Analysis Overview
SHA256
621a81ec8425add43765485f46ddcfcc840bcbefda882294d59403952e7ec77c
Threat Level: Known bad
The file 2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Xmrig family
xmrig
Cobaltstrike
UPX dump on OEP (original entry point)
XMRig Miner payload
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 18:11
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 18:11
Reported
2024-06-06 18:14
Platform
win7-20231129-en
Max time kernel
136s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\bALEYcf.exe | N/A |
| N/A | N/A | C:\Windows\System\GMxKwzl.exe | N/A |
| N/A | N/A | C:\Windows\System\EwdlsjB.exe | N/A |
| N/A | N/A | C:\Windows\System\xIiUAuH.exe | N/A |
| N/A | N/A | C:\Windows\System\DyCtiPk.exe | N/A |
| N/A | N/A | C:\Windows\System\WuyQiwi.exe | N/A |
| N/A | N/A | C:\Windows\System\sYBDghE.exe | N/A |
| N/A | N/A | C:\Windows\System\fouapfc.exe | N/A |
| N/A | N/A | C:\Windows\System\JgWwIVq.exe | N/A |
| N/A | N/A | C:\Windows\System\jAqsgyV.exe | N/A |
| N/A | N/A | C:\Windows\System\QpAAkzm.exe | N/A |
| N/A | N/A | C:\Windows\System\fgSEgCt.exe | N/A |
| N/A | N/A | C:\Windows\System\kcEZGMJ.exe | N/A |
| N/A | N/A | C:\Windows\System\UizWXZt.exe | N/A |
| N/A | N/A | C:\Windows\System\HlIZaDe.exe | N/A |
| N/A | N/A | C:\Windows\System\scqzlcp.exe | N/A |
| N/A | N/A | C:\Windows\System\tcSyuTQ.exe | N/A |
| N/A | N/A | C:\Windows\System\GKzqwFE.exe | N/A |
| N/A | N/A | C:\Windows\System\IzmiAzz.exe | N/A |
| N/A | N/A | C:\Windows\System\AIrQWOH.exe | N/A |
| N/A | N/A | C:\Windows\System\TgNnMaW.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\bALEYcf.exe
C:\Windows\System\bALEYcf.exe
C:\Windows\System\GMxKwzl.exe
C:\Windows\System\GMxKwzl.exe
C:\Windows\System\EwdlsjB.exe
C:\Windows\System\EwdlsjB.exe
C:\Windows\System\xIiUAuH.exe
C:\Windows\System\xIiUAuH.exe
C:\Windows\System\DyCtiPk.exe
C:\Windows\System\DyCtiPk.exe
C:\Windows\System\WuyQiwi.exe
C:\Windows\System\WuyQiwi.exe
C:\Windows\System\sYBDghE.exe
C:\Windows\System\sYBDghE.exe
C:\Windows\System\fouapfc.exe
C:\Windows\System\fouapfc.exe
C:\Windows\System\JgWwIVq.exe
C:\Windows\System\JgWwIVq.exe
C:\Windows\System\jAqsgyV.exe
C:\Windows\System\jAqsgyV.exe
C:\Windows\System\QpAAkzm.exe
C:\Windows\System\QpAAkzm.exe
C:\Windows\System\fgSEgCt.exe
C:\Windows\System\fgSEgCt.exe
C:\Windows\System\kcEZGMJ.exe
C:\Windows\System\kcEZGMJ.exe
C:\Windows\System\UizWXZt.exe
C:\Windows\System\UizWXZt.exe
C:\Windows\System\HlIZaDe.exe
C:\Windows\System\HlIZaDe.exe
C:\Windows\System\scqzlcp.exe
C:\Windows\System\scqzlcp.exe
C:\Windows\System\tcSyuTQ.exe
C:\Windows\System\tcSyuTQ.exe
C:\Windows\System\GKzqwFE.exe
C:\Windows\System\GKzqwFE.exe
C:\Windows\System\IzmiAzz.exe
C:\Windows\System\IzmiAzz.exe
C:\Windows\System\AIrQWOH.exe
C:\Windows\System\AIrQWOH.exe
C:\Windows\System\TgNnMaW.exe
C:\Windows\System\TgNnMaW.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2332-0-0x000000013F700000-0x000000013FA54000-memory.dmp
memory/2332-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\bALEYcf.exe
| MD5 | bc2e8eb24e020ea8a2198c69a024c356 |
| SHA1 | c3db9d35eff52dc586280b186faac67d81b7cafb |
| SHA256 | cb5342726530cd9ae4adc64efd96ea2d2b44ba374cfd09580eea2dbe48dec338 |
| SHA512 | 8422ab103e09f64faea87f77e7cd346f155dd46f0c4c553c1d5648f4274dfabcfcca86f9302b5ef7f51161fc81d0838d485ca1a7c120ce13bad91ebe96c6c49a |
memory/2836-21-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2332-20-0x000000013F100000-0x000000013F454000-memory.dmp
C:\Windows\system\xIiUAuH.exe
| MD5 | 230179b3d640f46a004430d258c4438f |
| SHA1 | 3dcaaffe21f7208cc684870044e51ce922462ecb |
| SHA256 | cf8f582e7b7af394b9ea5f1eadd4486afac3c4f332eec03a4cf00170f8661de9 |
| SHA512 | 0a1d70b9d9bbc9e092b93cffdc395667ba05f8d098154cb750f3347b33e8c4e885375c7393e6411c4003df5d7e260b4df7a5e436ac8455401ec8d573393348bb |
memory/2904-27-0x000000013F100000-0x000000013F454000-memory.dmp
memory/1840-29-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2332-24-0x00000000023B0000-0x0000000002704000-memory.dmp
C:\Windows\system\EwdlsjB.exe
| MD5 | 73e4872ef83d79caf8441044d2acc835 |
| SHA1 | b2fb75ad1f4a3afa5d2b82a220b6637fe59a4d29 |
| SHA256 | 0f0a2c04d7e8a2a7d601c790a344504f7bab15341e77c8ee6bc12d7062e16919 |
| SHA512 | b264729424fd08962efab3f7a500cbeaaa6d6882718c0bee06f50db8b062ac9c4943c337dbf90bfe1f38a6a9b006badb584a0c97edbeaedb18c24856839fff9d |
memory/2624-36-0x000000013F200000-0x000000013F554000-memory.dmp
\Windows\system\WuyQiwi.exe
| MD5 | f9d83230b4da4e26c393cbf3f54b386d |
| SHA1 | 7f7700f2f5597e43c05213f8158a598e5bd3f4ef |
| SHA256 | 066bc33cf4464942d808adbb9c7c64c6f47350e02aa07f186dd0f11074a16ab5 |
| SHA512 | 2cabe3fb93197f5dbbf4aaff697a94bad27641a55df34fdfcbd06fa8b2858114d1333d2dc2498f814435a3d3d908031cdfc59264e77b435a844677d71fe53eaf |
memory/2332-39-0x000000013FC80000-0x000000013FFD4000-memory.dmp
C:\Windows\system\DyCtiPk.exe
| MD5 | e8c2cc1accc07e91d7e189222d94c8d5 |
| SHA1 | a33c0c82b12e6d103c5d62c5c602ec90c56c3efe |
| SHA256 | 1526b8a1e26fe19cf1647e8e2f793b316e9e379e13fd09b5f97760557f34df2c |
| SHA512 | b9a5231efa2cf0b7d4c727805d8c7b316d2051840524288775ac12181c23804a8ed95b2ab67f499e5fb78b9d8dd9093cbe6dd0f7869d9e7f7f5d8be78bc506b1 |
memory/2332-31-0x000000013F200000-0x000000013F554000-memory.dmp
memory/2332-18-0x000000013FD60000-0x00000001400B4000-memory.dmp
C:\Windows\system\GMxKwzl.exe
| MD5 | ae30f64bf92fbebec4f42bc20139a14a |
| SHA1 | 4235e37553e784877d331e9a073a2ffa36cc01bf |
| SHA256 | 169bc841093c73c9ee79176a342516508f517e9ba11d10f426b2903281face78 |
| SHA512 | ac4181741b56a826429a8450f041afed88db99c097ec753a2df78e383728c718e01dc310e7faae3f53fdbe4478383515d501dc056ee366346a42a00bfec7d971 |
memory/1672-15-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2332-7-0x00000000023B0000-0x0000000002704000-memory.dmp
memory/2332-48-0x000000013F700000-0x000000013FA54000-memory.dmp
C:\Windows\system\sYBDghE.exe
| MD5 | 00612aa8175ebc0cd82cb83b4ea39797 |
| SHA1 | 60540662107925586e57503c323824d9c42b8f66 |
| SHA256 | d877f86866259c7b39332b4ebce0b82c002f5480d182e3353e32c563f58315ba |
| SHA512 | 65b6f3fa0b56de0701e308823a5030f78a4043cd424643b74c7aca98e79633b0408a1a081f47eda843e617d09527433e1cc45c2a3ab1751376ec42db472ebad8 |
\Windows\system\fouapfc.exe
| MD5 | 65e4c23c4db0b1599033863385b7cf04 |
| SHA1 | d93eac517b3df0aa2c89f4d597da1142af0ea8d4 |
| SHA256 | 89fbfcd2cc95e309ca0a86fb3e5941dd53a6cdbd6f3cb3a3f970af07f2f224dd |
| SHA512 | 5d40c8cbce6ac8478f574c24ccaaac2f7d9e59f39193b72d6709c9c68a2db68dd8f57c3578db5e1392aea0281ed97212ac4bbca1d56e56dc1a0af4825e3367a1 |
memory/2696-57-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/1672-58-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2680-56-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2620-55-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2332-64-0x000000013FD60000-0x00000001400B4000-memory.dmp
C:\Windows\system\JgWwIVq.exe
| MD5 | 811c73440fd3dd9686d034532f0286d7 |
| SHA1 | fd341f02abe07c44f8bbfc2c4c7955cee8d9c05c |
| SHA256 | 892c27f4f39565197000397e13be6e6c45de34e03790b9b98e83635d959163f0 |
| SHA512 | 31da888549913ebe4b0f13bdfe926ceb117be1818e365c037a41331d55ad6392f89dd9ab2922dcc6c15b693840abf2cdc4286e0edfec8d1c28a479e23b048b53 |
memory/2424-65-0x000000013F280000-0x000000013F5D4000-memory.dmp
\Windows\system\jAqsgyV.exe
| MD5 | eb6a18fca5cf1c3569ad5bda73993e49 |
| SHA1 | 03c169ddcf889d1b22291dd4383221184dff2c38 |
| SHA256 | 02ec1548b70e8aae7fb9cc650810b59cbfae078d9a4fce603be88844382f38c2 |
| SHA512 | 13e880347e13fbae4c3b590d233d076d310765c6f56d7182a21e4da3f3e5b0255b123628bafa6a7259b95d727392e52ee3af706843275a392b3012c56b32c290 |
C:\Windows\system\fgSEgCt.exe
| MD5 | 58a7618183405220b2148339d949f2bb |
| SHA1 | 74fcafe4502d37c71b5fe5b63b047b77ad5756fa |
| SHA256 | ea0596a67e6660ba0388e4af548c437d84cc8a598adee1f4eeaaf69b038b89e1 |
| SHA512 | 88287bd704eb0a847e04a51023e08c2b1d82452596b768afa2e37c9465ea590b7eb7d0b3194b5872896268591b5a3c680cd0176a7e5f1e53c251ae8920cee8d1 |
C:\Windows\system\UizWXZt.exe
| MD5 | a79b14b23a83f7d6c2084f271246e0d9 |
| SHA1 | c4e509673bfa3f8fd48f88a509e2a2167e4fb4f1 |
| SHA256 | a6989e73bad041eb580a6a9fbba007bd1ea4074589e64590c3489df65649f200 |
| SHA512 | 6cd8d8f706e9743cbd78f97b4a87b355bffb3f308ee5ec39e454899237209fa2473c61e177aa68f07274c6b5d5105472285806255d44b61f2e6057c2038c5d43 |
\Windows\system\scqzlcp.exe
| MD5 | 7b70f7351e1edc9157d84430cba6b07b |
| SHA1 | 72c40b4523f9aafb7cbac5fd4d35d5bff66d2bd5 |
| SHA256 | 1de655c2399f09af23290f5046a807386a899f84b761c5061395dc4427253164 |
| SHA512 | fc4a8980341ff6773077eaf888cfbdd7b5a91b8f17d06d97949e93b18806b760177607f06219369c4137ce04e89204c666abc232fc0da2b31a73e86307911bdd |
C:\Windows\system\AIrQWOH.exe
| MD5 | c320988290cea88cf183e1f064aec30e |
| SHA1 | 260af7a4c2bafc4dc1cc7d0654b593a852bf24bc |
| SHA256 | 3f113eaf92c82a9ae3a7a0a47c0a29850c45e8960826f6d9d536e2fb0f4c71c8 |
| SHA512 | f818e5aacd3f9c63e7e413b7c0a1214181224d05d4c069bd1da0e97b038396e7c701e3cb4178fb118c0199decc0dc3f469b8b5c4049b3faac85e4110f0bcec6d |
C:\Windows\system\TgNnMaW.exe
| MD5 | b69fccfb0a86b7cc987b23f8becd3484 |
| SHA1 | 1305c8db2364303b6c6090a3d30137ce660c82bb |
| SHA256 | 94f04a3d36afff498b09564f3ae7e7ec0fcb9d3b40e79415784a8630df5ed5a5 |
| SHA512 | dd3adcf0b77f618c79988560f0eea63f2806067df094662aa55e41cad69f0defc89fea673e24fe0086919ad4a83003497fce359fd228f4adde9579b580058382 |
C:\Windows\system\IzmiAzz.exe
| MD5 | 3b70652c69b7af4bd0438ada00dee6a4 |
| SHA1 | 3db19647a8c3fa943a17d910246d92fcb6574585 |
| SHA256 | 98821e380bf786e9470a0a97f2d9fd09849401ea31f517d97db893cb2bbc62e3 |
| SHA512 | 6a85d66828a38f9d25baff4408c8d58c9d0195ce90e113585e23813e7d856b517a2b01c13fd2549590ff45caf039abafaff489f9c9353610259fd131ba57dd5c |
C:\Windows\system\tcSyuTQ.exe
| MD5 | 060e14ddea4d54b41c63e47755f3807c |
| SHA1 | abd08b36443b44349b63976c133abc4830546946 |
| SHA256 | 1e3999fede9b8308d768392c6dcb23c09ecfd2a012188de23303093639b2fd10 |
| SHA512 | aacfeadcf173e2b5da3e02e088fbf99f35db06772a2b0a6d683500055d0f83f2ec10265e243685c880b2af07471e7c9c94fd0e0585be9b8232379ff85e72767a |
C:\Windows\system\GKzqwFE.exe
| MD5 | 91fcbf617b8acdd8b6ca2a398a3b39b5 |
| SHA1 | a8c0d4928abd6293c688a3bff8e27dbb45cc5916 |
| SHA256 | ab92f4b8684dd015102c385e48d275d96106d406192a963a90441ededef377ae |
| SHA512 | 7146b767a3f626a305d22dc29953b2976a5277d1cf5f9d76be9eca7245863b8af710e50d7719e944c73c677cdcf42bac9d84277d7e6678d7263befbb81d08f5d |
C:\Windows\system\HlIZaDe.exe
| MD5 | 7cf3c9d43cbc91854e9a00fa735ae71b |
| SHA1 | bf795e931e3064bc0e30b4e80ae8d56d16c2c356 |
| SHA256 | fac71c6da3a63a32aa71ee8e24019821e166354311a706ec074c66bd9701642d |
| SHA512 | efe6803c8409f2abb9f53856ac4a2885d3c6fe5603b9776d070e7711f5e832e177367fb5b3abd726fdb8a505f2f521264e6e91d01f5e1126db35f991a68ca6f1 |
C:\Windows\system\kcEZGMJ.exe
| MD5 | 2c7cd24cfa545b99a4b44927c72805af |
| SHA1 | baf3df5b31ba7998cea9a4e3d6f2457134f984e7 |
| SHA256 | 09ec736b58d1df1de5e5fda4fa263edbfbf9960a4db21288fd6fd4bd0b4c76da |
| SHA512 | 7a0bc1696792b6b5fa3fca31c40359a3610eec19bb447bb8fd3dff08722723228aa5b09725ced4c4367346f3f2f7e5180a111794ae325c908024462928f51571 |
C:\Windows\system\QpAAkzm.exe
| MD5 | 175d0896d53efd6832e2a466bc76f72d |
| SHA1 | 29726ba22a752dcb4e06dd72d90d95a7779c2612 |
| SHA256 | 38c762f84dda3ce8ca21a2c84a247c69edafed1218d757173eef9b4dabc10e8e |
| SHA512 | 84897bcd80c394cddf09ca5e8440267cd64a9613d2be00519df24fa4a47ae6cb64772afc1b7a1a00ea2323e6d85369aea505fbf9a5429b89873d4f2ea78b4813 |
memory/2332-127-0x00000000023B0000-0x0000000002704000-memory.dmp
memory/2864-126-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/2544-125-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2108-128-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/2332-130-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2332-133-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/2332-132-0x000000013F200000-0x000000013F554000-memory.dmp
memory/1452-131-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/1824-129-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/1840-134-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2332-135-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2332-136-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2332-137-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/1672-138-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2836-139-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2904-140-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2624-141-0x000000013F200000-0x000000013F554000-memory.dmp
memory/1840-142-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2620-143-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2680-144-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2696-145-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2424-146-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2544-147-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2108-149-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/2864-148-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/1824-150-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/1452-151-0x000000013FFF0000-0x0000000140344000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 18:11
Reported
2024-06-06 18:14
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\bALEYcf.exe | N/A |
| N/A | N/A | C:\Windows\System\GMxKwzl.exe | N/A |
| N/A | N/A | C:\Windows\System\xIiUAuH.exe | N/A |
| N/A | N/A | C:\Windows\System\EwdlsjB.exe | N/A |
| N/A | N/A | C:\Windows\System\WuyQiwi.exe | N/A |
| N/A | N/A | C:\Windows\System\DyCtiPk.exe | N/A |
| N/A | N/A | C:\Windows\System\sYBDghE.exe | N/A |
| N/A | N/A | C:\Windows\System\fouapfc.exe | N/A |
| N/A | N/A | C:\Windows\System\JgWwIVq.exe | N/A |
| N/A | N/A | C:\Windows\System\jAqsgyV.exe | N/A |
| N/A | N/A | C:\Windows\System\QpAAkzm.exe | N/A |
| N/A | N/A | C:\Windows\System\fgSEgCt.exe | N/A |
| N/A | N/A | C:\Windows\System\kcEZGMJ.exe | N/A |
| N/A | N/A | C:\Windows\System\UizWXZt.exe | N/A |
| N/A | N/A | C:\Windows\System\HlIZaDe.exe | N/A |
| N/A | N/A | C:\Windows\System\scqzlcp.exe | N/A |
| N/A | N/A | C:\Windows\System\tcSyuTQ.exe | N/A |
| N/A | N/A | C:\Windows\System\GKzqwFE.exe | N/A |
| N/A | N/A | C:\Windows\System\IzmiAzz.exe | N/A |
| N/A | N/A | C:\Windows\System\AIrQWOH.exe | N/A |
| N/A | N/A | C:\Windows\System\TgNnMaW.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\bALEYcf.exe
C:\Windows\System\bALEYcf.exe
C:\Windows\System\GMxKwzl.exe
C:\Windows\System\GMxKwzl.exe
C:\Windows\System\EwdlsjB.exe
C:\Windows\System\EwdlsjB.exe
C:\Windows\System\xIiUAuH.exe
C:\Windows\System\xIiUAuH.exe
C:\Windows\System\DyCtiPk.exe
C:\Windows\System\DyCtiPk.exe
C:\Windows\System\WuyQiwi.exe
C:\Windows\System\WuyQiwi.exe
C:\Windows\System\sYBDghE.exe
C:\Windows\System\sYBDghE.exe
C:\Windows\System\fouapfc.exe
C:\Windows\System\fouapfc.exe
C:\Windows\System\JgWwIVq.exe
C:\Windows\System\JgWwIVq.exe
C:\Windows\System\jAqsgyV.exe
C:\Windows\System\jAqsgyV.exe
C:\Windows\System\QpAAkzm.exe
C:\Windows\System\QpAAkzm.exe
C:\Windows\System\fgSEgCt.exe
C:\Windows\System\fgSEgCt.exe
C:\Windows\System\kcEZGMJ.exe
C:\Windows\System\kcEZGMJ.exe
C:\Windows\System\UizWXZt.exe
C:\Windows\System\UizWXZt.exe
C:\Windows\System\HlIZaDe.exe
C:\Windows\System\HlIZaDe.exe
C:\Windows\System\scqzlcp.exe
C:\Windows\System\scqzlcp.exe
C:\Windows\System\tcSyuTQ.exe
C:\Windows\System\tcSyuTQ.exe
C:\Windows\System\GKzqwFE.exe
C:\Windows\System\GKzqwFE.exe
C:\Windows\System\IzmiAzz.exe
C:\Windows\System\IzmiAzz.exe
C:\Windows\System\AIrQWOH.exe
C:\Windows\System\AIrQWOH.exe
C:\Windows\System\TgNnMaW.exe
C:\Windows\System\TgNnMaW.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 52.111.229.43:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
memory/4272-0-0x00007FF66F5A0000-0x00007FF66F8F4000-memory.dmp
memory/4272-1-0x00000271B8410000-0x00000271B8420000-memory.dmp
C:\Windows\System\bALEYcf.exe
| MD5 | bc2e8eb24e020ea8a2198c69a024c356 |
| SHA1 | c3db9d35eff52dc586280b186faac67d81b7cafb |
| SHA256 | cb5342726530cd9ae4adc64efd96ea2d2b44ba374cfd09580eea2dbe48dec338 |
| SHA512 | 8422ab103e09f64faea87f77e7cd346f155dd46f0c4c553c1d5648f4274dfabcfcca86f9302b5ef7f51161fc81d0838d485ca1a7c120ce13bad91ebe96c6c49a |
C:\Windows\System\EwdlsjB.exe
| MD5 | 73e4872ef83d79caf8441044d2acc835 |
| SHA1 | b2fb75ad1f4a3afa5d2b82a220b6637fe59a4d29 |
| SHA256 | 0f0a2c04d7e8a2a7d601c790a344504f7bab15341e77c8ee6bc12d7062e16919 |
| SHA512 | b264729424fd08962efab3f7a500cbeaaa6d6882718c0bee06f50db8b062ac9c4943c337dbf90bfe1f38a6a9b006badb584a0c97edbeaedb18c24856839fff9d |
C:\Windows\System\GMxKwzl.exe
| MD5 | ae30f64bf92fbebec4f42bc20139a14a |
| SHA1 | 4235e37553e784877d331e9a073a2ffa36cc01bf |
| SHA256 | 169bc841093c73c9ee79176a342516508f517e9ba11d10f426b2903281face78 |
| SHA512 | ac4181741b56a826429a8450f041afed88db99c097ec753a2df78e383728c718e01dc310e7faae3f53fdbe4478383515d501dc056ee366346a42a00bfec7d971 |
memory/1148-10-0x00007FF684520000-0x00007FF684874000-memory.dmp
C:\Windows\System\xIiUAuH.exe
| MD5 | 230179b3d640f46a004430d258c4438f |
| SHA1 | 3dcaaffe21f7208cc684870044e51ce922462ecb |
| SHA256 | cf8f582e7b7af394b9ea5f1eadd4486afac3c4f332eec03a4cf00170f8661de9 |
| SHA512 | 0a1d70b9d9bbc9e092b93cffdc395667ba05f8d098154cb750f3347b33e8c4e885375c7393e6411c4003df5d7e260b4df7a5e436ac8455401ec8d573393348bb |
memory/1628-20-0x00007FF6285C0000-0x00007FF628914000-memory.dmp
C:\Windows\System\DyCtiPk.exe
| MD5 | e8c2cc1accc07e91d7e189222d94c8d5 |
| SHA1 | a33c0c82b12e6d103c5d62c5c602ec90c56c3efe |
| SHA256 | 1526b8a1e26fe19cf1647e8e2f793b316e9e379e13fd09b5f97760557f34df2c |
| SHA512 | b9a5231efa2cf0b7d4c727805d8c7b316d2051840524288775ac12181c23804a8ed95b2ab67f499e5fb78b9d8dd9093cbe6dd0f7869d9e7f7f5d8be78bc506b1 |
C:\Windows\System\WuyQiwi.exe
| MD5 | f9d83230b4da4e26c393cbf3f54b386d |
| SHA1 | 7f7700f2f5597e43c05213f8158a598e5bd3f4ef |
| SHA256 | 066bc33cf4464942d808adbb9c7c64c6f47350e02aa07f186dd0f11074a16ab5 |
| SHA512 | 2cabe3fb93197f5dbbf4aaff697a94bad27641a55df34fdfcbd06fa8b2858114d1333d2dc2498f814435a3d3d908031cdfc59264e77b435a844677d71fe53eaf |
C:\Windows\System\fouapfc.exe
| MD5 | 65e4c23c4db0b1599033863385b7cf04 |
| SHA1 | d93eac517b3df0aa2c89f4d597da1142af0ea8d4 |
| SHA256 | 89fbfcd2cc95e309ca0a86fb3e5941dd53a6cdbd6f3cb3a3f970af07f2f224dd |
| SHA512 | 5d40c8cbce6ac8478f574c24ccaaac2f7d9e59f39193b72d6709c9c68a2db68dd8f57c3578db5e1392aea0281ed97212ac4bbca1d56e56dc1a0af4825e3367a1 |
C:\Windows\System\JgWwIVq.exe
| MD5 | 811c73440fd3dd9686d034532f0286d7 |
| SHA1 | fd341f02abe07c44f8bbfc2c4c7955cee8d9c05c |
| SHA256 | 892c27f4f39565197000397e13be6e6c45de34e03790b9b98e83635d959163f0 |
| SHA512 | 31da888549913ebe4b0f13bdfe926ceb117be1818e365c037a41331d55ad6392f89dd9ab2922dcc6c15b693840abf2cdc4286e0edfec8d1c28a479e23b048b53 |
memory/2720-58-0x00007FF6BBBF0000-0x00007FF6BBF44000-memory.dmp
memory/5016-62-0x00007FF6D73C0000-0x00007FF6D7714000-memory.dmp
memory/3920-65-0x00007FF7639D0000-0x00007FF763D24000-memory.dmp
memory/3256-68-0x00007FF787DF0000-0x00007FF788144000-memory.dmp
memory/996-67-0x00007FF7C4750000-0x00007FF7C4AA4000-memory.dmp
memory/4180-66-0x00007FF62D980000-0x00007FF62DCD4000-memory.dmp
C:\Windows\System\QpAAkzm.exe
| MD5 | 175d0896d53efd6832e2a466bc76f72d |
| SHA1 | 29726ba22a752dcb4e06dd72d90d95a7779c2612 |
| SHA256 | 38c762f84dda3ce8ca21a2c84a247c69edafed1218d757173eef9b4dabc10e8e |
| SHA512 | 84897bcd80c394cddf09ca5e8440267cd64a9613d2be00519df24fa4a47ae6cb64772afc1b7a1a00ea2323e6d85369aea505fbf9a5429b89873d4f2ea78b4813 |
C:\Windows\System\jAqsgyV.exe
| MD5 | eb6a18fca5cf1c3569ad5bda73993e49 |
| SHA1 | 03c169ddcf889d1b22291dd4383221184dff2c38 |
| SHA256 | 02ec1548b70e8aae7fb9cc650810b59cbfae078d9a4fce603be88844382f38c2 |
| SHA512 | 13e880347e13fbae4c3b590d233d076d310765c6f56d7182a21e4da3f3e5b0255b123628bafa6a7259b95d727392e52ee3af706843275a392b3012c56b32c290 |
memory/3232-59-0x00007FF76FF80000-0x00007FF7702D4000-memory.dmp
memory/1320-53-0x00007FF7C3BC0000-0x00007FF7C3F14000-memory.dmp
C:\Windows\System\sYBDghE.exe
| MD5 | 00612aa8175ebc0cd82cb83b4ea39797 |
| SHA1 | 60540662107925586e57503c323824d9c42b8f66 |
| SHA256 | d877f86866259c7b39332b4ebce0b82c002f5480d182e3353e32c563f58315ba |
| SHA512 | 65b6f3fa0b56de0701e308823a5030f78a4043cd424643b74c7aca98e79633b0408a1a081f47eda843e617d09527433e1cc45c2a3ab1751376ec42db472ebad8 |
memory/1020-29-0x00007FF798E80000-0x00007FF7991D4000-memory.dmp
C:\Windows\System\fgSEgCt.exe
| MD5 | 58a7618183405220b2148339d949f2bb |
| SHA1 | 74fcafe4502d37c71b5fe5b63b047b77ad5756fa |
| SHA256 | ea0596a67e6660ba0388e4af548c437d84cc8a598adee1f4eeaaf69b038b89e1 |
| SHA512 | 88287bd704eb0a847e04a51023e08c2b1d82452596b768afa2e37c9465ea590b7eb7d0b3194b5872896268591b5a3c680cd0176a7e5f1e53c251ae8920cee8d1 |
memory/5020-79-0x00007FF6B0340000-0x00007FF6B0694000-memory.dmp
C:\Windows\System\scqzlcp.exe
| MD5 | 7b70f7351e1edc9157d84430cba6b07b |
| SHA1 | 72c40b4523f9aafb7cbac5fd4d35d5bff66d2bd5 |
| SHA256 | 1de655c2399f09af23290f5046a807386a899f84b761c5061395dc4427253164 |
| SHA512 | fc4a8980341ff6773077eaf888cfbdd7b5a91b8f17d06d97949e93b18806b760177607f06219369c4137ce04e89204c666abc232fc0da2b31a73e86307911bdd |
C:\Windows\System\UizWXZt.exe
| MD5 | a79b14b23a83f7d6c2084f271246e0d9 |
| SHA1 | c4e509673bfa3f8fd48f88a509e2a2167e4fb4f1 |
| SHA256 | a6989e73bad041eb580a6a9fbba007bd1ea4074589e64590c3489df65649f200 |
| SHA512 | 6cd8d8f706e9743cbd78f97b4a87b355bffb3f308ee5ec39e454899237209fa2473c61e177aa68f07274c6b5d5105472285806255d44b61f2e6057c2038c5d43 |
memory/3972-96-0x00007FF764840000-0x00007FF764B94000-memory.dmp
C:\Windows\System\GKzqwFE.exe
| MD5 | 91fcbf617b8acdd8b6ca2a398a3b39b5 |
| SHA1 | a8c0d4928abd6293c688a3bff8e27dbb45cc5916 |
| SHA256 | ab92f4b8684dd015102c385e48d275d96106d406192a963a90441ededef377ae |
| SHA512 | 7146b767a3f626a305d22dc29953b2976a5277d1cf5f9d76be9eca7245863b8af710e50d7719e944c73c677cdcf42bac9d84277d7e6678d7263befbb81d08f5d |
memory/1496-112-0x00007FF66C1D0000-0x00007FF66C524000-memory.dmp
C:\Windows\System\IzmiAzz.exe
| MD5 | 3b70652c69b7af4bd0438ada00dee6a4 |
| SHA1 | 3db19647a8c3fa943a17d910246d92fcb6574585 |
| SHA256 | 98821e380bf786e9470a0a97f2d9fd09849401ea31f517d97db893cb2bbc62e3 |
| SHA512 | 6a85d66828a38f9d25baff4408c8d58c9d0195ce90e113585e23813e7d856b517a2b01c13fd2549590ff45caf039abafaff489f9c9353610259fd131ba57dd5c |
C:\Windows\System\AIrQWOH.exe
| MD5 | c320988290cea88cf183e1f064aec30e |
| SHA1 | 260af7a4c2bafc4dc1cc7d0654b593a852bf24bc |
| SHA256 | 3f113eaf92c82a9ae3a7a0a47c0a29850c45e8960826f6d9d536e2fb0f4c71c8 |
| SHA512 | f818e5aacd3f9c63e7e413b7c0a1214181224d05d4c069bd1da0e97b038396e7c701e3cb4178fb118c0199decc0dc3f469b8b5c4049b3faac85e4110f0bcec6d |
C:\Windows\System\TgNnMaW.exe
| MD5 | b69fccfb0a86b7cc987b23f8becd3484 |
| SHA1 | 1305c8db2364303b6c6090a3d30137ce660c82bb |
| SHA256 | 94f04a3d36afff498b09564f3ae7e7ec0fcb9d3b40e79415784a8630df5ed5a5 |
| SHA512 | dd3adcf0b77f618c79988560f0eea63f2806067df094662aa55e41cad69f0defc89fea673e24fe0086919ad4a83003497fce359fd228f4adde9579b580058382 |
memory/948-118-0x00007FF660CE0000-0x00007FF661034000-memory.dmp
memory/1172-106-0x00007FF779410000-0x00007FF779764000-memory.dmp
C:\Windows\System\tcSyuTQ.exe
| MD5 | 060e14ddea4d54b41c63e47755f3807c |
| SHA1 | abd08b36443b44349b63976c133abc4830546946 |
| SHA256 | 1e3999fede9b8308d768392c6dcb23c09ecfd2a012188de23303093639b2fd10 |
| SHA512 | aacfeadcf173e2b5da3e02e088fbf99f35db06772a2b0a6d683500055d0f83f2ec10265e243685c880b2af07471e7c9c94fd0e0585be9b8232379ff85e72767a |
C:\Windows\System\HlIZaDe.exe
| MD5 | 7cf3c9d43cbc91854e9a00fa735ae71b |
| SHA1 | bf795e931e3064bc0e30b4e80ae8d56d16c2c356 |
| SHA256 | fac71c6da3a63a32aa71ee8e24019821e166354311a706ec074c66bd9701642d |
| SHA512 | efe6803c8409f2abb9f53856ac4a2885d3c6fe5603b9776d070e7711f5e832e177367fb5b3abd726fdb8a505f2f521264e6e91d01f5e1126db35f991a68ca6f1 |
memory/4004-91-0x00007FF65BB80000-0x00007FF65BED4000-memory.dmp
memory/908-87-0x00007FF627680000-0x00007FF6279D4000-memory.dmp
memory/3344-86-0x00007FF79C920000-0x00007FF79CC74000-memory.dmp
C:\Windows\System\kcEZGMJ.exe
| MD5 | 2c7cd24cfa545b99a4b44927c72805af |
| SHA1 | baf3df5b31ba7998cea9a4e3d6f2457134f984e7 |
| SHA256 | 09ec736b58d1df1de5e5fda4fa263edbfbf9960a4db21288fd6fd4bd0b4c76da |
| SHA512 | 7a0bc1696792b6b5fa3fca31c40359a3610eec19bb447bb8fd3dff08722723228aa5b09725ced4c4367346f3f2f7e5180a111794ae325c908024462928f51571 |
memory/4272-126-0x00007FF66F5A0000-0x00007FF66F8F4000-memory.dmp
memory/3984-127-0x00007FF77B3D0000-0x00007FF77B724000-memory.dmp
memory/1360-128-0x00007FF628F10000-0x00007FF629264000-memory.dmp
memory/1320-129-0x00007FF7C3BC0000-0x00007FF7C3F14000-memory.dmp
memory/5016-130-0x00007FF6D73C0000-0x00007FF6D7714000-memory.dmp
memory/908-131-0x00007FF627680000-0x00007FF6279D4000-memory.dmp
memory/4004-132-0x00007FF65BB80000-0x00007FF65BED4000-memory.dmp
memory/3972-133-0x00007FF764840000-0x00007FF764B94000-memory.dmp
memory/1496-134-0x00007FF66C1D0000-0x00007FF66C524000-memory.dmp
memory/1148-135-0x00007FF684520000-0x00007FF684874000-memory.dmp
memory/1628-136-0x00007FF6285C0000-0x00007FF628914000-memory.dmp
memory/3920-137-0x00007FF7639D0000-0x00007FF763D24000-memory.dmp
memory/1020-138-0x00007FF798E80000-0x00007FF7991D4000-memory.dmp
memory/4180-139-0x00007FF62D980000-0x00007FF62DCD4000-memory.dmp
memory/2720-141-0x00007FF6BBBF0000-0x00007FF6BBF44000-memory.dmp
memory/996-143-0x00007FF7C4750000-0x00007FF7C4AA4000-memory.dmp
memory/1320-142-0x00007FF7C3BC0000-0x00007FF7C3F14000-memory.dmp
memory/3232-140-0x00007FF76FF80000-0x00007FF7702D4000-memory.dmp
memory/3256-144-0x00007FF787DF0000-0x00007FF788144000-memory.dmp
memory/5016-145-0x00007FF6D73C0000-0x00007FF6D7714000-memory.dmp
memory/5020-146-0x00007FF6B0340000-0x00007FF6B0694000-memory.dmp
memory/3344-147-0x00007FF79C920000-0x00007FF79CC74000-memory.dmp
memory/908-148-0x00007FF627680000-0x00007FF6279D4000-memory.dmp
memory/3972-149-0x00007FF764840000-0x00007FF764B94000-memory.dmp
memory/1172-150-0x00007FF779410000-0x00007FF779764000-memory.dmp
memory/4004-152-0x00007FF65BB80000-0x00007FF65BED4000-memory.dmp
memory/1496-151-0x00007FF66C1D0000-0x00007FF66C524000-memory.dmp
memory/948-153-0x00007FF660CE0000-0x00007FF661034000-memory.dmp
memory/3984-154-0x00007FF77B3D0000-0x00007FF77B724000-memory.dmp
memory/1360-155-0x00007FF628F10000-0x00007FF629264000-memory.dmp