Analysis Overview
SHA256
5845551224007c22914672f9a41dbca30e82d88a1cc64b3fcf76ce629830e7a4
Threat Level: Known bad
The file 2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike was found to be: Known bad. Two families are tagged. The Cobalt Strike tag rests on memory-signature hits only (Cobalt Strike reflective loader, reflective DLL injection artifacts); no beacon configuration, named pipe or C2 profile is recorded anywhere in this report, so read it as a loader-signature match rather than a confirmed beacon. The XMRig tag is corroborated by behaviour: the miner payload signature fires in both detonations and the sample itself requests SeLockMemoryPrivilege, the right XMRig needs for large-page allocation.
Malicious Activity Summary
UPX dump on OEP (original entry point)
XMRig Miner payload
xmrig
Detects Reflective DLL injection artifacts
Cobaltstrike family
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-29 22:53
Signatures
Cobalt Strike reflective loader
1 hit recorded; Description, Indicator, Process and Target are N/A.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 hit recorded; Description, Indicator, Process and Target are N/A.
UPX dump on OEP (original entry point)
1 hit recorded; Description, Indicator, Process and Target are N/A.
XMRig Miner payload
1 hit recorded; Description, Indicator, Process and Target are N/A.
Xmrig family
UPX packed file
1 hit recorded; Description, Indicator, Process and Target are N/A.
Unsigned PE
1 hit recorded; Description, Indicator, Process and Target are N/A.
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 22:53
Reported
2024-05-29 22:56
Platform
win7-20240221-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits recorded; Description, Indicator, Process and Target are N/A for every hit.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits recorded; Description, Indicator, Process and Target are N/A for every hit.
UPX dump on OEP (original entry point)
54 hits recorded; Description, Indicator, Process and Target are N/A for every hit.
XMRig Miner payload
56 hits recorded; Description, Indicator, Process and Target are N/A for every hit.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\eeWvFQS.exe | N/A |
| N/A | N/A | C:\Windows\System\XbjYyFq.exe | N/A |
| N/A | N/A | C:\Windows\System\chWvwtP.exe | N/A |
| N/A | N/A | C:\Windows\System\isVNqop.exe | N/A |
| N/A | N/A | C:\Windows\System\etCdboC.exe | N/A |
| N/A | N/A | C:\Windows\System\TypySei.exe | N/A |
| N/A | N/A | C:\Windows\System\BOwKsWC.exe | N/A |
| N/A | N/A | C:\Windows\System\GcEgKcJ.exe | N/A |
| N/A | N/A | C:\Windows\System\dvktIcv.exe | N/A |
| N/A | N/A | C:\Windows\System\MhAycUo.exe | N/A |
| N/A | N/A | C:\Windows\System\tXZwquF.exe | N/A |
| N/A | N/A | C:\Windows\System\BqKGLyy.exe | N/A |
| N/A | N/A | C:\Windows\System\YhgKXqs.exe | N/A |
| N/A | N/A | C:\Windows\System\DOVLnsU.exe | N/A |
| N/A | N/A | C:\Windows\System\BgJAAiP.exe | N/A |
| N/A | N/A | C:\Windows\System\lfpnYst.exe | N/A |
| N/A | N/A | C:\Windows\System\WnqUqry.exe | N/A |
| N/A | N/A | C:\Windows\System\yPlXNSa.exe | N/A |
| N/A | N/A | C:\Windows\System\bhFDRQz.exe | N/A |
| N/A | N/A | C:\Windows\System\PZAkaCh.exe | N/A |
| N/A | N/A | C:\Windows\System\VaEtSTq.exe | N/A |
Loads dropped DLL
UPX packed file
55 hits recorded; Description, Indicator, Process and Target are N/A for every hit.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe | N/A |
SeLockMemoryPrivilege is the user right required for large-page allocations (VirtualAlloc with MEM_LARGE_PAGES). XMRig enables it through AdjustTokenPrivileges so that its RandomX dataset can be backed by huge pages; an unsigned binary in %TEMP% enabling this right is a strong miner indicator on its own. Note that the process enabling it here is the submitted sample, not one of the dropped executables.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\eeWvFQS.exe
C:\Windows\System\eeWvFQS.exe
C:\Windows\System\XbjYyFq.exe
C:\Windows\System\XbjYyFq.exe
C:\Windows\System\chWvwtP.exe
C:\Windows\System\chWvwtP.exe
C:\Windows\System\isVNqop.exe
C:\Windows\System\isVNqop.exe
C:\Windows\System\etCdboC.exe
C:\Windows\System\etCdboC.exe
C:\Windows\System\TypySei.exe
C:\Windows\System\TypySei.exe
C:\Windows\System\BOwKsWC.exe
C:\Windows\System\BOwKsWC.exe
C:\Windows\System\GcEgKcJ.exe
C:\Windows\System\GcEgKcJ.exe
C:\Windows\System\dvktIcv.exe
C:\Windows\System\dvktIcv.exe
C:\Windows\System\MhAycUo.exe
C:\Windows\System\MhAycUo.exe
C:\Windows\System\tXZwquF.exe
C:\Windows\System\tXZwquF.exe
C:\Windows\System\BqKGLyy.exe
C:\Windows\System\BqKGLyy.exe
C:\Windows\System\YhgKXqs.exe
C:\Windows\System\YhgKXqs.exe
C:\Windows\System\DOVLnsU.exe
C:\Windows\System\DOVLnsU.exe
C:\Windows\System\BgJAAiP.exe
C:\Windows\System\BgJAAiP.exe
C:\Windows\System\lfpnYst.exe
C:\Windows\System\lfpnYst.exe
C:\Windows\System\WnqUqry.exe
C:\Windows\System\WnqUqry.exe
C:\Windows\System\yPlXNSa.exe
C:\Windows\System\yPlXNSa.exe
C:\Windows\System\bhFDRQz.exe
C:\Windows\System\bhFDRQz.exe
C:\Windows\System\PZAkaCh.exe
C:\Windows\System\PZAkaCh.exe
C:\Windows\System\VaEtSTq.exe
C:\Windows\System\VaEtSTq.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2740-0-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2740-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\eeWvFQS.exe
| MD5 | 3fb3053495fdff2872578292412ffd6a |
| SHA1 | e55297d2803a821080b75b983e393438c2ab7295 |
| SHA256 | c28f22edc13c216d8947d975bcddc135ad8586b3ed35202fb02c3d567d152b29 |
| SHA512 | d232baccaa4ce418f8e24807aac63fef65792f13b03e13bf2797a580f9d59a7e98477c083bb2185bdcee17d2fa5880132f8e6f67149991cc41b318b42ecb7772 |
memory/2740-6-0x000000013F050000-0x000000013F3A4000-memory.dmp
C:\Windows\system\XbjYyFq.exe
| MD5 | 141f20cbdd48deb52beb176e72c08b4f |
| SHA1 | fb01ca9a06f782331dad2dd2a922d675a65b218f |
| SHA256 | f6c59ed3507ede456c94412561d92929abf9e040ef2f1b705051abf47e2d279b |
| SHA512 | cf8accb1c7937dacb6b220f138f54dad8430110ded1e39a0770a4fb6c4ed60905ec6b20f3eeb7378162a4609e84eb31c6a1437c5dce357261cbfa7c1b731d732 |
memory/2196-14-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2740-12-0x0000000002370000-0x00000000026C4000-memory.dmp
memory/2112-16-0x000000013FF30000-0x0000000140284000-memory.dmp
C:\Windows\system\chWvwtP.exe
| MD5 | da429fcfbe8187f84833680805884ab1 |
| SHA1 | f12505f61ea244f824e3a5ecd2edce4808cb71fb |
| SHA256 | eabd79705a492657731a6a57b11f9f9c34d33d5bee02a478c25fa85743127ac6 |
| SHA512 | b761df70ef3dbd61f5b6468213542c48f302ce713a2f6a6529e4b1f46958ac4429862137459bdeb160087edc95112a8c814a7329a117e8e0ba93c3c42ab9620d |
C:\Windows\system\isVNqop.exe
| MD5 | daed953314233b872f9ff6a3057e3b64 |
| SHA1 | 2b57d29c95309f31b0efc52032acb859d039f165 |
| SHA256 | 3724a2a5a7def7b448d741c3cbeef495f1bb2e29fb8cb6e65e8b7bff2e367b38 |
| SHA512 | a6cc215776e5d8c227ca0948526e6adb1d8c68097cfa02ef06bba80889b420738e9b5976b8e8d76520790193ea39af061abca449972a6c8d060afdf147051703 |
C:\Windows\system\TypySei.exe
| MD5 | 4a7577e2f323f252eaecf44217912db8 |
| SHA1 | 76526bf63d399f1e2487476ee2d7c9d1209b9c52 |
| SHA256 | 33c44c359cdcc6f79b7b5bf7fcec22485b5f0dce4c6e26ee1d80d2d500641ccc |
| SHA512 | 395bd1a5d6d443344bfbde59ec3385acbe914a719a7257d7221188194e63b5a2061dd5550a5fca831fa14444fcdc330c4f7f72868233bf9857e525a1bd889d0f |
memory/2740-40-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2160-29-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2644-42-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2636-41-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2740-37-0x000000013F390000-0x000000013F6E4000-memory.dmp
C:\Windows\system\etCdboC.exe
| MD5 | c27072dc7c4f575d83d2597b689337d9 |
| SHA1 | c8d19db4806e973b5811d87fc431febf2c312f7b |
| SHA256 | 96e61368f2d8e8468727da1b2754b176f3ba9fa79fc40cb953f4e6e9125c6360 |
| SHA512 | 51689eb498946efb6b80fa1f9f9da203cabc3f117bdc3abb87624e345559aca9aafdf95abbaf18177d0d440d3146b6097d2b9a861710a8320e18eadf8ed25c5b |
memory/2580-33-0x000000013FD80000-0x00000001400D4000-memory.dmp
C:\Windows\system\BOwKsWC.exe
| MD5 | bd24fc52679fbc91c78e9390408a6769 |
| SHA1 | 97af6e774630dd07766351e2ce1ed6354b048eb2 |
| SHA256 | cf0b8d1603e5e703971ffaef036fe07157a980603bd22441bcb35cd4cdae8340 |
| SHA512 | 4bc9457f5ff2783bf7f121eea237d3f2b8b90db9072c62b1c26ccf5ca05c52951ffe327b709f91f3a2c97775eeeb35405febca3f1d17baebf0c036a01e110159 |
memory/2740-48-0x0000000002370000-0x00000000026C4000-memory.dmp
\Windows\system\GcEgKcJ.exe
| MD5 | 1dabf39dd8bc322208f22dc103747ef9 |
| SHA1 | c804737f2bdc254f1f434b6391cd8ea06d782b21 |
| SHA256 | ca3999dd6e45206f8cba8658f72eb26d8c2a19bbbd6413f6922ff58a6e3a2da9 |
| SHA512 | 131ea41b3e009c1f9bffd1659fc6ab66958c9cfaf8b22af3ac6d0da279ed8fdb2097c18f4411665e9c2e7f2fa3f0da4a06bf6b5b7169146bc90e4f342fcb0a1d |
memory/2740-55-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2552-56-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2476-49-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2740-62-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2504-63-0x000000013FAF0000-0x000000013FE44000-memory.dmp
C:\Windows\system\dvktIcv.exe
| MD5 | 40fe0046010825c090becf3ac257e742 |
| SHA1 | 1b26f219f9f20f028aa5236ccb4f268091f73154 |
| SHA256 | 45851780344c485f9cc913564f7b2ea33febbf705d65c3bebf7af5920162d5d8 |
| SHA512 | d6479c8d9df9685bad18ade17d501486483db0f201fa865680b93dca6b70488f2c5e406591cbae9438790222b07598b619cb622af121cd56ab49c0a9d55e844a |
C:\Windows\system\tXZwquF.exe
| MD5 | f756387f9cc4381abdc05674655e4a6a |
| SHA1 | 095f5ec3db913b33c4eeca624910796ff59e19e6 |
| SHA256 | 2612f046d90a199853fa7235fc4a695d7841b3e5beee249ca8adcdcb124393c0 |
| SHA512 | bd0a6be0b9c211ee95c8a1117f46da32f177c98a05503f5108036ae60c8b9679ac393f06504ddaeb1fb918e1f65dd788cb73ddd935ba846d1d945e2f5c8ee5bb |
memory/2956-78-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2704-85-0x000000013F530000-0x000000013F884000-memory.dmp
memory/2740-82-0x000000013F530000-0x000000013F884000-memory.dmp
\Windows\system\BgJAAiP.exe
| MD5 | e192019364cf0e49d117704eafdaac94 |
| SHA1 | 514a8770e135f592170f9f76c970da42e2106438 |
| SHA256 | c31950acfc7d6df51184bee47b8e17001adce5a7154599aa229e633c1b0835e8 |
| SHA512 | ff18e741981cf2e48eaf8998c476e80826fb0fb5f63d512ccbeccc54605c4f67f6409afe44b73ed077a40c2be228ba0b77bd41a8e7a5dab948465fadf31416df |
C:\Windows\system\YhgKXqs.exe
| MD5 | 7feefea09010d1dca6776dc14ccf614a |
| SHA1 | a939a05fd7eadcb6d5114d510ebd84c019d91c42 |
| SHA256 | e7b01ae26180d668fc63966de249098983ae2f37197902078329d945c8ed9c0b |
| SHA512 | 2588b7f7a9b603d262ce958afdff97ae28d0919fe277fe57cca36c3728f1555a3c46621cef48b178494502925fbdfe16f71448b36dae101c5f98c05652544c93 |
C:\Windows\system\lfpnYst.exe
| MD5 | 6a6bea7524e87d6388febb1a6c8bbd8f |
| SHA1 | 58866849d58367ce76bb1a2d72725b85295c44a7 |
| SHA256 | d73464ba0712d83f487497b6b678d7e33b993f351e00512c6c766ad8ef0943f6 |
| SHA512 | 83162b174a713941f38743a1bbb30c98a2d95505b7fa71a933baec712a664b0b482dff4cb252e7c20456aac83ed438d918f8dd8195e9739cdecb46c2b716978c |
C:\Windows\system\yPlXNSa.exe
| MD5 | 2d15922da46d9259e8983b8575b8c402 |
| SHA1 | 027448b12a8e83c21ad347d7846e868a66461e0f |
| SHA256 | 899974a77d88ef55bd0f846a23c884bbced34569fb0d811f2da91d3a7a417a6b |
| SHA512 | 83374bb5d4ea80ed447038e43fc845ed362b0b59b4d36a2e03681d9589a31d52a737c9e2e234ce2e744045b5fe2e83147010ef445ba5b26a25c11da1406ade31 |
C:\Windows\system\PZAkaCh.exe
| MD5 | 9731ecc4a2b27273a67c8e84b2caa240 |
| SHA1 | 0a221cc5a066cad53f1baa56503968962019cd15 |
| SHA256 | 6993e73b9fd7daffa92cb818c5a734f1bba52d617340f4bb9b684a8b61404137 |
| SHA512 | 7dd4fa5b9d02e44932cf4078c891520bed881f3ec1fe4ca07fa519a260e68a70c3d501a33972f8eca1c80b0c717e33cf130d8b1b668b6512654c47a15d72d558 |
\Windows\system\VaEtSTq.exe
| MD5 | 08b83c1988b1744b76a353603cea4e3b |
| SHA1 | a730601abe644f119889dc76800c8ce4f0d95c1f |
| SHA256 | d6280250e27bfa718bde70c26064260015f970550516981f238b375f189ebf38 |
| SHA512 | c74bb059c31cc0b854764455ee05dff8ddfa58242d6558974d15009ad20cf5d6242d095ded26bd40042ed6de40db9775e3a617d87831f026bcf77ecd9d30ee52 |
C:\Windows\system\bhFDRQz.exe
| MD5 | cf9b6c82fea5ee0cc31333ab4341f40f |
| SHA1 | e17fa30140513e63acb788fa4dd865400d3681ab |
| SHA256 | ae1e0b8eaecd3e75e674de9abdee951265e02b2873eb0bd0f0ec18071c947146 |
| SHA512 | d434a9ae43f201ec63448f38c2a7a8c1441deea660786e916219752ab8000a431e5fb1d14e2c5ef6b84aebc7e53d93a4caf262fff63e33315fe2eec869a3ffcb |
C:\Windows\system\WnqUqry.exe
| MD5 | 2667284e899a71998e4569e7ee74631a |
| SHA1 | c91431464e10c1e8b96aeeb581fe822c0bc3272e |
| SHA256 | cbf57ef1dafd11c6ec6990b638fa063a8dd458042a6009f5c8deb622f986085c |
| SHA512 | 9d68b6dad202278f8ec486c125a70a997c923e737ca7fdef48ed834056d5bc7ea6e1dcac99304274e8e6de75c0974a7c0060e4dbb92cb13ad3a2be13d3e2a6b8 |
memory/2812-100-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2740-99-0x0000000002370000-0x00000000026C4000-memory.dmp
memory/2764-98-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2580-97-0x000000013FD80000-0x00000001400D4000-memory.dmp
C:\Windows\system\DOVLnsU.exe
| MD5 | 2a88ed449a99b2697eb296f4379b8cf2 |
| SHA1 | 9787450999467ae57ad9519cba476d94450fc21e |
| SHA256 | 1011638aff4e13c36b7631220af1472cea2e95a91e7627231ca05ec2da426a48 |
| SHA512 | a1cbd7c0cf6f855b783886b1d11d4fb3d63b6d9184b350c3db299b1382455fb9f41e68a94956f0b23fa5cae9bdf0ae9a3b2b0ec1c5e8e0642955818f2164b530 |
memory/2740-95-0x0000000002370000-0x00000000026C4000-memory.dmp
memory/2112-94-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/2968-81-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2740-80-0x000000013F880000-0x000000013FBD4000-memory.dmp
C:\Windows\system\BqKGLyy.exe
| MD5 | 623c859fbfd13d1be1d5aa8606dd4eeb |
| SHA1 | fff601208c4d6dcf70f372dc7adff39965cbdb01 |
| SHA256 | 489c67fc4fcdae4492371bf04df0d01268f19a0ba26c147773f68c13ffc204f0 |
| SHA512 | 690e256f20bb321e32c3927eb9f0bfa27dcc7e184ae1bc56d9314c95ed3434e8af17f5857f95f96fff4a780f8cd40e6e69a85a152eafb2c577abec30c06230fd |
C:\Windows\system\MhAycUo.exe
| MD5 | deb7fd63fd425b7db87a5975eca26846 |
| SHA1 | a2726743a3099af24080bdf6cf7463415630cb1d |
| SHA256 | 39631006e6931f60d85fdb60a4dd7c87cbd65d22e980bf8378318e242a0aafb9 |
| SHA512 | e2720e2734e850dd3a7f086e65178fb10d29672ca98dbb385d92164877ce30ce225d733ec523f6a75006a365c9a363f18e9ce47fe6b74c1859e0297b77555899 |
memory/2740-134-0x0000000002370000-0x00000000026C4000-memory.dmp
memory/2740-135-0x000000013F530000-0x000000013F884000-memory.dmp
memory/2812-136-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2196-137-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2112-138-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/2160-139-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2580-140-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2644-141-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2636-142-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2476-143-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2552-144-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2504-145-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2956-146-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2968-147-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2704-148-0x000000013F530000-0x000000013F884000-memory.dmp
memory/2764-149-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2812-150-0x000000013FE00000-0x0000000140154000-memory.dmp
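The memory-dump names listed above encode the PID, a sequence number and the dumped address range, so they can be parsed and compared across processes. The following is an added worked check (example code, not part of the report or of the sandbox's own tooling). The dump names are copied from the Files sections of this report; the 1 MiB size threshold, the 4 GiB "image floor" and the reading of PID 2740 (which produced dump 0) as the submitted sample are assumptions made for the example.

```python
import re
from collections import defaultdict

# Dump names copied from this report. Windows 7 run: PID 2740 is taken to be the
# submitted sample (assumption: it produced dump 0), the other PIDs are dropped
# executables. Windows 10 run: PIDs 800 and 2324.
DUMP_NAMES = [
    "memory/2740-0-0x000000013FE30000-0x0000000140184000-memory.dmp",
    "memory/2740-1-0x0000000000080000-0x0000000000090000-memory.dmp",
    "memory/2740-6-0x000000013F050000-0x000000013F3A4000-memory.dmp",
    "memory/2196-14-0x000000013F050000-0x000000013F3A4000-memory.dmp",
    "memory/2740-12-0x0000000002370000-0x00000000026C4000-memory.dmp",
    "memory/2112-16-0x000000013FF30000-0x0000000140284000-memory.dmp",
    "memory/2740-40-0x000000013F4E0000-0x000000013F834000-memory.dmp",
    "memory/2644-42-0x000000013F390000-0x000000013F6E4000-memory.dmp",
    "memory/2636-41-0x000000013F4E0000-0x000000013F834000-memory.dmp",
    "memory/2740-37-0x000000013F390000-0x000000013F6E4000-memory.dmp",
    "memory/2740-55-0x000000013F550000-0x000000013F8A4000-memory.dmp",
    "memory/2552-56-0x000000013F550000-0x000000013F8A4000-memory.dmp",
    "memory/2704-85-0x000000013F530000-0x000000013F884000-memory.dmp",
    "memory/2740-82-0x000000013F530000-0x000000013F884000-memory.dmp",
    "memory/2968-81-0x000000013F880000-0x000000013FBD4000-memory.dmp",
    "memory/2740-80-0x000000013F880000-0x000000013FBD4000-memory.dmp",
    "memory/800-0-0x00007FF66B740000-0x00007FF66BA94000-memory.dmp",
    "memory/800-1-0x0000022E58960000-0x0000022E58970000-memory.dmp",
    "memory/2324-16-0x00007FF77F7F0000-0x00007FF77FB44000-memory.dmp",
]

# memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
LARGE_REGION = 0x10_0000           # 1 MiB: separates image-sized dumps from the 64 KiB heap/stack dumps
IMAGE_SPACE_FLOOR = 0x1_0000_0000  # assumption: on these 64-bit runs every PE image is mapped above 4 GiB


def parse_dump_name(name):
    """Return (pid, seq, start, end) for a dump file name, or None for any other line."""
    m = DUMP_RE.match(name)
    if m is None:
        return None
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def regions_by_pid(names):
    """Group dumped regions as {pid: [(start, size), ...]}, keeping report order."""
    grouped = defaultdict(list)
    for name in names:
        parsed = parse_dump_name(name)
        if parsed is not None:
            pid, _, start, end = parsed
            grouped[pid].append((start, end - start))
    return dict(grouped)


def large_regions(names):
    """Flatten to (pid, start, size) for every image-sized region."""
    return [(pid, start, size) for pid, regions in regions_by_pid(names).items()
            for start, size in regions if size >= LARGE_REGION]


def common_image_size(names):
    """The one size shared by all large regions, or None if they differ."""
    sizes = {size for _, _, size in large_regions(names)}
    return next(iter(sizes)) if len(sizes) == 1 else None


def large_regions_outside_image_space(names):
    """Large regions below the image floor: under the heuristic above, not mapped images."""
    return [(pid, start, size) for pid, start, size in large_regions(names) if start < IMAGE_SPACE_FLOOR]


def shared_region_starts(names):
    """Addresses at which more than one PID has a large region dumped: {start: [pids]}."""
    pids_at = defaultdict(list)
    for pid, start, _ in large_regions(names):
        if pid not in pids_at[start]:
            pids_at[start].append(pid)
    return {start: pids for start, pids in pids_at.items() if len(pids) > 1}


if __name__ == "__main__":
    print(f"{len(regions_by_pid(DUMP_NAMES))} PIDs; common image size {common_image_size(DUMP_NAMES):#x}")
    for pid, start, size in large_regions_outside_image_space(DUMP_NAMES):
        print(f"PID {pid}: {size:#x} bytes at {start:#x}, below the image floor")
    for start, pids in shared_region_starts(DUMP_NAMES).items():
        print(f"{start:#x}: dumped from PIDs {pids}")
```

Run over the names above it reports one common size, 0x354000 bytes, for every image-sized region in both detonations, although the 21 dropped files all carry different hashes; one 0x354000-byte region in PID 2740 at 0x2370000 that is not an image mapping under the floor heuristic; and six addresses (0x13F050000, 0x13F4E0000, 0x13F390000, 0x13F550000, 0x13F530000, 0x13F880000) dumped both from PID 2740 and from exactly one child each. Together with the WriteProcessMemory signature, that pattern is consistent with the parent writing the same payload into each dropped process. It also means the file hashes of the drops are the weakest indicator on this page; the drop path, the privilege request and the network destination are the ones to key on.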
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 22:53
Reported
2024-05-29 22:56
Platform
win10v2004-20240426-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits recorded; Description, Indicator, Process and Target are N/A for every hit.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits recorded; Description, Indicator, Process and Target are N/A for every hit.
UPX dump on OEP (original entry point)
64 hits recorded; Description, Indicator, Process and Target are N/A for every hit.
XMRig Miner payload
64 hits recorded; Description, Indicator, Process and Target are N/A for every hit.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\krSGiRD.exe | N/A |
| N/A | N/A | C:\Windows\System\EtXgCXU.exe | N/A |
| N/A | N/A | C:\Windows\System\mRhFWOV.exe | N/A |
| N/A | N/A | C:\Windows\System\rslqYsU.exe | N/A |
| N/A | N/A | C:\Windows\System\KDoTSvr.exe | N/A |
| N/A | N/A | C:\Windows\System\gZyZulG.exe | N/A |
| N/A | N/A | C:\Windows\System\VcrWdCU.exe | N/A |
| N/A | N/A | C:\Windows\System\ryaYEpI.exe | N/A |
| N/A | N/A | C:\Windows\System\riaPudu.exe | N/A |
| N/A | N/A | C:\Windows\System\ZITXdUr.exe | N/A |
| N/A | N/A | C:\Windows\System\lDlmYcv.exe | N/A |
| N/A | N/A | C:\Windows\System\BiBeXGX.exe | N/A |
| N/A | N/A | C:\Windows\System\dyMiTBY.exe | N/A |
| N/A | N/A | C:\Windows\System\HggUHDx.exe | N/A |
| N/A | N/A | C:\Windows\System\zkevyLa.exe | N/A |
| N/A | N/A | C:\Windows\System\EiKvvCy.exe | N/A |
| N/A | N/A | C:\Windows\System\DwCuqhJ.exe | N/A |
| N/A | N/A | C:\Windows\System\sIvedIt.exe | N/A |
| N/A | N/A | C:\Windows\System\yxxcGBp.exe | N/A |
| N/A | N/A | C:\Windows\System\tuPsLvq.exe | N/A |
| N/A | N/A | C:\Windows\System\sNUfZpf.exe | N/A |
UPX packed file
64 hits recorded; Description, Indicator, Process and Target are N/A for every hit.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\krSGiRD.exe
C:\Windows\System\krSGiRD.exe
C:\Windows\System\EtXgCXU.exe
C:\Windows\System\EtXgCXU.exe
C:\Windows\System\mRhFWOV.exe
C:\Windows\System\mRhFWOV.exe
C:\Windows\System\rslqYsU.exe
C:\Windows\System\rslqYsU.exe
C:\Windows\System\KDoTSvr.exe
C:\Windows\System\KDoTSvr.exe
C:\Windows\System\gZyZulG.exe
C:\Windows\System\gZyZulG.exe
C:\Windows\System\VcrWdCU.exe
C:\Windows\System\VcrWdCU.exe
C:\Windows\System\ryaYEpI.exe
C:\Windows\System\ryaYEpI.exe
C:\Windows\System\ZITXdUr.exe
C:\Windows\System\ZITXdUr.exe
C:\Windows\System\riaPudu.exe
C:\Windows\System\riaPudu.exe
C:\Windows\System\lDlmYcv.exe
C:\Windows\System\lDlmYcv.exe
C:\Windows\System\BiBeXGX.exe
C:\Windows\System\BiBeXGX.exe
C:\Windows\System\dyMiTBY.exe
C:\Windows\System\dyMiTBY.exe
C:\Windows\System\HggUHDx.exe
C:\Windows\System\HggUHDx.exe
C:\Windows\System\zkevyLa.exe
C:\Windows\System\zkevyLa.exe
C:\Windows\System\EiKvvCy.exe
C:\Windows\System\EiKvvCy.exe
C:\Windows\System\DwCuqhJ.exe
C:\Windows\System\DwCuqhJ.exe
C:\Windows\System\sIvedIt.exe
C:\Windows\System\sIvedIt.exe
C:\Windows\System\yxxcGBp.exe
C:\Windows\System\yxxcGBp.exe
C:\Windows\System\tuPsLvq.exe
C:\Windows\System\tuPsLvq.exe
C:\Windows\System\sNUfZpf.exe
C:\Windows\System\sNUfZpf.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
The in-addr.arpa entries are PTR (reverse) lookups sent to 8.8.8.8; read back to front they ask for the names of 8.8.8.8, 20.72.205.209, 93.184.221.240, 40.126.31.73, 192.229.221.95, 52.140.118.28, 52.183.220.149, 13.85.23.86, 20.3.187.198, 199.232.210.172 and 52.111.243.29, none of which is contacted anywhere else in the report. They do not occur in the Windows 7 run, and the report does not record which process issued them, so they cannot be attributed to the sample from this page alone. The one non-DNS destination, common to both runs, is 3.120.209.58:8080 over TCP (six connections here, six on Windows 7) with no domain associated with it.
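As an added example (not part of the sandbox report), the following Python turns the indicators recorded in both detonations into checks and runs them over a constructed log. It flags executables launched from C:\Windows\System with seven-letter names, the SeLockMemoryPrivilege request, and connections or reverse lookups that point at 3.120.209.58:8080, and it decodes in-addr.arpa names the way the table above has to be read. The key=value log format is an assumption loosely modelled on Sysmon event fields, the short path sample.exe stands in for the submitted file name, and the PTR query for 3.120.209.58 is invented to exercise that branch; the destination address, the drop-directory pattern and the privilege name come from the report.

```python
import re

# Indicators taken from this report (both detonations).
C2_DESTINATIONS = {("3.120.209.58", 8080)}
C2_IPS = {ip for ip, _ in C2_DESTINATIONS}
# Every dropped executable is a seven-letter mixed-case name directly under C:\Windows\System.
DROPPED_IMAGE_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
MINER_PRIVILEGE = "SeLockMemoryPrivilege"
PTR_SUFFIX = ".in-addr.arpa"


def parse_event(line):
    """Parse a 'Key=Value Key=Value' line (constructed format; values contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def ptr_name_to_ip(name):
    """Decode a reverse-lookup name, e.g. 209.205.72.20.in-addr.arpa -> 20.72.205.209."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def evaluate(event):
    """Return the report-derived indicators matched by one parsed event."""
    hits = []
    kind = event.get("Event")
    if kind == "ProcessCreate" and DROPPED_IMAGE_RE.match(event.get("Image", "")):
        hits.append("executable launched from C:\\Windows\\System with a 7-letter random name")
    elif kind == "PrivilegeAdjust" and event.get("Privilege") == MINER_PRIVILEGE:
        hits.append("SeLockMemoryPrivilege enabled (large-page allocation, as XMRig does for RandomX)")
    elif kind == "NetworkConnect":
        dest = (event.get("DestinationIp"), int(event.get("DestinationPort", "0")))
        if dest in C2_DESTINATIONS:
            hits.append(f"connection to report destination {dest[0]}:{dest[1]}")
    elif kind == "DnsQuery":
        ip = ptr_name_to_ip(event.get("QueryName", ""))
        if ip in C2_IPS:
            hits.append(f"reverse lookup of report destination {ip}")
    return hits


def triage(lines):
    """Evaluate every line; return [(line_number, hits)] for the lines that matched."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = evaluate(parse_event(line))
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample log modelled on the Processes, Signatures and Network tables of this report.
# sample.exe stands in for the submitted file name; line 6 is invented to exercise the PTR branch.
SAMPLE_LOG = [
    "Event=ProcessCreate Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe ParentImage=C:\\Windows\\explorer.exe",
    "Event=PrivilegeAdjust Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe Privilege=SeLockMemoryPrivilege",
    "Event=ProcessCreate Image=C:\\Windows\\System\\eeWvFQS.exe ParentImage=C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe",
    "Event=ProcessCreate Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe",
    "Event=DnsQuery QueryName=209.205.72.20.in-addr.arpa",
    "Event=DnsQuery QueryName=58.209.120.3.in-addr.arpa",
    "Event=NetworkConnect Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe DestinationIp=3.120.209.58 DestinationPort=8080",
    "Event=NetworkConnect Image=C:\\Windows\\System32\\svchost.exe DestinationIp=20.72.205.209 DestinationPort=443",
]

if __name__ == "__main__":
    for number, hits in triage(SAMPLE_LOG):
        print(f"line {number}: " + "; ".join(hits))
```

The path check is deliberately narrow: C:\Windows\System (not System32) is the legacy 16-bit directory and holds almost nothing on a 64-bit install, so a freshly written seven-letter .exe there is anomalous regardless of its hash, which matters because every drop on this page has a different hash.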
Files
memory/800-0-0x00007FF66B740000-0x00007FF66BA94000-memory.dmp
memory/800-1-0x0000022E58960000-0x0000022E58970000-memory.dmp
C:\Windows\System\krSGiRD.exe
| MD5 | eaae17063a78df5a110860dc4be9ea14 |
| SHA1 | 8795f47989bdee85ee5e773d917aac845e29d1ea |
| SHA256 | 05304caf8af7ce111312d37cddcfd391c42265688360659fa98bc7ccdf08231c |
| SHA512 | a7e7f9134504ae2995d8c05dc62d9bf221063eaffcef075460de3508fa6c53e461298e500aa4093f681091cc256b5f3c8b62429f7245240a9e94ece9b4c361c1 |
C:\Windows\System\EtXgCXU.exe
| MD5 | 8cf6a54198b2960bec18c9987b2e42a1 |
| SHA1 | 60820d39912186dfdc034a4cb7d2984cabf4e94e |
| SHA256 | f5aaec7e231c8da0dbe16437cfbe1c9a51c6f14f831bb1730592567400e23d3a |
| SHA512 | 7308fe12b3a2c84133c314b7c2d6125507d058490783c3f985f1f29e77af81ea8c4986a14e8fbb02fc6c1f818b7944c6ef06587169f87141085bbcb9f787a448 |
C:\Windows\System\mRhFWOV.exe
| MD5 | 9d12ff4ad78c692307f0ae3c8a00d53b |
| SHA1 | 71ae3ff075993c42b82608bf07f19166b4832b2f |
| SHA256 | 0c3b4cfcaf1764fce4f0e0d930185f1159ecc9482b4598bac3f8b547d5790587 |
| SHA512 | a59a42bc1214c49d05b8dbbf50b207f60de3f588ff35528f41c5d04018368e3989f12c17d80751f7207a07f64671ede54e45c0279b5e244fbfcfdd83760eec66 |
memory/2324-16-0x00007FF77F7F0000-0x00007FF77FB44000-memory.dmp
C:\Windows\System\KDoTSvr.exe
| MD5 | a5f003b7f4a84a1e8f56fcb82af02e82 |
| SHA1 | 9b884078f2ab582babe42163cfe8e34034aa687c |
| SHA256 | 213e977848fe4ffa6e76edb7817490e5cc4680ffbdcf1d176b8a7db0f099999e |
| SHA512 | 4e4354a0bf9c2bedba6f9f0bcae6d6aba6e916490e88bf91db509cc881e06474ca5c02d4a4912c73efbde2e3d7a536e5c0e97245a6071f88f3203568bb960d59 |
C:\Windows\System\gZyZulG.exe
| MD5 | 4258555f719880514b34bc3a7931be6d |
| SHA1 | 05b5554da4a2ffeb2603e5cec41932199a7405b2 |
| SHA256 | 27da0052a7419dacc44586e97ef56799d517ab54084afe9e34630d254638a9f7 |
| SHA512 | a1c58fb747c2aa494da79fc415292d9fd71208d8e720453c1d44d73878a5dd24b6981a0ad7d9db311f3fac42c91a2a5778f67fa2aa5d97bf4743e23553afc525 |
C:\Windows\System\ryaYEpI.exe
| MD5 | ad551564eb7b4c0d026913adf7b7c36b |
| SHA1 | 7bf31535dfe7bddc9c42c7589e64376e723453cd |
| SHA256 | 98e97cc279bc418ea7805e33087ae541d940695ac000498a68bb42131e0a7e50 |
| SHA512 | 04981e888939b0ab2842a36a39ed02dcc03856c7c21da639402082770b62eca2e2cc4d44a44cfbed97ee9d21a1cd2b6a67ff2fd7ab7294283a3a770786e23272 |
C:\Windows\System\VcrWdCU.exe
| MD5 | 8a6eb55dc6c0de67d9ae30bdd2c06b0e |
| SHA1 | e34b77cea091f0ff6b4281ce969456aeb22bbb64 |
| SHA256 | c656af932529cd746d3be0522b4ae75eaebd6fe5815b84ec70d1bbcf3bf50fb2 |
| SHA512 | 351135c7885534c667ab80dd2667ac241fd2714babd39ea76de3b772f39d916f65c879fdee09ccbbd8aa42e5f6f52f8c04d4e0fb24cd3857a022bc9a89e9ee41 |
memory/4972-50-0x00007FF696F40000-0x00007FF697294000-memory.dmp
C:\Windows\System\riaPudu.exe
| MD5 | d1dabe4d580377d4b71acc9935ce5b8c |
| SHA1 | a934a79ccbf59bbb25f2a7c6c152e3d49ee81fb7 |
| SHA256 | 6ebf87371f5da3f94d15965ad8993e190081e8998334249fad13cf2141b31c6d |
| SHA512 | cbcdada6d63b641b7f60ec113ba2e5d6234bf867af250c99c29a9029ad7ecb3d4782194df5514c6300a50db54ef23fcec12cdad1b2e9a7538244ac381a31ec49 |
memory/1284-48-0x00007FF7FADA0000-0x00007FF7FB0F4000-memory.dmp
memory/1980-44-0x00007FF6FF860000-0x00007FF6FFBB4000-memory.dmp
memory/3000-34-0x00007FF675520000-0x00007FF675874000-memory.dmp
C:\Windows\System\ZITXdUr.exe
| MD5 | 2bcf3432fc50472ac5eff0af6db82b97 |
| SHA1 | 392c4e975f1091e239ace297d7934b29b911f686 |
| SHA256 | 9f81443844c316a4710a2355760e24f19194b34a799c0e9cf6f224f404350e80 |
| SHA512 | 9d8e1c979de0254a65ac8dcfe95c1f665989057f6538f5ef0e3e6bef944954e43dbf57c2ef9ead8427ac8fcc0a2c297e20dba9d058c2936986cfd55f566e1406 |
memory/4820-67-0x00007FF7096C0000-0x00007FF709A14000-memory.dmp
memory/2564-70-0x00007FF7221D0000-0x00007FF722524000-memory.dmp
C:\Windows\System\dyMiTBY.exe
| MD5 | 1f641a1b83734e4c35649dac59bdfeb3 |
| SHA1 | 6b8c1361e8efe235c4536145785b4d538433f21b |
| SHA256 | 9f39a8c9ecd5bbc34519da194c1945c7cb9333703e825f5c1d67762271e1c6fa |
| SHA512 | c96fc517ecb7da8f44af484714624fab8420677d8786cfa4da0940854412d1399c5ee3d7397a3c6c0eba0aa99ed22c1e811d7802d512877b1f455b1e8dfa6c27 |
C:\Windows\System\zkevyLa.exe
| MD5 | 6083d3d8fe88875943471b8a9a322b7c |
| SHA1 | 9eee5808b08e4829509d896a63f092104751a95a |
| SHA256 | 046c407b7f00008c8baa3175dcb82acb5557fd28eedd344801b5799f6f24460e |
| SHA512 | e67bf70efa4b8e9f8f4c5498668e9c6d10f7e8796ea914141236fcbcd7d822c93295e5b99502e618c2f2fa208647e567c37d51a6aca7f1809823137578c32b02 |
memory/4188-90-0x00007FF74C250000-0x00007FF74C5A4000-memory.dmp
C:\Windows\System\HggUHDx.exe
| MD5 | 72d8121a6690c34b61a6c3a69aec3ca0 |
| SHA1 | bedfea511f539ba8b017562acfb46eea9498f14a |
| SHA256 | 5ae81e765f06b4b9892d834f9ed7c563335192757b52f973a6640a02bfa92177 |
| SHA512 | db8093788aa04e501655edf3f89556e7241c2413d752f69b09be4965aa44a2ddc1ed1ef3b5436071b3d870a07970c0e6218c46150257233e434e5f141f1c45fb |
C:\Windows\System\sNUfZpf.exe
| MD5 | 5563022841042a4d6e3cb27b59070100 |
| SHA1 | 72ceb781e954600d3510dd0e46213e41dc5ae7de |
| SHA256 | df962a114df5e2c18f99fa9bd3e4dce5fe4e625c977344dd237be0f575496337 |
| SHA512 | f3d4d9520752365e59a7c39ba3dec7fd5a1c8dca2a6fecfd47daa73cbea0b4fb71040efffef9add8e7224e84072e1263a95b44619b92a0b46bd64573e4b18edf |
C:\Windows\System\tuPsLvq.exe
| MD5 | 99e3acd9e6a5e0a195d2ba0576b31048 |
| SHA1 | b50bc729ce8b74b277a8ec3918835e63b370599b |
| SHA256 | b4f2c0f8b8c8610338f831aa64c8c7917c765b24998a667082e7f7ea7675f6ce |
| SHA512 | 092b67771d74f6b097f8ce18faa9502d539bbea58f98c3193b502c29be250053fae1fd3beeac867ead87937229067f139a774f122fd05d0d74386ad22d91720b |
C:\Windows\System\yxxcGBp.exe
| MD5 | 262d72f4269a7ad166e76e6ef8e28c12 |
| SHA1 | 6a88f64e3c39516de2b5cd0f1248fa9e24c674ea |
| SHA256 | 05fe371990b49384213c2c34ad5fdca7a2d968d2fd9031f19baaeff114cb118c |
| SHA512 | b9069cfa2ae433ed4fbd0980ca7aa87cba52e5fc0c292c0ca410ee43b126308bdeabfbb4370825fec4b048e75eac901b5761a86dce4c818556f983a500e16de9 |
C:\Windows\System\sIvedIt.exe
| MD5 | 845d33673794a82dab8139bdcebbb683 |
| SHA1 | 8aef4e39c0b30203f3b9efbd88410407ff8d73cc |
| SHA256 | b8f9f477915c0b7fef1dcd2a8f42306f9e84f90da8fb88adfeb8c2223a441835 |
| SHA512 | 17f1cc00adbd8950205d926492e5862376e90ebcc3cf82a95f90ad4b6587a58af311d711ed7cff82b9f31620cf1d5f32e4ac24e7a49da7e5669a40e24ab39ba5 |
C:\Windows\System\DwCuqhJ.exe
| MD5 | c8653bf5b6ea8df58dd82eee7b34b603 |
| SHA1 | e5affdb9aaec014317b5a153aba395fe52a73139 |
| SHA256 | 2dd5287416fe8abae0fdc2f124abf5d686f2aeee24e60de1ad793d4d26215e90 |
| SHA512 | 70932d8960d1cb71c4480f68c48b14f44ad4ed54dbc03f1770e84a00cfbee1b5ee3555fab2969c9bba47c2102d52d392fde4db97a6ef90c4d259457f813e7900 |
C:\Windows\System\EiKvvCy.exe
| MD5 | 605ef43b519627bb115ff6a6594ca143 |
| SHA1 | 204748e918185cc98a82e8d37bcfd192c84e9956 |
| SHA256 | 25c8d6c34d6d86ab076d5a2936fbe64af2dc601de10f5acfdaa728d33a537a91 |
| SHA512 | 4c49c4b32b8a28f6dd9e18776ecb9e340a3e05ad61beef110f3c7309b54eb8fb629b17a3dc372b4588e3a336aefa6528df0ce6e3aca42b850b277f370743f216 |
memory/1492-100-0x00007FF755CA0000-0x00007FF755FF4000-memory.dmp
memory/1440-94-0x00007FF7415D0000-0x00007FF741924000-memory.dmp
memory/1160-81-0x00007FF71B320000-0x00007FF71B674000-memory.dmp
memory/800-79-0x00007FF66B740000-0x00007FF66BA94000-memory.dmp
C:\Windows\System\lDlmYcv.exe
| MD5 | ec558317dc8aa44e0fc6e31ab4284565 |
| SHA1 | 70f512f9f53138c13a72b18314ca53033cc48a25 |
| SHA256 | 3c8475e96aeb4ab2e5a0df597f1582d48bce32661a829e5fb92b50a102ed67bc |
| SHA512 | 421cc86a5ac5ad79e0862d2263d663ead1143eb896539b36018c785b1cb517323097c0562fb163a90ccd7268bc3384f84962b0898b789b4c84b191bcd86120a5 |
C:\Windows\System\BiBeXGX.exe
| MD5 | 882198598fa4649b2abd601a5a6ec993 |
| SHA1 | 7afb5444e7f9fb71d4587f4890141d0fe8e96da4 |
| SHA256 | 7d98a6fc71ebdadd6301150aac5d160b0abf6b68c992037fbd70e20a6c5ab102 |
| SHA512 | 47178d0c53793ec824cd50ece6b5820c5789448a5494f8e334193178cfc6667a1fe987c8371c76d2d53b83c935c0b66c95876fd98258b2a0af3d808ccbb0b513 |
memory/4560-64-0x00007FF7462D0000-0x00007FF746624000-memory.dmp
memory/3932-57-0x00007FF644A20000-0x00007FF644D74000-memory.dmp
memory/1056-31-0x00007FF63B1D0000-0x00007FF63B524000-memory.dmp
C:\Windows\System\rslqYsU.exe
| MD5 | 4756cfc038985fafaf562acd840e946e |
| SHA1 | 545157c3ded7f91e233f05353a5c40d8c63fa26f |
| SHA256 | aee48e97463b7d9a3b05702332ba077e4358e79db1a5276f2e12f95969942190 |
| SHA512 | 5a5cf12bbe6b2d3225b3651215b9af04c7ba2d055d5f4b0c636a161fe80ad1b8498d74c506244d88b5c1dbe6a801b987407b9a20847a01ccd15d0f5add0e3c4c |
memory/4716-22-0x00007FF73DCB0000-0x00007FF73E004000-memory.dmp
memory/1440-8-0x00007FF7415D0000-0x00007FF741924000-memory.dmp
memory/5076-124-0x00007FF64FB10000-0x00007FF64FE64000-memory.dmp
memory/4932-125-0x00007FF71BE50000-0x00007FF71C1A4000-memory.dmp
memory/5084-126-0x00007FF6A0650000-0x00007FF6A09A4000-memory.dmp
memory/4316-127-0x00007FF707AE0000-0x00007FF707E34000-memory.dmp
memory/2284-128-0x00007FF69E580000-0x00007FF69E8D4000-memory.dmp
memory/4716-130-0x00007FF73DCB0000-0x00007FF73E004000-memory.dmp
memory/1704-129-0x00007FF796B70000-0x00007FF796EC4000-memory.dmp
memory/1284-131-0x00007FF7FADA0000-0x00007FF7FB0F4000-memory.dmp
memory/4972-132-0x00007FF696F40000-0x00007FF697294000-memory.dmp
memory/4560-133-0x00007FF7462D0000-0x00007FF746624000-memory.dmp
memory/3932-134-0x00007FF644A20000-0x00007FF644D74000-memory.dmp
memory/4820-135-0x00007FF7096C0000-0x00007FF709A14000-memory.dmp
memory/1160-136-0x00007FF71B320000-0x00007FF71B674000-memory.dmp
memory/2564-137-0x00007FF7221D0000-0x00007FF722524000-memory.dmp
memory/4188-138-0x00007FF74C250000-0x00007FF74C5A4000-memory.dmp
memory/5076-139-0x00007FF64FB10000-0x00007FF64FE64000-memory.dmp
memory/1440-140-0x00007FF7415D0000-0x00007FF741924000-memory.dmp
memory/2324-141-0x00007FF77F7F0000-0x00007FF77FB44000-memory.dmp
memory/4716-142-0x00007FF73DCB0000-0x00007FF73E004000-memory.dmp
memory/1056-143-0x00007FF63B1D0000-0x00007FF63B524000-memory.dmp
memory/3000-144-0x00007FF675520000-0x00007FF675874000-memory.dmp
memory/1980-145-0x00007FF6FF860000-0x00007FF6FFBB4000-memory.dmp
memory/1284-146-0x00007FF7FADA0000-0x00007FF7FB0F4000-memory.dmp
memory/4972-147-0x00007FF696F40000-0x00007FF697294000-memory.dmp
memory/3932-148-0x00007FF644A20000-0x00007FF644D74000-memory.dmp
memory/4560-149-0x00007FF7462D0000-0x00007FF746624000-memory.dmp
memory/4820-150-0x00007FF7096C0000-0x00007FF709A14000-memory.dmp
memory/2564-151-0x00007FF7221D0000-0x00007FF722524000-memory.dmp
memory/1160-152-0x00007FF71B320000-0x00007FF71B674000-memory.dmp
memory/1492-153-0x00007FF755CA0000-0x00007FF755FF4000-memory.dmp
memory/4188-154-0x00007FF74C250000-0x00007FF74C5A4000-memory.dmp
memory/1704-157-0x00007FF796B70000-0x00007FF796EC4000-memory.dmp
memory/5076-158-0x00007FF64FB10000-0x00007FF64FE64000-memory.dmp
memory/4316-159-0x00007FF707AE0000-0x00007FF707E34000-memory.dmp
memory/5084-156-0x00007FF6A0650000-0x00007FF6A09A4000-memory.dmp
memory/4932-155-0x00007FF71BE50000-0x00007FF71C1A4000-memory.dmp
memory/2284-160-0x00007FF69E580000-0x00007FF69E8D4000-memory.dmp