | C:\Windows\System\SmWyMHJ.exe | N/A |
| N/A | N/A | C:\Windows\System\qpFcDoO.exe | N/A |
| N/A | N/A | C:\Windows\System\DCmvokj.exe | N/A |
| N/A | N/A | C:\Windows\System\HcshWBa.exe | N/A |
| N/A | N/A | C:\Windows\System\vvGmwTV.exe | N/A |
| N/A | N/A | C:\Windows\System\bOgZbMS.exe | N/A |
| N/A | N/A | C:\Windows\System\BbUOzRM.exe | N/A |
| N/A | N/A | C:\Windows\System\sPFTSFG.exe | N/A |
| N/A | N/A | C:\Windows\System\tunkfFQ.exe | N/A |
| N/A | N/A | C:\Windows\System\UeEequn.exe | N/A |
| N/A | N/A | C:\Windows\System\bChMppM.exe | N/A |
| N/A | N/A | C:\Windows\System\FTkudHG.exe | N/A |
| N/A | N/A | C:\Windows\System\bgpUPUb.exe | N/A |
| N/A | N/A | C:\Windows\System\JSldDng.exe | N/A |
| N/A | N/A | C:\Windows\System\LMUAPyj.exe | N/A |
| N/A | N/A | C:\Windows\System\qWYnGZW.exe | N/A |
| N/A | N/A | C:\Windows\System\pbZIsXz.exe | N/A |
| N/A | N/A | C:\Windows\System\mlsjWAG.exe | N/A |
| N/A | N/A | C:\Windows\System\kLyIyVH.exe | N/A |
| N/A | N/A | C:\Windows\System\xaXGlMl.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe
"C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe"
C:\Windows\System\kfqymBl.exe
C:\Windows\System\kfqymBl.exe
C:\Windows\System\SmWyMHJ.exe
C:\Windows\System\SmWyMHJ.exe
C:\Windows\System\qpFcDoO.exe
C:\Windows\System\qpFcDoO.exe
C:\Windows\System\DCmvokj.exe
C:\Windows\System\DCmvokj.exe
C:\Windows\System\HcshWBa.exe
C:\Windows\System\HcshWBa.exe
C:\Windows\System\vvGmwTV.exe
C:\Windows\System\vvGmwTV.exe
C:\Windows\System\bOgZbMS.exe
C:\Windows\System\bOgZbMS.exe
C:\Windows\System\BbUOzRM.exe
C:\Windows\System\BbUOzRM.exe
C:\Windows\System\sPFTSFG.exe
C:\Windows\System\sPFTSFG.exe
C:\Windows\System\tunkfFQ.exe
C:\Windows\System\tunkfFQ.exe
C:\Windows\System\UeEequn.exe
C:\Windows\System\UeEequn.exe
C:\Windows\System\bChMppM.exe
C:\Windows\System\bChMppM.exe
C:\Windows\System\FTkudHG.exe
C:\Windows\System\FTkudHG.exe
C:\Windows\System\bgpUPUb.exe
C:\Windows\System\bgpUPUb.exe
C:\Windows\System\JSldDng.exe
C:\Windows\System\JSldDng.exe
C:\Windows\System\LMUAPyj.exe
C:\Windows\System\LMUAPyj.exe
C:\Windows\System\qWYnGZW.exe
C:\Windows\System\qWYnGZW.exe
C:\Windows\System\pbZIsXz.exe
C:\Windows\System\pbZIsXz.exe
C:\Windows\System\mlsjWAG.exe
C:\Windows\System\mlsjWAG.exe
C:\Windows\System\kLyIyVH.exe
C:\Windows\System\kLyIyVH.exe
C:\Windows\System\xaXGlMl.exe
C:\Windows\System\xaXGlMl.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2224-0-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2224-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\kfqymBl.exe
| MD5 | 223ce16b7bde63ae8aec2595448213a8 |
| SHA1 | a0b21bb21e0546ab0ce09179abb8e52c2870ad30 |
| SHA256 | 99daa080975cf6556d5af5db632ffa23dfb51435c443c5693ea868f82ef63496 |
| SHA512 | d02fc5ed09afe1313699736425b5974ac571acdc6af66040bb83ff43538555de3b458dd04cca8d0ee1ab20c031f4e205c7699fd3ae8a5b368e47bcbd3a74d88b |
memory/2432-9-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2224-7-0x000000013FF40000-0x0000000140294000-memory.dmp
\Windows\system\SmWyMHJ.exe
| MD5 | 318c3550f218dfb48886677b6cf8c194 |
| SHA1 | 1c252dbff39717bd61876af00296dd275acb45d9 |
| SHA256 | a5bd37d5000fa0cc38046fd6c7572f5424143fe0dace44b7be94670301684afa |
| SHA512 | 84eba25b012ed3347ab3dcf69032b96605b859a269f1bc78b82b8c17a776e6db3937a27d54d3716e74f47273461e39147ccd6f353a3bed16d3554471ba3f4f6c |
memory/2596-14-0x000000013FB10000-0x000000013FE64000-memory.dmp
C:\Windows\system\qpFcDoO.exe
| MD5 | f8da32f412fe8a7e09813e47f29276b8 |
| SHA1 | 1f2c92a544819102af9403434456f273a26b9279 |
| SHA256 | 0330ea4ec14b7aeb86fa597c3554799f5222f9e5f0a10e81701c9e17e3d31986 |
| SHA512 | 42bcc076039dd668897f17b243f2e51b80fd7cf548acaea31aa4259281f9fbc80ad1734405aca7865435d63670b0d127fb5ecfb96c43e3153c7126a3ba690dd6 |
\Windows\system\DCmvokj.exe
| MD5 | dfdada151be22874c0adb982734a2e7e |
| SHA1 | 91c5e7631f0de39030e612c184f6872bb335ed06 |
| SHA256 | b338a6d02712e5b1b0dded1c6a708cc657c7d1b6831290b8f43882991832f691 |
| SHA512 | f3b602aebb6e420b1426accf01b194d148c2bd2a460dc79fa01f301ee377301bf6d6e680f09e6fa563dbb4c7f3ed9b4fc97f82827cc53fa3ae1fcc3220013c8c |
memory/2640-28-0x000000013F670000-0x000000013F9C4000-memory.dmp
C:\Windows\system\vvGmwTV.exe
| MD5 | 0ee75ebfaf712444c2c5d4bdf9e5df33 |
| SHA1 | 5360d8bc087d90110cae5ab4259ed7104cf5a9ea |
| SHA256 | 12e3f4aacc684e10f50cf84ff01cd31af5f3082cdb2aeeb22f5026ed6a0ad2ce |
| SHA512 | 10d2770e80e95efbd9c107e8fe53bfb0d01be9f868732b19ff1a981243ae7543814d19038c0b714b060b225f4b12aeed89ef7f694315a33e60a07ed1d852730b |
memory/2224-39-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2800-48-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2780-54-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/2224-53-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2436-59-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2988-66-0x000000013F9D0000-0x000000013FD24000-memory.dmp
C:\Windows\system\tunkfFQ.exe
| MD5 | 9bc199e265438bd7271402ea09d58273 |
| SHA1 | 2c3df13e02a3a531715adad50279050eeef27cde |
| SHA256 | 7e29898651038e7c8dff945997430ce1ed35cdf787dc40ab1bd4d2f0f6b2176d |
| SHA512 | 25329d0e15c5992036407913806ab9d64721c5632e2cdfdbfef9f0e41ddce7dfefe87aee959d3e15761db91febb7bf13e706c32e54ace3e0eacbf558b854c1a8 |
memory/2596-72-0x000000013FB10000-0x000000013FE64000-memory.dmp
C:\Windows\system\bChMppM.exe
| MD5 | b40c9d39fcb0d8ffe5d7b59f65357348 |
| SHA1 | c804952a4ed20eb87a37dc29e1809f53c9731d03 |
| SHA256 | 7ea88a03f9ea5b6c9c97a7062f6fdac3e3def4d69b1175d601c619ebfcd45834 |
| SHA512 | 261acba73859d375e4a65f43bbddc8c9f467ba938c3bb1dc193b375377d1189ec52891654e671630ed0d8ccb9921a42085da100080747b7d3688ba98fce86ae5 |
C:\Windows\system\JSldDng.exe
| MD5 | 5a5d176fa3e4445c11397c282fe8af70 |
| SHA1 | 247d8415f7c25714d7c2876b537840262394a20f |
| SHA256 | 7708b87d896019819c5d514add1c5a9b088c96f138ba0ce0f45438ed835cf39e |
| SHA512 | d9d1363db28f9655d1c8684bb9c8d175e10e7af804bffeec9e3d8acd792d5e1e6b1861db4f7d702bee77f393136bb9c61a74c8a058bd428c566d94f345b6da96 |
C:\Windows\system\qWYnGZW.exe
| MD5 | 0679ade58e7904446988c0b9ad3818f1 |
| SHA1 | 9254f76e4e01697957ed4b659bf3116d5a198e68 |
| SHA256 | 56a0c1e643fa73e52b4568f07109437c36524fd5cc6a46aa98c844b36ddf8d01 |
| SHA512 | 35cc1b6048de168aecd5a3f8340dd1d0af9489555775d65c120a85b7faf784d21eacf8faa27b1a246699b2106b84e6678655445fa90fc7641cd57b6ed6ab08aa |
C:\Windows\system\mlsjWAG.exe
| MD5 | e3c8a2463cc3a52045c0124bc3197714 |
| SHA1 | 29e6ae4d4654c8b34dc9a5a5a0b4e3939cc78d4a |
| SHA256 | cc596db4faba1c2fc911b63916f9d9c309c0ee84242d093926f99a1ec700f6f4 |
| SHA512 | 803e31c1be8423d384d3146078c4dee2544c1ecf126d12292215ec21af5ff1590f48bf5cd381bd8337f76ece6717100260269e1f5c1d00bdc4fc3b0294170d79 |
\Windows\system\xaXGlMl.exe
| MD5 | 2a7cae2e2066512d2ea06a87e837cef9 |
| SHA1 | 9bc3973874ce4cbf824b1bc6e42f8702768e63cb |
| SHA256 | 21e8622740c848bf365b79577f7633f1896a56f399f6f70f32f17d0b700368c4 |
| SHA512 | 03bed969b2acad47f6de476389425f83ecc05b347761ba5f3b816c269752177edd537245635d440af66b16184c91dcea62b5c89659191eaea8fdf097375e4e77 |
C:\Windows\system\kLyIyVH.exe
| MD5 | 0eef37ecb8228bf999ab76a035e0b4dd |
| SHA1 | bb1beb15c35b5d09a9483d1a33399863ca0e3e18 |
| SHA256 | ecc0b73930016ca97466441793069912fe8a355a0952f92d123c403d6dc7265d |
| SHA512 | 5406f27b080d7c0fd76c6146b1af3ca58bb40ad9cb575c32395658cc31ec93068e236204a0cfc52de26898b598a754b61c65ae8a74910a42776ac6c9a29b99b6 |
C:\Windows\system\pbZIsXz.exe
| MD5 | 90a1edfc2edbc8e5c26a881afbd8dbac |
| SHA1 | f1ad0c686a955845f7d7e84cff00c31ce48b4ca0 |
| SHA256 | d933ee43015eb2851e62a12bbd2cf9a60fa4229099d9f32b1bf293d08bf122b6 |
| SHA512 | e98d7923db67108888fd93d80f77b74bab0c31c0d6baed923a3fb9648f4818207d07ccfdbb35cad06de81e9e8f18979f15b4f9ac11d56d53e49b6c8e3dbe9785 |
C:\Windows\system\LMUAPyj.exe
| MD5 | f145eb38833b6bb6b1f05e7c174f249f |
| SHA1 | 459b45e8b1c3e86fed47a604a8b87fc2c94357fe |
| SHA256 | 00d0748db99f0b464be48cd14755d2a2ea34ccec75e991ff4317e1927b8c1635 |
| SHA512 | cdc50b3791303aa5b0e91350a3f42817cc3b88becb5f8f4a1c5c539393c6b1a0c8f9c3bff9deb8090398341c176c669160e473216a4d361e3a8469a323538e47 |
memory/2224-105-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2636-104-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2976-99-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2224-98-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2792-97-0x000000013F650000-0x000000013F9A4000-memory.dmp
C:\Windows\system\bgpUPUb.exe
| MD5 | e64d0bebed2094a92a90a3c0603c548a |
| SHA1 | 57a1119a160f175e28418b3254ab201b09aecfbd |
| SHA256 | cd19c4d2babd461b6e3c08eb4688181cd8721038826026645fb8660063718e59 |
| SHA512 | 3bb2ee8ac44bc1215ea99cdc3fb391e040a5047e43ca15bc362b1aca16b5738c0a5e11a5e9f6edcab102caa9c842e187c91e3e7ad1e4ef6f137c89be9f679b46 |
memory/2876-91-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2224-90-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2640-89-0x000000013F670000-0x000000013F9C4000-memory.dmp
C:\Windows\system\FTkudHG.exe
| MD5 | 1096fed69699ed313ce720c8a8403f08 |
| SHA1 | 04d44f3a1ed4418fdae66336bf4d4a0c61c6258f |
| SHA256 | 0ff078533f41b9f86579a831f5d249a39c38fe769c30ee7d3d085cdba1705857 |
| SHA512 | 435f8143cad6047b90cbec48754c7661b49c0760d3f72ee5546cbb99fee76b16627610098b641ec5877c346b2b916733653caeb0dab448ee5cc3a8fdef413d6f |
memory/2832-84-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2224-83-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/1304-82-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2680-74-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2224-73-0x000000013FD70000-0x00000001400C4000-memory.dmp
C:\Windows\system\UeEequn.exe
| MD5 | 3d2346cf3b8b564f297b8047fc42038b |
| SHA1 | a2164f5bc3136e95a3095366c127e6bd4fd29444 |
| SHA256 | c2a7c5a776ba7323ef1b03dd7252dbadc3e1c775f9e39ec9b27c39a9bc81f6fa |
| SHA512 | cce38dd9d7902d7c0d1cf2529ff71d80eb22c009362fe5971a964a1bbbed47d4ed245367da984712f905a7752d3d27af551e1ecab7204aabdce740ff201411c0 |
C:\Windows\system\sPFTSFG.exe
| MD5 | 8c1dea069db07eddb4df8a054f9ecfe5 |
| SHA1 | 7e5d76f6ac20f3a215321edb169df001948e16f2 |
| SHA256 | 484faea475bd1b105d2b147707410c412c19812c9cf07229daddce5b5ad05d51 |
| SHA512 | 8758b82e976d7b1de5a39765fe4b980311314c1e659cdf7d51b80bf1c2bab5986cff3d2240ad4b75b8045277bae4de237cf0940c84a7f0eefe9c3466ecae8398 |
C:\Windows\system\bOgZbMS.exe
| MD5 | 198ddbce074c42a6901ac8a9c64322ec |
| SHA1 | 907c450ec43e15666c38ec45fc4088e5918546c2 |
| SHA256 | a2bba0e7ed8952b36509f0a3b181076d7f92b6e02e8db9f284b7b7b146b378d2 |
| SHA512 | 366f4cf5fff5e513640d3a3d6c7b1367c04693170bde71c35d6b3eb501f9bf70f9113e0c89b03a1769c6f4917974b34f0fb67c2f230b03f670eaeb318a5717d2 |
C:\Windows\system\BbUOzRM.exe
| MD5 | 8e5ba95337c3edc2be8b15a9ab4c5bc7 |
| SHA1 | 1cf312d93157125a49226e3c1d90a1e9ecc7c0ac |
| SHA256 | e5856ec7daaf1fa8b082e0e781a9a650bf46376c6f2efc5355561e6a92d3affb |
| SHA512 | 74ae5847b52e286ddd96be086c8d99cb31a21b13e6c78f0ffa2a4010af77e2a9926e0cd2adc1e0c22abb192b4e64ea37ed821193d9a26da81b4852581f8f5e13 |
memory/2780-137-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/2636-40-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2792-35-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2224-34-0x00000000022A0000-0x00000000025F4000-memory.dmp
C:\Windows\system\HcshWBa.exe
| MD5 | 6eb1e23c101aa5ecd0a0825351e8ddb4 |
| SHA1 | c0644ded1e601a818fcdee8182f1531dd83e724e |
| SHA256 | 41de8ad7ef88534bd2861a6c364573b730987214cc7eb0d4f8dd13edaff43609 |
| SHA512 | a6dd5d14418e3993d0c684d5ba79563cb9e3919f9d5398839bc58fd24076c35678eea8ea0798f7937f053596eac3f68138c968d40d4ecc7a8df4abc7e5d262ce |
memory/1304-22-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2224-20-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2224-27-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2436-138-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2224-139-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2988-140-0x000000013F9D0000-0x000000013FD24000-memory.dmp
memory/2224-141-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2680-142-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2224-143-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2224-144-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2876-145-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2224-146-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2976-147-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2224-148-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2432-149-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2596-150-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/1304-151-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2640-152-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/2636-153-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2800-154-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2780-155-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/2436-156-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2988-157-0x000000013F9D0000-0x000000013FD24000-memory.dmp
memory/2792-158-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2680-159-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2832-160-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2876-161-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2976-162-0x000000013FBE0000-0x000000013FF34000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 14:50
Reported
2024-06-01 14:53
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\nQTdxce.exe | N/A |
| N/A | N/A | C:\Windows\System\nVQyOqy.exe | N/A |
| N/A | N/A | C:\Windows\System\ZhgHUyR.exe | N/A |
| N/A | N/A | C:\Windows\System\dCQNJLU.exe | N/A |
| N/A | N/A | C:\Windows\System\XDpcsjV.exe | N/A |
| N/A | N/A | C:\Windows\System\xFlZKBq.exe | N/A |
| N/A | N/A | C:\Windows\System\drdJTBT.exe | N/A |
| N/A | N/A | C:\Windows\System\UqGKwbh.exe | N/A |
| N/A | N/A | C:\Windows\System\uzxizXI.exe | N/A |
| N/A | N/A | C:\Windows\System\FdFtpKt.exe | N/A |
| N/A | N/A | C:\Windows\System\qqsCdhi.exe | N/A |
| N/A | N/A | C:\Windows\System\bUdCVPv.exe | N/A |
| N/A | N/A | C:\Windows\System\DbJGxNs.exe | N/A |
| N/A | N/A | C:\Windows\System\EmuzVrx.exe | N/A |
| N/A | N/A | C:\Windows\System\AqNbGCI.exe | N/A |
| N/A | N/A | C:\Windows\System\UsBNWZm.exe | N/A |
| N/A | N/A | C:\Windows\System\HfeecuJ.exe | N/A |
| N/A | N/A | C:\Windows\System\mXDQAwF.exe | N/A |
| N/A | N/A | C:\Windows\System\fKswMTX.exe | N/A |
| N/A | N/A | C:\Windows\System\zDgmvRM.exe | N/A |
| N/A | N/A | C:\Windows\System\BTXUlXB.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe
"C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe"
C:\Windows\System\nQTdxce.exe
C:\Windows\System\nQTdxce.exe
C:\Windows\System\nVQyOqy.exe
C:\Windows\System\nVQyOqy.exe
C:\Windows\System\ZhgHUyR.exe
C:\Windows\System\ZhgHUyR.exe
C:\Windows\System\dCQNJLU.exe
C:\Windows\System\dCQNJLU.exe
C:\Windows\System\XDpcsjV.exe
C:\Windows\System\XDpcsjV.exe
C:\Windows\System\xFlZKBq.exe
C:\Windows\System\xFlZKBq.exe
C:\Windows\System\drdJTBT.exe
C:\Windows\System\drdJTBT.exe
C:\Windows\System\UqGKwbh.exe
C:\Windows\System\UqGKwbh.exe
C:\Windows\System\uzxizXI.exe
C:\Windows\System\uzxizXI.exe
C:\Windows\System\FdFtpKt.exe
C:\Windows\System\FdFtpKt.exe
C:\Windows\System\qqsCdhi.exe
C:\Windows\System\qqsCdhi.exe
C:\Windows\System\bUdCVPv.exe
C:\Windows\System\bUdCVPv.exe
C:\Windows\System\DbJGxNs.exe
C:\Windows\System\DbJGxNs.exe
C:\Windows\System\EmuzVrx.exe
C:\Windows\System\EmuzVrx.exe
C:\Windows\System\AqNbGCI.exe
C:\Windows\System\AqNbGCI.exe
C:\Windows\System\UsBNWZm.exe
C:\Windows\System\UsBNWZm.exe
C:\Windows\System\HfeecuJ.exe
C:\Windows\System\HfeecuJ.exe
C:\Windows\System\mXDQAwF.exe
C:\Windows\System\mXDQAwF.exe
C:\Windows\System\fKswMTX.exe
C:\Windows\System\fKswMTX.exe
C:\Windows\System\zDgmvRM.exe
C:\Windows\System\zDgmvRM.exe
C:\Windows\System\BTXUlXB.exe
C:\Windows\System\BTXUlXB.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 52.111.229.43:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2284-0-0x00007FF652540000-0x00007FF652894000-memory.dmp
memory/2284-1-0x000001D7E7160000-0x000001D7E7170000-memory.dmp
C:\Windows\System\nQTdxce.exe
| MD5 | 20a6dc233286052dd4c82727fe9a7163 |
| SHA1 | cdbcf45ac564d98211685a87ff0ced2e6f2aa892 |
| SHA256 | 04c75255988fff5439b6a118ff189b365de26ebb7ec6f41478608eb993b7b43d |
| SHA512 | e93a63567020a4e55e05011705cf99e2cca6b99e2897bd27e2205c3db7978c69861dfa3ba84c19c5fb7af5c6151afcf31a94a35a27260ab7f7ef05fa11cb70b4 |
memory/1420-8-0x00007FF677560000-0x00007FF6778B4000-memory.dmp
C:\Windows\System\ZhgHUyR.exe
| MD5 | 46d2dcec0d4c0a885c397fa12db950c4 |
| SHA1 | 80efd66ec640c479558a3d5506c5b5f18626bece |
| SHA256 | f4225dbd86f221857635f4a633478604a217e87ecac85106a4d7801a6f2450fd |
| SHA512 | 734f25b08100bed2e0de9324506eacbf73b9ece7b249e59451118bb23df60d5aed39d627244f9138d882c8b009f25abfe6fe90919365aa71394bb83a12a29386 |
C:\Windows\System\nVQyOqy.exe
| MD5 | eb8ac4f5db59b1981781ddbfe92935d9 |
| SHA1 | c248bf9d60e5c3e5d3f4d58de1182de049bd0b2e |
| SHA256 | 5fe7b7a7a7c6afeba4535c964b5d6f15b563512e6a4eed687e01e7679e0d3c20 |
| SHA512 | 40fdc3bf082f39ff1f93c0398d6479eb130408ebf8b8f2d41b65dbd4f2e918db97b723e248543699d792388538ff89cb9782671504593cc52442b31aaf0b29bd |
C:\Windows\System\dCQNJLU.exe
| MD5 | dda122ef8a8d008c2828cd1cdab01a81 |
| SHA1 | f08fd3f87de3d48ad87b3603e0f7f2818c1dd3aa |
| SHA256 | a959f753ad51e778a5db9de18d463af372a1b76b08e6e577298e2e33c45b8708 |
| SHA512 | f8321994604179798d081c1ff3271f83b71f5a840d17c97b1bbae7c5e693c14741898bd0dbd43a4ccf5ed28977da073777ec5683fd688da485e8718b28d458b2 |
C:\Windows\System\XDpcsjV.exe
| MD5 | f73b324983c6a64ee5ecff0458f52951 |
| SHA1 | 69d55af48e349bd5a2c8b6fb0e9208a5eb085366 |
| SHA256 | 34fcac8351d1035cbb01ef789f9bbf2cb1fe15d9eb44c656ff240f7d34eddcac |
| SHA512 | ebd953243e247ac03ec6c324ac0730ac9a7c1e4f0b46692bd4ce1eeed02b3cd48fb8f4618a91c9f951d0235648c19a48f6ae29312de653efdeb66e3c04bd13bb |
C:\Windows\System\xFlZKBq.exe
| MD5 | 1e7a45e776772c698f2e03bd8ca2d8f5 |
| SHA1 | 658b700235254601e1960bf7160d5147e9cf3cbb |