Analysis Overview
SHA256
627441b8fb74b80ea9dc0e3317b2fd868aad37082d095abfdac4677d406196cf
Threat Level: Known bad
The file 2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
XMRig Miner payload
Cobaltstrike
xmrig
Xmrig family
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 08:04
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 08:04
Reported
2024-06-11 08:06
Platform
win7-20240221-en
Max time kernel
136s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 matches (no details recorded) | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 matches (no details recorded) | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 53 matches (no details recorded) | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 53 matches (no details recorded) | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\YDwNhfP.exe | N/A |
| N/A | N/A | C:\Windows\System\HCQzyvS.exe | N/A |
| N/A | N/A | C:\Windows\System\AQfjBfv.exe | N/A |
| N/A | N/A | C:\Windows\System\bMHnmmc.exe | N/A |
| N/A | N/A | C:\Windows\System\OMJuTlP.exe | N/A |
| N/A | N/A | C:\Windows\System\SdZRQwu.exe | N/A |
| N/A | N/A | C:\Windows\System\lHuGhCb.exe | N/A |
| N/A | N/A | C:\Windows\System\FiMlJvs.exe | N/A |
| N/A | N/A | C:\Windows\System\xriNSIM.exe | N/A |
| N/A | N/A | C:\Windows\System\wZCXwXh.exe | N/A |
| N/A | N/A | C:\Windows\System\wDItKqg.exe | N/A |
| N/A | N/A | C:\Windows\System\PFIEcLD.exe | N/A |
| N/A | N/A | C:\Windows\System\bCvVObV.exe | N/A |
| N/A | N/A | C:\Windows\System\lUxArjW.exe | N/A |
| N/A | N/A | C:\Windows\System\DBGasRf.exe | N/A |
| N/A | N/A | C:\Windows\System\DZmmyUW.exe | N/A |
| N/A | N/A | C:\Windows\System\elUhchW.exe | N/A |
| N/A | N/A | C:\Windows\System\zAOqOUt.exe | N/A |
| N/A | N/A | C:\Windows\System\TdrHVhf.exe | N/A |
| N/A | N/A | C:\Windows\System\ObuQarm.exe | N/A |
| N/A | N/A | C:\Windows\System\PkWvyEM.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| 53 matches (no details recorded) | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\YDwNhfP.exe
C:\Windows\System\YDwNhfP.exe
C:\Windows\System\HCQzyvS.exe
C:\Windows\System\HCQzyvS.exe
C:\Windows\System\AQfjBfv.exe
C:\Windows\System\AQfjBfv.exe
C:\Windows\System\bMHnmmc.exe
C:\Windows\System\bMHnmmc.exe
C:\Windows\System\OMJuTlP.exe
C:\Windows\System\OMJuTlP.exe
C:\Windows\System\SdZRQwu.exe
C:\Windows\System\SdZRQwu.exe
C:\Windows\System\lHuGhCb.exe
C:\Windows\System\lHuGhCb.exe
C:\Windows\System\FiMlJvs.exe
C:\Windows\System\FiMlJvs.exe
C:\Windows\System\xriNSIM.exe
C:\Windows\System\xriNSIM.exe
C:\Windows\System\wZCXwXh.exe
C:\Windows\System\wZCXwXh.exe
C:\Windows\System\wDItKqg.exe
C:\Windows\System\wDItKqg.exe
C:\Windows\System\PFIEcLD.exe
C:\Windows\System\PFIEcLD.exe
C:\Windows\System\bCvVObV.exe
C:\Windows\System\bCvVObV.exe
C:\Windows\System\lUxArjW.exe
C:\Windows\System\lUxArjW.exe
C:\Windows\System\DBGasRf.exe
C:\Windows\System\DBGasRf.exe
C:\Windows\System\DZmmyUW.exe
C:\Windows\System\DZmmyUW.exe
C:\Windows\System\elUhchW.exe
C:\Windows\System\elUhchW.exe
C:\Windows\System\zAOqOUt.exe
C:\Windows\System\zAOqOUt.exe
C:\Windows\System\TdrHVhf.exe
C:\Windows\System\TdrHVhf.exe
C:\Windows\System\ObuQarm.exe
C:\Windows\System\ObuQarm.exe
C:\Windows\System\PkWvyEM.exe
C:\Windows\System\PkWvyEM.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2240-1-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/2240-0-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\HCQzyvS.exe
| MD5 | be983e16c270b2fd093cc8f85477ba5c |
| SHA1 | f94f018ab238b47141c6aab20eb846a57def4765 |
| SHA256 | 744ffc0b4c287b8bda1fa78df9b85dac01ce36b2583058b17b0415741b72bcdb |
| SHA512 | f5860deecf114078c479b91b526a60a7f1b4e5e75852cba25d1351a7b5df51ccf4e5f5eddb851f48e20b22cfaaa06fd2d91a78479c10ecb1feba801fdedd91d1 |
C:\Windows\system\YDwNhfP.exe
| MD5 | 72b5b6803380da15532b27cfcf161cbb |
| SHA1 | bf69618aeca1547809f8fb5a4556503859b39126 |
| SHA256 | ce57424a73135dd06fc379173e64d81e6a2f5ab7278516a4b23f8c2522c4763f |
| SHA512 | 452199571fdb6a77ea538cbf89e7214fa5d7d3b13b669eef1d33cc9a27a773e64ae38c5c916d339d12a13fa83ddfd54eac4d4992acea6124b674929387a17dd6 |
memory/2956-12-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2240-11-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2492-16-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2240-14-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
\Windows\system\AQfjBfv.exe
| MD5 | f00c97667b98f922a7dbf1872ae0d9f4 |
| SHA1 | b669a8f59a791634a61a383f37ebb88674415b1e |
| SHA256 | 7d6d87f73deaae5d30b2c357fb8b26b03e4e91b187406a22f126778eb060bda4 |
| SHA512 | f3a3e61839010b4a21a509bf631056c52d22bee875c8d90d892b0a8a8344e34fcc2f33b12f8cbe4905629c240c860179a3e5151b362eddd1df32227c18a72fe8 |
\Windows\system\bMHnmmc.exe
| MD5 | 360b491bf7ab83454b71857665607880 |
| SHA1 | ace1416a0d52659e70617fb31690e2ab34dce07a |
| SHA256 | 59ce1638c70fabae9e639faa203f2b06ec27d7f452d7706df1c350f555de6a74 |
| SHA512 | 6a78c8011c7995b08f9575fbf8b437f49ba3e4dce367e4f692aed03e1d171a2ead158ec4a91cc0295ac1735413b475c2693ae2c66825ddca9dc96081959b3525 |
memory/2004-29-0x000000013F760000-0x000000013FAB4000-memory.dmp
\Windows\system\OMJuTlP.exe
| MD5 | d071a3e4c6570b2a470e6c8181163086 |
| SHA1 | 3e59cfd8660ea3bcef799bb1237ec26591249c99 |
| SHA256 | ce95d9fd735fe530efcaa6c43211f896b63e9db9154d4da8af48752543b4784d |
| SHA512 | 71ed904253e566054271954a6370321a992030a1d2ac5b43622ab2ad04457eff283d26658639e26d879e38d8c1a7afbebf33865dec1b91986e59a55acbd21f03 |
memory/2240-32-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2240-26-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2624-22-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2240-20-0x0000000002290000-0x00000000025E4000-memory.dmp
C:\Windows\system\lHuGhCb.exe
| MD5 | feb4465a1be6ad485414e50e4747b764 |
| SHA1 | 0ea84bd43c9510e07614ce68672dea341ff9f24d |
| SHA256 | 382e255a66d32016a9618853ae8a066ea0b57a15281a0e4515b03fdede7a7219 |
| SHA512 | f6480cb6147b2a8858a9987706a6140a51b53a22ed7e346fdcec1a3e7c991a1f33fb72733d6a0b8b2d5c84ca5dcb34c64d4df0b2432e144b790403cf0d8b2917 |
C:\Windows\system\xriNSIM.exe
| MD5 | 21eb51ce8ddb80e7b1b03c74bca91d31 |
| SHA1 | ccfb39cecd9f7857e988aa5367d2a8b39c2bce17 |
| SHA256 | 218758364cd4aac5646d1cd037e63d59b7654c4de09432c387f7d22c219379e9 |
| SHA512 | fc44b7ea350b9be504faca07381b3d7659492153d02d628fa15399c339fe19ec0e9aac2e6a9a96b83fb7aec2f5996a0bc65e664f91d1ae8ca1fc10921bc6ad65 |
C:\Windows\system\lUxArjW.exe
| MD5 | 7f3962f17cb59366bc04de283ab4c854 |
| SHA1 | 1acefb1dcb6428f89c2be8c6cc6f1ddbac40d424 |
| SHA256 | 9158d6ad1f28b73e439c20d876b7569ecc6f036d06c4a58d12b261ea8b94b7cc |
| SHA512 | 4c95af578fd7592317efedaaf3248835567beee988d568a6098a029a4886e348be773c622bf4415e2c6cea3874944d9797eaf55544c5cc2c8c2e2e72c0e04cff |
C:\Windows\system\DZmmyUW.exe
| MD5 | e9e07d9101810713fdf542361c977628 |
| SHA1 | 8d31b48be0c5334d5fd56e5da88bf3c6a0297c97 |
| SHA256 | a72b1771260ba12f21fc57f4820869a59dd8d61adc453d30dd8a497e3db2feab |
| SHA512 | 3cfb2d8fca56263b3622a388e6618db387ef6eb3e512973dad9ced7b6c3bc689166806b28da1ff778a10333f980fcca92f114288fcb5b3d60e39247b1a8af2dd |
C:\Windows\system\zAOqOUt.exe
| MD5 | ae38663bbb7d819ac921dde648ad27f1 |
| SHA1 | e806b13cdb856f108a28d699287ee01ec03c3c9f |
| SHA256 | fad388f4a38d8d9e783891be6778e4e1de15c348875e47c769ac9febb34b2bd2 |
| SHA512 | c82de09691c5a167ed2b023e5e4599dd71773ddf942fe87972875ebd3e72527975b30a1ce953cb02ce607524221a83511ebac5f624e35989f35d563bbe2e96fb |
C:\Windows\system\PkWvyEM.exe
| MD5 | cd1dae44f8ab4c1971cca8e9a76a168c |
| SHA1 | ea9215de7d00550bce24e393d5329bc040ac3e53 |
| SHA256 | 3b653476247cfda63e4fd95adbd1d3af154c35f7ca233c7800f0e3144eeb4c54 |
| SHA512 | 223a2da3bbae7404f2e12e8368b5a1438cccc51293c78f76d6a635ef9bc69def7c52cd202a7d3e740e7e161f8a62d3c91f64e28ae9b0dbf7d5a96ea78237d0bd |
C:\Windows\system\ObuQarm.exe
| MD5 | 12bae223439beb189e74c9012681c0f2 |
| SHA1 | f6a869afc9b267d0a4d6d53beafc8dc507988350 |
| SHA256 | 6f1161d1022d3a0d3b144fe9a010dc11c3931fbab6070eb6b460368fc25f9bc1 |
| SHA512 | b138bca32a58a8eb08a9c4fad1742c59170e657960fc46bdb2f66fbf5809f286a42db67eb1315d5a492514a89bdb840805a3250bd4a1e45204ca2861c738bfa0 |
C:\Windows\system\TdrHVhf.exe
| MD5 | 8519fe64409b32e861c2c5c69a829215 |
| SHA1 | deb99d6e5424a322f910757ec9ecfbb5f180c0f8 |
| SHA256 | aa0e76b007f63ad2cd2fc60d37475be27b00c1b28485bf76fa4e4b4be9317019 |
| SHA512 | e532accd3e72fd0ec4f096d2d9ca96769a64d6a18735350725c2a5798b64186e7a5bdf58ce2f02e06f938f84e5f72fc7296ada3edc2d03ecd365518dadea6a6e |
C:\Windows\system\elUhchW.exe
| MD5 | bbb79a48b5eec47b15bc7fd0cc78f9b8 |
| SHA1 | 5e77e6b8b3fefe08a10ba0cf76ea0f979247c8fd |
| SHA256 | 0e6e698f723df4cbe8ce119609c7e70514b15f100926600b60d6998eb4664be1 |
| SHA512 | 750f6b0c6326571dacc2694210cd36cdad7fa558ee78fb5d36226649180899c1a779d892a2afc8b04ec8b08efc4a7e1682ab2a417f80ee81a4ed3b8f4dcdd1f9 |
C:\Windows\system\DBGasRf.exe
| MD5 | 4efad9af39a03a284106769e05a701b0 |
| SHA1 | 2e026b004707b679f4121a3884bf92de8175f60b |
| SHA256 | 6ecfc158167a9c0edc698e9e0a3da7b89cc535f48dbb0a59d08fda6d691e853d |
| SHA512 | 1394f235f3f75d57f3d13178dd70f0ce609a83af9f7a1e6031a358447da0bdc3515cad9548a090ed7a4c286ef86d12b588646ba892738a2e9bcf48f7dfac7957 |
C:\Windows\system\bCvVObV.exe
| MD5 | 8c331fed192d2cd78034b1d62cfe5bc9 |
| SHA1 | 3c73562c357df3beaffca94d41e08832525077a0 |
| SHA256 | 8a318303a9d09030df7d6b88806a71abdd276c5223820790e5e3cbcfd61a2f49 |
| SHA512 | 06868eaedd21404996458b3df692733bb90f0f72116e4a8c914c70ceea78ec19e8a3c4d665b7bbd32e1df3f96c6eb22c655bd25e32fb73a798737b15971dadb9 |
C:\Windows\system\PFIEcLD.exe
| MD5 | 922cda9de7a3c24a7fdadb5812a75f52 |
| SHA1 | 06f14f915ef3aa6ec017beedcde08e9afb02cd0b |
| SHA256 | d4f6ccdaa9850a2977840ebc8c5ba00129cff9e57c936b96b1c97df1afd66ce7 |
| SHA512 | 1ea03278c9f851cf9c7d4a5e08acd1c41f6f74b4f82ed5970959d136bb5e81c3c38fe434f3017daa98e1411b57244f153696de17cb15845e80c1bbea74a87069 |
C:\Windows\system\wDItKqg.exe
| MD5 | 7aff54d07746c3e558ba58abb42e484f |
| SHA1 | 25a46129108a930d00a75f95fb32d4138b0ca84d |
| SHA256 | fb81169783626ef0801c17218d8f4e742751f8721dfb022d5e7a500fbfdf4501 |
| SHA512 | 7541f72cc5f5d25bc93d9d7b6fbbab79292ea15fd4b0cc7dc28a392bc72fda44596e4d6a66e51a901547a2f858ded367bebaba26b25109b6e79dfa73da1cbc85 |
C:\Windows\system\wZCXwXh.exe
| MD5 | 4a77e92954f2bfe36eb87389bdefce01 |
| SHA1 | 89c1dc352dcacf39624a2bd754f01c0fa78ff04f |
| SHA256 | be3d1c3b37332b4b27665095fc7371621c795de5eec13850f97d5c2be3593f80 |
| SHA512 | 2825a51c638e137ef9e4bd0925679374e8ee2061aa932e4c275d91e0fd379510167f9cf4b8b5af60e5f497d75cbe2ebfa222036f1fe6c5dc415972c4120b5129 |
C:\Windows\system\FiMlJvs.exe
| MD5 | 172f7443a31cc792996661ab59c78058 |
| SHA1 | f355fd359dc0c4a0e54eb560de74e423443534c8 |
| SHA256 | d6d87aa55af3b914cfee5ea9459d2f779cee8716dbefe29587add208f22e0855 |
| SHA512 | d58674754bb926819c0c99bdb4b10eedbde9867ee6dd6ca80b66daf4b5665c71262d10d7d0e118bd919e67c34d9cd934814c0bcce3e705298d23472fb96bd580 |
C:\Windows\system\SdZRQwu.exe
| MD5 | 75be8efaa0f6bd43d70adbdba012b125 |
| SHA1 | fed4505e1668bafccdebb455ec9d409d741e9110 |
| SHA256 | c4b1dd1937588befd2902ceba424ac0e2ccd833616cfd6f43080319d9034fefc |
| SHA512 | da6e8a7ea61684e3f674b1287b03f2f931f44eb2cd39127bd7655cde4678cd2f0d0db777a1123723f862d2ff10fa3e6739a6be952e48313bf6161cd63dcdecfb |
memory/2240-117-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2656-116-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2240-121-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2412-120-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2240-124-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/2428-123-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2360-122-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2240-119-0x0000000002290000-0x00000000025E4000-memory.dmp
memory/2856-118-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2876-125-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/2064-126-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2240-127-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2580-130-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2240-131-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2432-129-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/384-128-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2240-132-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/2240-133-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2240-134-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2624-135-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2004-136-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2956-137-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2492-138-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2624-139-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2004-140-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2656-141-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2856-143-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2412-142-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2360-144-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2428-145-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2876-146-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/2064-147-0x000000013F100000-0x000000013F454000-memory.dmp
memory/384-148-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2432-149-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2580-150-0x000000013F120000-0x000000013F474000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 08:04
Reported
2024-06-11 08:06
Platform
win10v2004-20240426-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 matches (no details recorded) | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 matches (no details recorded) | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 64 matches (no details recorded) | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 matches (no details recorded) | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\coYszFH.exe | N/A |
| N/A | N/A | C:\Windows\System\UlKzBeH.exe | N/A |
| N/A | N/A | C:\Windows\System\jHOOSxz.exe | N/A |
| N/A | N/A | C:\Windows\System\BLlFHOV.exe | N/A |
| N/A | N/A | C:\Windows\System\enGpoSK.exe | N/A |
| N/A | N/A | C:\Windows\System\VnEFeeG.exe | N/A |
| N/A | N/A | C:\Windows\System\usriZsc.exe | N/A |
| N/A | N/A | C:\Windows\System\YpxpGFN.exe | N/A |
| N/A | N/A | C:\Windows\System\rbZcyiO.exe | N/A |
| N/A | N/A | C:\Windows\System\IATnFbK.exe | N/A |
| N/A | N/A | C:\Windows\System\TPoRxlb.exe | N/A |
| N/A | N/A | C:\Windows\System\HgDmItt.exe | N/A |
| N/A | N/A | C:\Windows\System\hKLhrpO.exe | N/A |
| N/A | N/A | C:\Windows\System\NaCeFOs.exe | N/A |
| N/A | N/A | C:\Windows\System\uiqXnXH.exe | N/A |
| N/A | N/A | C:\Windows\System\MESrFEZ.exe | N/A |
| N/A | N/A | C:\Windows\System\umiYyDK.exe | N/A |
| N/A | N/A | C:\Windows\System\wxsqWtz.exe | N/A |
| N/A | N/A | C:\Windows\System\MCrUMzw.exe | N/A |
| N/A | N/A | C:\Windows\System\dMctXor.exe | N/A |
| N/A | N/A | C:\Windows\System\aeeSGPl.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| 64 matches (no details recorded) | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\coYszFH.exe
C:\Windows\System\coYszFH.exe
C:\Windows\System\UlKzBeH.exe
C:\Windows\System\UlKzBeH.exe
C:\Windows\System\jHOOSxz.exe
C:\Windows\System\jHOOSxz.exe
C:\Windows\System\BLlFHOV.exe
C:\Windows\System\BLlFHOV.exe
C:\Windows\System\enGpoSK.exe
C:\Windows\System\enGpoSK.exe
C:\Windows\System\VnEFeeG.exe
C:\Windows\System\VnEFeeG.exe
C:\Windows\System\usriZsc.exe
C:\Windows\System\usriZsc.exe
C:\Windows\System\YpxpGFN.exe
C:\Windows\System\YpxpGFN.exe
C:\Windows\System\rbZcyiO.exe
C:\Windows\System\rbZcyiO.exe
C:\Windows\System\IATnFbK.exe
C:\Windows\System\IATnFbK.exe
C:\Windows\System\TPoRxlb.exe
C:\Windows\System\TPoRxlb.exe
C:\Windows\System\HgDmItt.exe
C:\Windows\System\HgDmItt.exe
C:\Windows\System\hKLhrpO.exe
C:\Windows\System\hKLhrpO.exe
C:\Windows\System\NaCeFOs.exe
C:\Windows\System\NaCeFOs.exe
C:\Windows\System\uiqXnXH.exe
C:\Windows\System\uiqXnXH.exe
C:\Windows\System\MESrFEZ.exe
C:\Windows\System\MESrFEZ.exe
C:\Windows\System\umiYyDK.exe
C:\Windows\System\umiYyDK.exe
C:\Windows\System\wxsqWtz.exe
C:\Windows\System\wxsqWtz.exe
C:\Windows\System\MCrUMzw.exe
C:\Windows\System\MCrUMzw.exe
C:\Windows\System\dMctXor.exe
C:\Windows\System\dMctXor.exe
C:\Windows\System\aeeSGPl.exe
C:\Windows\System\aeeSGPl.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4452-0-0x00007FF69CE00000-0x00007FF69D154000-memory.dmp
memory/4452-1-0x000001CE169B0000-0x000001CE169C0000-memory.dmp
C:\Windows\System\coYszFH.exe
| MD5 | 5e0f51ec301e68921e5197f0087397f0 |
| SHA1 | a10156817588aa3b85638c07781e8a1273d40ac8 |
| SHA256 | 04d4000b6fe3df43c89432b31e1e0e8f99d83e51ebdae8f84eaf8f041e3ac4f6 |
| SHA512 | df3967eb47e93190743c650c8d419f809789d8f3d20c281295f40353fb16b6ac73f2b22052a72feab0e668ae4ba62888907c3a19101d9bc135c8b0af5d235ff3 |
C:\Windows\System\UlKzBeH.exe
| MD5 | f0334ec97f56630cf70fd9de4a80fd47 |
| SHA1 | 911f01b3c2fa51f2965e90f9012320cf7b1c622d |
| SHA256 | 0af8d9512752b98fde63f15c7daa4e1eae540184ecf5e79256b6424c83c3de92 |
| SHA512 | 8c68020be6956ee642ded5e58b922daac8a7003d41e9c08f9e328400ecbfbc6a212f3ae3c72a84d6246b82661f86855920c813aa0fa19ed46b930e6a64a659d5 |
memory/892-9-0x00007FF7FBFC0000-0x00007FF7FC314000-memory.dmp
memory/2508-12-0x00007FF6175C0000-0x00007FF617914000-memory.dmp
memory/4180-20-0x00007FF609260000-0x00007FF6095B4000-memory.dmp
C:\Windows\System\BLlFHOV.exe
| MD5 | 53fd22c82d2bab2fbfb1bebc40687dbb |
| SHA1 | 86dddabc64826d01b034269d9486fa98ce88572a |
| SHA256 | 87930baf22fab7f70585713e5edf658bbbffcd152834e556f27235fec25b5b9e |
| SHA512 | c8f4b8a68e905aa395507e1c20b1333872fde46111332dc53c0f1616065755458674950c9c359563c4e9d37773b69f3aef334915b1f8b5573eadbcb05d2d2a37 |
C:\Windows\System\enGpoSK.exe
| MD5 | 50cda4deb86b473d3cbf21ccc778a45a |
| SHA1 | 1b5b426a13424651a9492d2a76405a8f47f2b041 |
| SHA256 | 03150c6037d9de6e2ecf64d047ac816f2ee5f772fc8961b315ccaa1dcb906705 |
| SHA512 | 6efacdb2ad40c63f5680635943e9faa7f06456a2f92e172f4d04378a77629ef813eb3c22ca6f287a530c37f146473dc8640c681423db68a8d5fd0b5b985f4984 |
C:\Windows\System\VnEFeeG.exe
| MD5 | 8c656edc4b527520db144f405d410721 |
| SHA1 | 250f537f653660c81025aaab799ed560bf059337 |
| SHA256 | 3cb6eca7024a75e8889e24b6c2d9f42c0e4330894ac7e0bfa4491d6e4f76e39f |
| SHA512 | 489e3ab4a3efb612717f36641af02835f3e1accb33fad39b14032b2f15fd1b56fb3118eaf884557de04c57db999c56a0d492201469d235aeed19df753f136853 |
memory/3212-34-0x00007FF6AD330000-0x00007FF6AD684000-memory.dmp
memory/3288-28-0x00007FF673E20000-0x00007FF674174000-memory.dmp
memory/1076-24-0x00007FF7F4AA0000-0x00007FF7F4DF4000-memory.dmp
C:\Windows\System\jHOOSxz.exe
| MD5 | b405e7aefbfa1941f91be089a10308d7 |
| SHA1 | d4dfad8d0f48bbf3aa6731f7d7bef36bd48a9839 |
| SHA256 | f70d05de7b00f211b398821b53390e022b7de19c6fe4bd8b71a9be6eea964085 |
| SHA512 | 5a5fbaddb1a67654adf077eed65467757df1c1e5f632aaab182bf58c2115573a2e52a43133a44f5566d078cad0b7e93d1c91aa24bd9334af2b5eec50b9a5ca6d |
C:\Windows\System\usriZsc.exe
| MD5 | bd6e7dc140ecd9040702e53eda9f4cfb |
| SHA1 | 802737691fc02424e16df5ca7d46c4d0dc927a44 |
| SHA256 | 3fded91e4df03144c0bfe3c60dde5c3fb36d997d460ed121ffbd7f1fa4201d0c |
| SHA512 | b76564b47b389395016151bae0ff656caeb7c661701b9ac20d9c81b7b6978f5012bb843e55b841a0296a35deaecbf26efff1c1f6cfc7302ee6f98ece8db83784 |
memory/4328-44-0x00007FF76F0D0000-0x00007FF76F424000-memory.dmp
C:\Windows\System\YpxpGFN.exe
| MD5 | 67684eb90f898fac8e094ef671090031 |
| SHA1 | 30758c13b69caeb0ddf9d3d3a76c05af8dbc6fac |
| SHA256 | ab5c4e24d6ece48632abdb3b265c7b6d6e7dbac3d0283b8efe0993f205c6de15 |
| SHA512 | d85942f49f5b269a163cf5a9fee3de277b927fd836fbbf0f179dbcea4ca2b88bdc4b417e80da2c4f3bafa2e64e95791860da1d275bcc49e4215c4582ff898580 |
C:\Windows\System\rbZcyiO.exe
| MD5 | b53da18190572d4aebdfee3fc25016c9 |
| SHA1 | 77348f4f02585102a892054faa5c0a5717079f29 |
| SHA256 | 1c47dadd7f1221d201ce6c1b8588b3852d94d42a6915efde4611b509da1b83c4 |
| SHA512 | 5725383cb013772273904e9a7d45b9de09bc2420e2e5fe962b71d5024faba638ea34764b37be2e972562e70ccbbf54dedafb6d90077f92e30436650b8aea8148 |
memory/1984-48-0x00007FF66E5C0000-0x00007FF66E914000-memory.dmp
memory/620-56-0x00007FF62E9A0000-0x00007FF62ECF4000-memory.dmp
memory/4452-60-0x00007FF69CE00000-0x00007FF69D154000-memory.dmp
C:\Windows\System\IATnFbK.exe
| MD5 | 27dcb202402eff4110c480359077ebac |
| SHA1 | 5792c50bb2d70d9b4308573283d4d67c6b0f4001 |
| SHA256 | 933b389d34d78834a5d19f192f2adf9c960393e9376f9f8e0148aaf2767fd28b |
| SHA512 | 364c069a050108a4b3b43fe574f1b763c3ad11a618908fae67daa2fa28d4b1177372410c65a3aeb9a839c807e02e84e4ee9d718c02e2022d0b5fd435667f49fc |
memory/4144-61-0x00007FF762BF0000-0x00007FF762F44000-memory.dmp
C:\Windows\System\TPoRxlb.exe
| MD5 | 192dd3a8f7f4b3e78b8092362c6eb5da |
| SHA1 | 66ac675dc2e5bf65b9b308f8876c9f8ed397c161 |
| SHA256 | 755fdca0a78e3974c5e18ddd70db49b3b83e1bb1c6f6e8ab57b9722dca1ef0ec |
| SHA512 | a4e48c36eadce426304353569cbc9bc489605ae141bd03e3dfb1b576e8c8cc0adbdd7e83cb942d516c77fc829c5320bd161b5bbafd4cf6638aaecb3b8b7fa47b |
memory/3432-71-0x00007FF636520000-0x00007FF636874000-memory.dmp
C:\Windows\System\HgDmItt.exe
| MD5 | 55df1bf576bb05a55e831e0606117a10 |
| SHA1 | 5a1b1c57a1c6a326caf52b56f9a0cffa855b8da9 |
| SHA256 | 2e4fb0eee170d2a5193dd66c7c2441592ba9d4df3ea1254d6651ff9631281522 |
| SHA512 | e2b4fe5eb3d64f89d4da15505adea5ab0c6e97a299c528dc4c6dc2814906257d75ee79304f35438c9a80d02f09fd22de09072fe8ff85f7c18b3bee16e1a8b875 |
C:\Windows\System\NaCeFOs.exe
| MD5 | 1aaac901d2aeb9596868f60e9b5d7a57 |
| SHA1 | c48fd56533205207fe74ac3ed257112f0ac610e5 |
| SHA256 | e3443c02e4a342350e6e71d34d7825f824a01b8cf47117e3ceb7d79a337a1bac |
| SHA512 | 01bbc73183a1eeddd36d0986e80641257ff929d9f82e8bc66a5a371a23a33227c759d8a277a00c1e698d904f4e6de9983f2d7ba89255138ea68822ad513717b4 |
C:\Windows\System\hKLhrpO.exe
| MD5 | d5def9607caab912439b0e9ee6c06f4d |
| SHA1 | 5632c0daaaf5640b808aa121ef41ee9df8f48316 |
| SHA256 | b6cd5d6b55e707dce53103c8c76d112fe71ee55b5ff802349d7cb11272a4cdb8 |
| SHA512 | a61b30f808d543c0c46027f07a2e0ff6aac28ad82ceaa1aea8b89a4d4e91c0271acb32ccaab8e1aa3ca1d524b93f910f4538a77acff1f122eda7bb8a4c02566a |
C:\Windows\System\MESrFEZ.exe
| MD5 | 365277cc074e1160558a917dbe778aeb |
| SHA1 | d830c45468aae549aed2789a19b46265b5637c3b |
| SHA256 | b78373471219f631c191ef4b9ba2cec46ce06a882847b0039fb383a0074566b6 |
| SHA512 | 4f44da3864bd22c3fa087fa69249840a5144dd5caed1f006fce77c115c43e6d579c60db541d4d212c8e490af8ec659db5b685c3ee561c5e533c4b6432aabdcb5 |
memory/1772-103-0x00007FF72F030000-0x00007FF72F384000-memory.dmp
C:\Windows\System\umiYyDK.exe
| MD5 | 4c713f3ec2797833e0ebcc98ac70f589 |
| SHA1 | b72cdb40ad3b6c1b01ac44dabaafd167bcb3f041 |
| SHA256 | 18e7374e573c61c26ad58a99d696fa7c87b4779859b0654e9cd5bcad5b99dabf |
| SHA512 | 4b87221149984c10d5366c622626a3c2685394b9401e947391105c8e415cc7abee2649041e0a0e95e401e70c62bb997e8a131ee57aa86f032494f456fe4c2094 |
memory/4988-108-0x00007FF7999C0000-0x00007FF799D14000-memory.dmp
memory/3212-107-0x00007FF6AD330000-0x00007FF6AD684000-memory.dmp
memory/3288-102-0x00007FF673E20000-0x00007FF674174000-memory.dmp
C:\Windows\System\uiqXnXH.exe
| MD5 | dd267a146e29603140d2e8ac2491dabe |
| SHA1 | 3c293eb6ceac6ab7f81af2f0444867cf20c16e91 |
| SHA256 | cbec0599ad45197ef2855749706f016b0451452466d4d99b8d83900ec36d1688 |
| SHA512 | bdd33fa0c762ec7866ddb9e62bcee85ac550bb01e14a4c752a60807e2cb94167924ec7d396f8d1c5862e789da4d0ca12bc3bd9728c04f81abe2aca17ee2895a3 |
C:\Windows\System\wxsqWtz.exe
| MD5 | 4b5369b57964bf8ebef6254559085395 |
| SHA1 | 564771c99be621df7dbdd67c3f6c79492f9650b7 |
| SHA256 | 6de4e77f68710e0c02017020b45c66549e8e6cbcfb396ee06b3ad57b83bbe79e |
| SHA512 | 80a99aee3c4f6f46fcf4964f03c7127b9b234ab0b322a7cda948bc75ab8fa5e1b86db82cadcd950fd695245d4a49d3c8a0365e5b89a1066d781b71a8c58bf6a2 |
memory/1984-118-0x00007FF66E5C0000-0x00007FF66E914000-memory.dmp
C:\Windows\System\dMctXor.exe
| MD5 | 66c63e7ef1380dec549a87065447a246 |
| SHA1 | 57ddcffaf5ba90e920642b0602fd275528fe67cd |
| SHA256 | d4bd23491a647941ebc31534d070c5527f50c5950ca58d9d7783a856722e42eb |
| SHA512 | 8448dd050b1c41fb3f2f4015408cda96fca848427b6576996d33b181ac541a33a602d001b2c4e31d2534138e42b7622802fb2faf406c726299df1ca40fa41b5d |
C:\Windows\System\aeeSGPl.exe
| MD5 | af347fc4e6cf1b880ab08a5b01efccff |
| SHA1 | 2b288ff0c3640b7fd55436f2a2a16fad787fa418 |
| SHA256 | cc98abf5305abcf14a6f3914db1e4af6cfb61db11a277244db4d122c6e5d0808 |
| SHA512 | 5787cf3bcffd6a06d9b4cf8f0b8fc0f621f2e4f9d2b02738cd5d76a6bafd800b7b0800ac2d3226cdf7f808e3ae4992baa8b4fde72bda8ccf3efe7d66753cc059 |
memory/2284-132-0x00007FF683170000-0x00007FF6834C4000-memory.dmp
memory/2360-133-0x00007FF71F420000-0x00007FF71F774000-memory.dmp
C:\Windows\System\MCrUMzw.exe
| MD5 | 6346b534a40ee4c329e4059e42e9a5bb |
| SHA1 | e9e357bb87b2f125df3a01a16e278f6d81782af1 |
| SHA256 | f5876b0e9652fc50bee4ae5ded8ae840d776ed5aafde9354f586b77a76d24d38 |
| SHA512 | a0035da8310c5696b1d09fa72fc83d67ba01fbc3ef5fe9e34040a4abde3d22cf0a86b09ddec3c5ce32c3c81f76cc7b03da3e0c5c5564ea88937aaf136e75db76 |