Analysis Overview
SHA256
604a7e01311339f36497a48f34163f15e3ca8c462806d48452eeb48980abad39
Threat Level: Known bad
The file 2024-06-01_c8ca84bf81758956a36d57c0dc10e822_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
Cobalt Strike reflective loader
XMRig Miner payload
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike
Cobaltstrike family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:55
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 07:55
Reported
2024-06-01 07:57
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\QZOShiP.exe | N/A |
| N/A | N/A | C:\Windows\System\frYaTnI.exe | N/A |
| N/A | N/A | C:\Windows\System\QLgnTac.exe | N/A |
| N/A | N/A | C:\Windows\System\ySZClJH.exe | N/A |
| N/A | N/A | C:\Windows\System\YLfZpRV.exe | N/A |
| N/A | N/A | C:\Windows\System\doyoFEI.exe | N/A |
| N/A | N/A | C:\Windows\System\vYjhyEp.exe | N/A |
| N/A | N/A | C:\Windows\System\wmpgojv.exe | N/A |
| N/A | N/A | C:\Windows\System\mKyBkOQ.exe | N/A |
| N/A | N/A | C:\Windows\System\UsBKSFd.exe | N/A |
| N/A | N/A | C:\Windows\System\vhYrMqK.exe | N/A |
| N/A | N/A | C:\Windows\System\kYCMqMP.exe | N/A |
| N/A | N/A | C:\Windows\System\Ezrclhf.exe | N/A |
| N/A | N/A | C:\Windows\System\UmZzsjN.exe | N/A |
| N/A | N/A | C:\Windows\System\wpxBGMc.exe | N/A |
| N/A | N/A | C:\Windows\System\XvRCNsv.exe | N/A |
| N/A | N/A | C:\Windows\System\AQAYwWl.exe | N/A |
| N/A | N/A | C:\Windows\System\VIysDqS.exe | N/A |
| N/A | N/A | C:\Windows\System\idCRRiQ.exe | N/A |
| N/A | N/A | C:\Windows\System\gDyiCgt.exe | N/A |
| N/A | N/A | C:\Windows\System\tQyxPKi.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_c8ca84bf81758956a36d57c0dc10e822_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_c8ca84bf81758956a36d57c0dc10e822_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_c8ca84bf81758956a36d57c0dc10e822_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_c8ca84bf81758956a36d57c0dc10e822_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\QZOShiP.exe
C:\Windows\System\QZOShiP.exe
C:\Windows\System\frYaTnI.exe
C:\Windows\System\frYaTnI.exe
C:\Windows\System\QLgnTac.exe
C:\Windows\System\QLgnTac.exe
C:\Windows\System\ySZClJH.exe
C:\Windows\System\ySZClJH.exe
C:\Windows\System\YLfZpRV.exe
C:\Windows\System\YLfZpRV.exe
C:\Windows\System\doyoFEI.exe
C:\Windows\System\doyoFEI.exe
C:\Windows\System\vYjhyEp.exe
C:\Windows\System\vYjhyEp.exe
C:\Windows\System\wmpgojv.exe
C:\Windows\System\wmpgojv.exe
C:\Windows\System\mKyBkOQ.exe
C:\Windows\System\mKyBkOQ.exe
C:\Windows\System\UsBKSFd.exe
C:\Windows\System\UsBKSFd.exe
C:\Windows\System\vhYrMqK.exe
C:\Windows\System\vhYrMqK.exe
C:\Windows\System\kYCMqMP.exe
C:\Windows\System\kYCMqMP.exe
C:\Windows\System\Ezrclhf.exe
C:\Windows\System\Ezrclhf.exe
C:\Windows\System\UmZzsjN.exe
C:\Windows\System\UmZzsjN.exe
C:\Windows\System\wpxBGMc.exe
C:\Windows\System\wpxBGMc.exe
C:\Windows\System\XvRCNsv.exe
C:\Windows\System\XvRCNsv.exe
C:\Windows\System\AQAYwWl.exe
C:\Windows\System\AQAYwWl.exe
C:\Windows\System\VIysDqS.exe
C:\Windows\System\VIysDqS.exe
C:\Windows\System\idCRRiQ.exe
C:\Windows\System\idCRRiQ.exe
C:\Windows\System\gDyiCgt.exe
C:\Windows\System\gDyiCgt.exe
C:\Windows\System\tQyxPKi.exe
C:\Windows\System\tQyxPKi.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:55
Reported
2024-06-01 07:57
Platform
win7-20240508-en
Max time kernel
143s
Max time network
147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\NpunWIX.exe | N/A |
| N/A | N/A | C:\Windows\System\KIfSRMT.exe | N/A |
| N/A | N/A | C:\Windows\System\pTFICPZ.exe | N/A |
| N/A | N/A | C:\Windows\System\QSvkQiV.exe | N/A |
| N/A | N/A | C:\Windows\System\IcieUsb.exe | N/A |
| N/A | N/A | C:\Windows\System\aWUAjXw.exe | N/A |
| N/A | N/A | C:\Windows\System\lvuxGOg.exe | N/A |
| N/A | N/A | C:\Windows\System\dfEkjZR.exe | N/A |
| N/A | N/A | C:\Windows\System\kaGlEwO.exe | N/A |
| N/A | N/A | C:\Windows\System\IRkCQAA.exe | N/A |
| N/A | N/A | C:\Windows\System\RVsaZvP.exe | N/A |
| N/A | N/A | C:\Windows\System\sGOeKmh.exe | N/A |
| N/A | N/A | C:\Windows\System\xrbQJct.exe | N/A |
| N/A | N/A | C:\Windows\System\sgTVmDr.exe | N/A |
| N/A | N/A | C:\Windows\System\xQNEDyB.exe | N/A |
| N/A | N/A | C:\Windows\System\OYcqFJA.exe | N/A |
| N/A | N/A | C:\Windows\System\jPuhatF.exe | N/A |
| N/A | N/A | C:\Windows\System\xDCETQy.exe | N/A |
| N/A | N/A | C:\Windows\System\iXraIzS.exe | N/A |
| N/A | N/A | C:\Windows\System\YLbsuRM.exe | N/A |
| N/A | N/A | C:\Windows\System\QLQEGko.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_c8ca84bf81758956a36d57c0dc10e822_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_c8ca84bf81758956a36d57c0dc10e822_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_c8ca84bf81758956a36d57c0dc10e822_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_c8ca84bf81758956a36d57c0dc10e822_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\NpunWIX.exe
C:\Windows\System\NpunWIX.exe
C:\Windows\System\KIfSRMT.exe
C:\Windows\System\KIfSRMT.exe
C:\Windows\System\pTFICPZ.exe
C:\Windows\System\pTFICPZ.exe
C:\Windows\System\QSvkQiV.exe
C:\Windows\System\QSvkQiV.exe
C:\Windows\System\IcieUsb.exe
C:\Windows\System\IcieUsb.exe
C:\Windows\System\aWUAjXw.exe
C:\Windows\System\aWUAjXw.exe
C:\Windows\System\lvuxGOg.exe
C:\Windows\System\lvuxGOg.exe
C:\Windows\System\dfEkjZR.exe
C:\Windows\System\dfEkjZR.exe
C:\Windows\System\kaGlEwO.exe
C:\Windows\System\kaGlEwO.exe
C:\Windows\System\IRkCQAA.exe
C:\Windows\System\IRkCQAA.exe
C:\Windows\System\RVsaZvP.exe
C:\Windows\System\RVsaZvP.exe
C:\Windows\System\sGOeKmh.exe
C:\Windows\System\sGOeKmh.exe
C:\Windows\System\xrbQJct.exe
C:\Windows\System\xrbQJct.exe
C:\Windows\System\sgTVmDr.exe
C:\Windows\System\sgTVmDr.exe
C:\Windows\System\xQNEDyB.exe
C:\Windows\System\xQNEDyB.exe
C:\Windows\System\OYcqFJA.exe
C:\Windows\System\OYcqFJA.exe
C:\Windows\System\jPuhatF.exe
C:\Windows\System\jPuhatF.exe
C:\Windows\System\YLbsuRM.exe
C:\Windows\System\YLbsuRM.exe
C:\Windows\System\xDCETQy.exe
C:\Windows\System\xDCETQy.exe
C:\Windows\System\QLQEGko.exe
C:\Windows\System\QLQEGko.exe
C:\Windows\System\iXraIzS.exe
C:\Windows\System\iXraIzS.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| SHA512 | 3e95962105e3415b4f8adf75519fbcb7f7062fa1d019123a596e64475ac156bc3dd0e26c0961f1d94da38b7ae7ad832afa094ebc2deb84ba4a4f4485973d8ee4 |
C:\Windows\system\sgTVmDr.exe
| MD5 | 1d12e0e4e905ef32b43dac9a5c195ab9 |
| SHA1 | 3316cdbdefdde5f26482d8d01f747f991b6461a0 |
| SHA256 | d71154ee62b488ed90fe113982eebc7b8ec1b00ac34891979d6bbfcf55fd6d43 |
| SHA512 | 3ccbfeb1d67d05d57de83d01d3310185fa948fe6c20cffd5a8b72a134ee46aa08ec800bd21a0d15a8d170cef715a7f5039ee966eb6394720a0c03c125ae1ace1 |
C:\Windows\system\xQNEDyB.exe
| MD5 | 74458a4377d744592e4cc0fa59cd78b5 |
| SHA1 | 0beae78b0fd05ba7687b77fd3f3a69f064d6994a |
| SHA256 | 6e19d25d8b3557a8d1ac4fb7cc7d5abbc047c17b9b09316c3820428a83c754ee |
| SHA512 | 2a8c08011da1ab08c19eb2a16d7e564d3c14e5701503c7f172604328ebab5141c371aa7b4ff3a47c9aaf4d79a2fa918c77ab72b40108c937d57001ed706c89cd |
C:\Windows\system\OYcqFJA.exe
| MD5 | 412ad00cde3d9124046af25545fd0534 |
| SHA1 | 161682cad216004aa9fa8124017fc6fdf70759c5 |
| SHA256 | 9e1ce4e0a25b9411e7e13329d7e0648d42c84357ae99d6938759dbfd3d149838 |
| SHA512 | dc77d812b1c976ab74c9ac3f374269371ee00f5c73ac8b3990346e1cb56d931ad419be062be37673d41bc7de55414fd7451310a5ad8292e5b26614c20fffb8a4 |
memory/2236-88-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/2236-128-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2236-102-0x0000000002410000-0x0000000002764000-memory.dmp
\Windows\system\QLQEGko.exe
| MD5 | 1607b4d6c48a9818b7c189871b38144f |
| SHA1 | 6eeac5356c87b50674e518e891dec229e9621027 |
| SHA256 | d4938e251dbd873e6fb72b277d7fd312e47e6d48f3234aef0928b5a22d62d75f |
| SHA512 | f897216a088aea19b960d12335db464b90fc1868b1cbaa65c3e374817a6275d4f9d2a6e1a21f0114d78bf2723feb001953b67dfbeb0a52684128568b9e30d4d0 |
\Windows\system\YLbsuRM.exe
| MD5 | e30c656353e9230a2d453013df36135f |
| SHA1 | e194c26a7235b39f7e6c11640a31fa0ed20bf681 |
| SHA256 | f8fd504c9f9164ee2b972abe6415cdcef0d414bebc0832d785eff60c900c15c4 |
| SHA512 | 2d647fedbd84f377afa875ca6bb349254e3e71a7ed7c812a97400847d3aeefda7bfb9d35b77ca6a5d0fedd18d2e566d6faad5081c0714b26f466d460c05b32f0 |
memory/2196-129-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/2132-127-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2236-126-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/1260-125-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2236-124-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2524-123-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2236-122-0x0000000002410000-0x0000000002764000-memory.dmp
memory/2188-121-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2236-120-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2164-119-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2236-118-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2592-117-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2236-116-0x0000000002410000-0x0000000002764000-memory.dmp
memory/2652-115-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2236-114-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2500-113-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2236-112-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2616-111-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2236-110-0x0000000002410000-0x0000000002764000-memory.dmp
memory/2768-109-0x000000013FE20000-0x0000000140174000-memory.dmp
C:\Windows\system\iXraIzS.exe
| MD5 | 38b321e24fe14c62bcb9512b2d03b542 |
| SHA1 | 894ec9097b3343d57c1dad3deb89786aa2637d78 |
| SHA256 | aec56df5a9858604e13a9f65e2c479f2435a2b5a71fefb3d968abcd0ca150eb1 |
| SHA512 | aabeae263f09bbe357d62c3649354fe5afb84dbb886966d17cf4818dbef2def8960ed97dc60dfe8c5b7f19e77e2240ea4cdf6d0c8e8d35095b493fd1352dfea4 |
memory/2236-106-0x0000000002410000-0x0000000002764000-memory.dmp
memory/2736-105-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/2600-98-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2236-97-0x0000000002410000-0x0000000002764000-memory.dmp
C:\Windows\system\xDCETQy.exe
| MD5 | f9428db2a12f708dcc46ec660220a12c |
| SHA1 | 52afefd32966024cc3cad00b6bb1db824a3c083d |
| SHA256 | 6a99736a030d5d3389c2b77e07254af7f0929bcba7060c0fc13d2fc05c46f874 |
| SHA512 | f7a23ec3192e996fc468e01d730f12d723fdcd08df67a4df1937f58201e23920115fa8dda19d2c72819c58a363843aa9bbaabcf5403d4a216768ac25001b1601 |
memory/2676-95-0x000000013F830000-0x000000013FB84000-memory.dmp
C:\Windows\system\jPuhatF.exe
| MD5 | d235b55829f9c90117e7d97434659f82 |
| SHA1 | 5340442c99f66f71188ff1d5f072f2f55cc22274 |
| SHA256 | 602f9d97c67641cad04b33a5dbcfc0f824832fa4220ca7c202f5efccdf39d7fa |
| SHA512 | a98a58a5a8145883f816af093ac7f6ec659260c29d719ba275d49df7895121852b66abcd49eb43b1d20b8f0533faeddf6354ecab3fb7bc4409ac841621352ba3 |
C:\Windows\system\xrbQJct.exe
| MD5 | 74159eec820ae75ff71a920241aeb9fc |
| SHA1 | 36c331d990811c438dd78738258c8bc8e88627ec |
| SHA256 | d1346db51a464506ad774e2e3d1a95081a2cf0a3a4f53237d0e6e75ed81dc796 |
| SHA512 | d2f3123bbb25207d5b633c8ac572e8d83bf2ebe266ed1f52349e212af4d3950ae4f3302e5f0f97a4cd1264ccf5a381855f023fe2116923c582a7e6b938fa3a0e |
C:\Windows\system\sGOeKmh.exe
| MD5 | 60ad65620750d74b7a2f5100151f540a |
| SHA1 | b4469c6e488345d834aa770fcffb5baadf561b81 |
| SHA256 | 40e010e661486d4d20b039f1004c11456dd49b81884e21842c489646b3b3bb32 |
| SHA512 | 50be7235d5fb77776964b7293ca083dbec1d6aa83595838878e5a4ef64721f5f8ed2b569a6d936b35e3ecaa8d0e2f6fb9e7acdf1f6a54f51bb3416addf8d29ee |
C:\Windows\system\IRkCQAA.exe
| MD5 | 55764dcfc78f31885af61621394b8cd4 |
| SHA1 | 430121e7c996a048c482f65e60393b133e5f75b3 |
| SHA256 | 7a3708c4199d4236126a47436a03b5544c283cc525d17c39f677a7410fa9b989 |
| SHA512 | b711b0a92e70aa85698a4b370c4922162dc34630bd58f8d8317bc72a22e994c311c5d5816f7f44a60c87615a8142d621fbdc02cf7b2f9b06a64b4cfdd3d7f87a |
C:\Windows\system\kaGlEwO.exe
| MD5 | 28237543c44be2e9ff48ed8a6f101f5b |
| SHA1 | 4c7ea557f0cd041b175ef86b9030f06f560c9f93 |
| SHA256 | 46d90e33ecd4ff651d10812dfc3c59d86a68a07d4962c7c8c295ecc7193d51e5 |
| SHA512 | a4822e1011ff4f5afcec599625af7b6576203f24ab2d3738fd8f4ffd0e0cb210bcf65266a1c8af75f346cdcd0162ece7241304cceb9889afbbbf3be90d15c7c9 |
C:\Windows\system\lvuxGOg.exe
| MD5 | 380e2b9b8dc2104ddadfc4c712fef865 |
| SHA1 | 82b6afbaef50d975e97c12d023539a0120bb602d |
| SHA256 | b342d922ce266442db7d36d0f3b61c50fb2a1785b84131d57f5722741b9ef938 |
| SHA512 | 9a19adad2cbf2881ad43bf916be747439017a11da3d24fff34c40b7e2698d2818f9ec992b83c15b699b6446c8603840b5edacbcf89b8c483f977e003c02ce633 |
C:\Windows\system\IcieUsb.exe
| MD5 | b5623e0c7594678923e797f15d8c87d1 |
| SHA1 | 1c26bbcfd2865e0365b6e6435e2f0f9511d972ab |
| SHA256 | 5ecd14965f4dbcde35adfc75c3df98c969b0d7c62d62a9040e998e5af95cfca4 |
| SHA512 | 99d65ad35619050d76e2eae5bc82103832a92bf36f6a9687c466bcd74cc85590c042fcdaffff72ba007eaa727c987b23bc90e5ff8e1fb22d8e8c7a7c05333479 |
memory/2236-135-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2236-136-0x0000000002410000-0x0000000002764000-memory.dmp
memory/2196-137-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/2676-138-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2600-139-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2768-141-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/2736-140-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/2616-142-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2500-143-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2652-144-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2592-145-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2164-146-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2188-147-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2524-148-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/1260-149-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2132-150-0x000000013F660000-0x000000013F9B4000-memory.dmp
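The memory/<pid>-<seq>-<start>-<end>-memory.dmp names above carry structure that is easy to miss when read as a flat list. Every dumped image region of a dropped executable is exactly 0x354000 bytes (the only other size is the 0x10000 region in PID 2196), even though the 21 files on disk all have different hashes. PID 2236 also has dumps at the same start and end as each other PID's image region, plus repeated dumps of a non-image range 0x02410000-0x02764000 of that same size. The script below is an added example, not part of the report; it parses a subset of the dump names copied from the list above and surfaces both facts. This page does not state which process is the parent of which, so treat the "hub" result as a lead to check against the process tree, not as a conclusion about injection.

```python
"""Added example, not part of the sandbox report: recover region sizes and
cross-process overlaps from memory/<pid>-<seq>-<start>-<end>-memory.dmp names.
Only the filename pattern is used, so it runs offline on the names alone."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Subset of the dump names copied from the report above.
DUMPS = [
    "memory/2196-7-0x00000000003F0000-0x0000000000400000-memory.dmp",
    "memory/2236-2-0x000000013FCA0000-0x000000013FFF4000-memory.dmp",
    "memory/2236-88-0x000000013F670000-0x000000013F9C4000-memory.dmp",
    "memory/2236-102-0x0000000002410000-0x0000000002764000-memory.dmp",
    "memory/2196-129-0x000000013F670000-0x000000013F9C4000-memory.dmp",
    "memory/2132-127-0x000000013F660000-0x000000013F9B4000-memory.dmp",
    "memory/2236-126-0x000000013F660000-0x000000013F9B4000-memory.dmp",
    "memory/1260-125-0x000000013F910000-0x000000013FC64000-memory.dmp",
    "memory/2236-124-0x000000013F910000-0x000000013FC64000-memory.dmp",
    "memory/2524-123-0x000000013FFA0000-0x00000001402F4000-memory.dmp",
    "memory/2236-122-0x0000000002410000-0x0000000002764000-memory.dmp",
    "memory/2768-109-0x000000013FE20000-0x0000000140174000-memory.dmp",
]

def parse_dump(name):
    """Split one dump name into pid, sequence number, start, end and size in bytes."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}

def regions_by_size(names):
    """Map region size -> set of PIDs that had a dump of that size."""
    out = defaultdict(set)
    for d in map(parse_dump, names):
        out[d["size"]].add(d["pid"])
    return dict(out)

def shared_ranges(names):
    """Map (start, end) -> sorted PIDs, for ranges dumped from more than one process."""
    seen = defaultdict(set)
    for d in map(parse_dump, names):
        seen[(d["start"], d["end"])].add(d["pid"])
    return {rng: sorted(pids) for rng, pids in seen.items() if len(pids) > 1}

def hub_pid(names):
    """PID that shares dumped ranges with the most other PIDs (None if nothing is shared)."""
    counts = defaultdict(int)
    for pids in shared_ranges(names).values():
        for p in pids:
            counts[p] += len(pids) - 1
    return max(counts, key=counts.get) if counts else None

if __name__ == "__main__":
    for size, pids in sorted(regions_by_size(DUMPS).items()):
        print(f"size 0x{size:X}: pids {sorted(pids)}")
    for (start, end), pids in shared_ranges(DUMPS).items():
        print(f"0x{start:X}-0x{end:X} dumped from {pids}")
    print("hub pid:", hub_pid(DUMPS))
```

Identical region sizes across 21 differently-hashed files, and one process holding copies of every other process's image range, are the two things to carry into the next step: compare the dumps byte-for-byte after stripping relocations, and check the 0x02410000 range in PID 2236 for a PE header, before attributing any of it to a specific injection technique.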