Analysis Overview
SHA256
f37a94fa043d2c79425689168d969c32b2c757bfa1b95f8d1bd44e5a9b261a88
Threat Level: Known bad
The file 2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
xmrig
Cobaltstrike family
Cobaltstrike
Xmrig family
XMRig Miner payload
UPX dump on OEP (original entry point)
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 16:48
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 16:48
Reported
2024-06-01 16:51
Platform
win10v2004-20240426-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\SgUCiNX.exe | N/A |
| N/A | N/A | C:\Windows\System\zWjhHTy.exe | N/A |
| N/A | N/A | C:\Windows\System\qwWaFWK.exe | N/A |
| N/A | N/A | C:\Windows\System\VQtxeYV.exe | N/A |
| N/A | N/A | C:\Windows\System\lQdBfMx.exe | N/A |
| N/A | N/A | C:\Windows\System\YYrxXNZ.exe | N/A |
| N/A | N/A | C:\Windows\System\imejPNm.exe | N/A |
| N/A | N/A | C:\Windows\System\nJQrqfZ.exe | N/A |
| N/A | N/A | C:\Windows\System\lnDtNYT.exe | N/A |
| N/A | N/A | C:\Windows\System\vNyrFbX.exe | N/A |
| N/A | N/A | C:\Windows\System\CsXcQPE.exe | N/A |
| N/A | N/A | C:\Windows\System\CkyoGJw.exe | N/A |
| N/A | N/A | C:\Windows\System\rDoqRsh.exe | N/A |
| N/A | N/A | C:\Windows\System\fQEVZEe.exe | N/A |
| N/A | N/A | C:\Windows\System\GJCAHZz.exe | N/A |
| N/A | N/A | C:\Windows\System\pjYUtuJ.exe | N/A |
| N/A | N/A | C:\Windows\System\THjbRFF.exe | N/A |
| N/A | N/A | C:\Windows\System\bApIwnq.exe | N/A |
| N/A | N/A | C:\Windows\System\MBwCAbx.exe | N/A |
| N/A | N/A | C:\Windows\System\JOJZlmM.exe | N/A |
| N/A | N/A | C:\Windows\System\yblMukG.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\SgUCiNX.exe
C:\Windows\System\SgUCiNX.exe
C:\Windows\System\zWjhHTy.exe
C:\Windows\System\zWjhHTy.exe
C:\Windows\System\qwWaFWK.exe
C:\Windows\System\qwWaFWK.exe
C:\Windows\System\VQtxeYV.exe
C:\Windows\System\VQtxeYV.exe
C:\Windows\System\lQdBfMx.exe
C:\Windows\System\lQdBfMx.exe
C:\Windows\System\YYrxXNZ.exe
C:\Windows\System\YYrxXNZ.exe
C:\Windows\System\imejPNm.exe
C:\Windows\System\imejPNm.exe
C:\Windows\System\nJQrqfZ.exe
C:\Windows\System\nJQrqfZ.exe
C:\Windows\System\lnDtNYT.exe
C:\Windows\System\lnDtNYT.exe
C:\Windows\System\vNyrFbX.exe
C:\Windows\System\vNyrFbX.exe
C:\Windows\System\CsXcQPE.exe
C:\Windows\System\CsXcQPE.exe
C:\Windows\System\CkyoGJw.exe
C:\Windows\System\CkyoGJw.exe
C:\Windows\System\rDoqRsh.exe
C:\Windows\System\rDoqRsh.exe
C:\Windows\System\fQEVZEe.exe
C:\Windows\System\fQEVZEe.exe
C:\Windows\System\GJCAHZz.exe
C:\Windows\System\GJCAHZz.exe
C:\Windows\System\pjYUtuJ.exe
C:\Windows\System\pjYUtuJ.exe
C:\Windows\System\THjbRFF.exe
C:\Windows\System\THjbRFF.exe
C:\Windows\System\bApIwnq.exe
C:\Windows\System\bApIwnq.exe
C:\Windows\System\MBwCAbx.exe
C:\Windows\System\MBwCAbx.exe
C:\Windows\System\JOJZlmM.exe
C:\Windows\System\JOJZlmM.exe
C:\Windows\System\yblMukG.exe
C:\Windows\System\yblMukG.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 16:48
Reported
2024-06-01 16:51
Platform
win7-20240221-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\fGMfwQl.exe | N/A |
| N/A | N/A | C:\Windows\System\VGJpYwG.exe | N/A |
| N/A | N/A | C:\Windows\System\RHruOUX.exe | N/A |
| N/A | N/A | C:\Windows\System\dXIDKnX.exe | N/A |
| N/A | N/A | C:\Windows\System\FkJhEik.exe | N/A |
| N/A | N/A | C:\Windows\System\WOTQjIP.exe | N/A |
| N/A | N/A | C:\Windows\System\lUmKmzT.exe | N/A |
| N/A | N/A | C:\Windows\System\nvvHYnk.exe | N/A |
| N/A | N/A | C:\Windows\System\iZJAjje.exe | N/A |
| N/A | N/A | C:\Windows\System\QlRtCOl.exe | N/A |
| N/A | N/A | C:\Windows\System\uKliwXf.exe | N/A |
| N/A | N/A | C:\Windows\System\aSWbIma.exe | N/A |
| N/A | N/A | C:\Windows\System\MQpBeye.exe | N/A |
| N/A | N/A | C:\Windows\System\sBQsRUd.exe | N/A |
| N/A | N/A | C:\Windows\System\JCRimDX.exe | N/A |
| N/A | N/A | C:\Windows\System\GXHhpsj.exe | N/A |
| N/A | N/A | C:\Windows\System\BlZumim.exe | N/A |
| N/A | N/A | C:\Windows\System\guioFQA.exe | N/A |
| N/A | N/A | C:\Windows\System\ZqOteXM.exe | N/A |
| N/A | N/A | C:\Windows\System\YlAPdSU.exe | N/A |
| N/A | N/A | C:\Windows\System\SMpoPYX.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\fGMfwQl.exe
C:\Windows\System\fGMfwQl.exe
C:\Windows\System\VGJpYwG.exe
C:\Windows\System\VGJpYwG.exe
C:\Windows\System\RHruOUX.exe
C:\Windows\System\RHruOUX.exe
C:\Windows\System\dXIDKnX.exe
C:\Windows\System\dXIDKnX.exe
C:\Windows\System\FkJhEik.exe
C:\Windows\System\FkJhEik.exe
C:\Windows\System\iZJAjje.exe
C:\Windows\System\iZJAjje.exe
C:\Windows\System\WOTQjIP.exe
C:\Windows\System\WOTQjIP.exe
C:\Windows\System\JCRimDX.exe
C:\Windows\System\JCRimDX.exe
C:\Windows\System\lUmKmzT.exe
C:\Windows\System\lUmKmzT.exe
C:\Windows\System\GXHhpsj.exe
C:\Windows\System\GXHhpsj.exe
C:\Windows\System\nvvHYnk.exe
C:\Windows\System\nvvHYnk.exe
C:\Windows\System\BlZumim.exe
C:\Windows\System\BlZumim.exe
C:\Windows\System\QlRtCOl.exe
C:\Windows\System\QlRtCOl.exe
C:\Windows\System\guioFQA.exe
C:\Windows\System\guioFQA.exe
C:\Windows\System\uKliwXf.exe
C:\Windows\System\uKliwXf.exe
C:\Windows\System\ZqOteXM.exe
C:\Windows\System\ZqOteXM.exe
C:\Windows\System\aSWbIma.exe
C:\Windows\System\aSWbIma.exe
C:\Windows\System\YlAPdSU.exe
C:\Windows\System\YlAPdSU.exe
C:\Windows\System\MQpBeye.exe
C:\Windows\System\MQpBeye.exe
C:\Windows\System\SMpoPYX.exe
C:\Windows\System\SMpoPYX.exe
C:\Windows\System\sBQsRUd.exe
C:\Windows\System\sBQsRUd.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
| SHA512 | cbb21b9bd5c6b7fa24ad1d157fef555887b1330a5f24db986b3619961eba3dce45a39817ef378ae1c2124b42610a6753f92eff8fd41326b18754cb14f08c4435 |
\Windows\system\YlAPdSU.exe
| MD5 | 3495c64900fc0833688ab98897ca5608 |
| SHA1 | 9da5099058078d4657cdbb2eb58b31d2d7ff8beb |
| SHA256 | 6dea533b32aa8e185e9055ecec6fd36905bfe598b4c6620aad9a596ab31406c0 |
| SHA512 | 66ebf4ae23b13c7021fd99ca9c2999f5527bbdfe2bed60e2752138d2be3bc87615da54a874f9161ebd39dfc98b3335595f1bcbe70f6e0a0d3b92ddf40cfb3d67 |
memory/2692-91-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2692-90-0x00000000022F0000-0x0000000002644000-memory.dmp
\Windows\system\ZqOteXM.exe
| MD5 | 79d14d305ef674c67a18504f769caa8c |
| SHA1 | 9e4d6d907ee943f0f4d3715eac2c086188c37d95 |
| SHA256 | 8e341b6cf601a51b957b07db45873d88436fc073421eb27ffd7868e11bcb6afa |
| SHA512 | e3dbcef67530b83285609379bfdf66769414897f2e1bf954e73b6076d0b9bbea443b4510ce6975de3eefc04c402db79cb3222cf7d43b737a66b73ae624ca02bf |
memory/2000-75-0x000000013F700000-0x000000013FA54000-memory.dmp
memory/2692-74-0x00000000022F0000-0x0000000002644000-memory.dmp
\Windows\system\guioFQA.exe
| MD5 | cb81442ffe14163fd9fde2c6796768d5 |
| SHA1 | 6de55fec953e50fb67e40948ae062de1fc5361e0 |
| SHA256 | ae802bfdbb8bd76230c49616151cd0b706b2462be885d366d2ed0a4e2a3758fa |
| SHA512 | e451b077821bf66dd50e41507af8c77454a41fa354d97b7d8f4aead1a48c25f81d706c32bebc4b34584851bafc0cb9cd95839c56e62ba82877fa10d9f75323e4 |
\Windows\system\GXHhpsj.exe
| MD5 | fdb0798fd6c01e6a30282d3595416b80 |
| SHA1 | c1d2bdb1db221f79ca1f910372ee22e263496632 |
| SHA256 | 7829b3e7eb46815b1fcc03406e873c276513eded3573e7eaf5c2cb9cb80572e0 |
| SHA512 | 2659a1198f4884d78f18a8bd1414acffacad704a25b86de9aa52932205699693a488a631042ce0947a67c0516af8bad6f064327b6d2eed91afe6ea499be5739e |
\Windows\system\JCRimDX.exe
| MD5 | f01d81bf3cb2b3a6dfca320984f01dd2 |
| SHA1 | 6c9117c5b5ed9e4cc735872e75ad3adef6f78338 |
| SHA256 | 1a58e8f10cbffa91d2acfd14c6354085234fa0bf5b3fa1204977fa43f9747277 |
| SHA512 | 32276cd2a767043393fa97adf9f31f0b173f27b772baf4a6329aa01bd8bd5fbdac1a34169d5e1dc33e35dfaab5bb532a4ef108d4afc55ba98a546157aeeae5ae |
memory/2692-38-0x000000013F220000-0x000000013F574000-memory.dmp
memory/2440-35-0x000000013FD70000-0x00000001400C4000-memory.dmp
\Windows\system\iZJAjje.exe
| MD5 | 36f12896086f1be914352ab55b3361ed |
| SHA1 | 1b001cc8cabf96f8863d06b5527eca1d6ffb7397 |
| SHA256 | 37099a6c2711389729d9a861436d3e1a798da7c4256e8e823cbe92b5bd0b93d1 |
| SHA512 | d582ffd0beb004889b3e5982bc4f03b2bf23c6150259f2e98e269a9ad31c956a7f6e34d46815a0718913667ab42f3fa8f9f04b34735d3bc10f58c42f68564bc0 |
memory/2692-114-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2692-113-0x000000013FD00000-0x0000000140054000-memory.dmp
memory/572-112-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/2692-111-0x000000013FC00000-0x000000013FF54000-memory.dmp
C:\Windows\system\sBQsRUd.exe
| MD5 | cab2652ea76a042ddecba4cec4339b60 |
| SHA1 | 6427f640947e02b7d5eaa12436e230a0170a69e1 |
| SHA256 | 97c495afc824543309352ea2f6ddf3a951c54e5f40ce24ba02466fb567bea498 |
| SHA512 | 4a77fe62d0cb0f89bdc70078557ada6415762c00d66b11bb1164b287470955b683ffa526379192d13726072ac4357a860e4d449509c925dfd6bbf50ff6bc1278 |
memory/2692-103-0x000000013F620000-0x000000013F974000-memory.dmp
memory/1228-95-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2552-133-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2428-86-0x000000013F220000-0x000000013F574000-memory.dmp
C:\Windows\system\uKliwXf.exe
| MD5 | f1e291c0ee4e84757dc540b0aad0153c |
| SHA1 | f324953cfd6edcc2b80930311e2439c49d4b2630 |
| SHA256 | 946b22621f961cbc3ada9ab7e200a5aa6afbeefb73170c0dbb5465aba8f42d82 |
| SHA512 | 37f7af1dcdcc01c79cc25e77d444f5c62b0b9d4eb8a417516d3571f0cd2e9da81e488acdc1889c77094b72707509df14ba27a74f48fdac9690139bd90b5e7960 |
memory/2876-84-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2692-81-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2692-80-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2456-79-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2692-78-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2692-77-0x000000013F280000-0x000000013F5D4000-memory.dmp
C:\Windows\system\QlRtCOl.exe
| MD5 | f4aa658ff33d4e35bd545204781f0115 |
| SHA1 | 2932fccb06ebfd8745dd86fb5f9ced227a4c98db |
| SHA256 | 5b1bd33e7cd46a191833431e0e711aac80006ed2b13a7ce63d82dd914255bc0e |
| SHA512 | 62d5ee47576917e987b8b43d3c29114eb18ae6a659f126acae8790ec8e1939858f852b3e5aa646e417985dd9bc4f742598af1116e9af7e53190115844ee10a68 |
C:\Windows\system\nvvHYnk.exe
| MD5 | 69533e72307afa412ef384cf47c0ec17 |
| SHA1 | 3d430e2984179c62ad3a64db66f541e073020ef2 |
| SHA256 | bd3aa128a3bb9ce7fb715f199139c5bbf1d1e10448d4adb072a11318102d0d22 |
| SHA512 | 5c1d3fd22389d0c8bee34884ccb9b41cd84fab8b782a5ce2649136dd15a266ca01052f1911f055bcf3f0bf7b44118f0247e59737c7ffe0f8e1603090f0042fb4 |
C:\Windows\system\lUmKmzT.exe
| MD5 | dfd948c30a9879eccdc7af93c18e79f9 |
| SHA1 | bff1fff0a711fb1030ade2602e05269ac94a04a4 |
| SHA256 | bb0f6c3ad49d28d3190612295dde83ff3bfe13ed666dceb291460340f750d1ed |
| SHA512 | bf4924846ecb4c09b110e3769411726c66845ed6633b2435a0eb11b107e72c08b9cc3c4069424b7faad283411e5799778b71c603d0abe18b06865f6fcaae8be1 |
C:\Windows\system\WOTQjIP.exe
| MD5 | 3a178b2278ce317cfb73982b6568d62e |
| SHA1 | d79fc494e9cdbb93d6e49c462bd24f4b26bb1467 |
| SHA256 | 1893cdc9cd567dce7b418c065b7eba402987b38735e599a92aa8f88c1ec5396f |
| SHA512 | 42c0d9d1cdf4af480df788d121ea0a7122cc9142300627fe718a8684e764124da2f25823188b36e6dca2beff82cdd3a3e880b610466327bd5092f79be76d0083 |
memory/2692-32-0x000000013FD70000-0x00000001400C4000-memory.dmp
C:\Windows\system\FkJhEik.exe
| MD5 | e845b14f2f30c8ab538e8b92e80403d4 |
| SHA1 | 5c0d17bbe12664790650df7c7a1fbd730adc908f |
| SHA256 | 2efc3b091df1af06c372d63099bd041e84e0ec613627bea5f482825b0a251937 |
| SHA512 | efacdc6abf74796234f0993060753c18f7dd97fe24c0d9dfdaed812be58fd4fb6881cc29f45d087270783733f660cdd6e5f50486215f2288410f9a328489415f |
C:\Windows\system\dXIDKnX.exe
| MD5 | b3df85e85ed32c1edfdc806bc88d7bdd |
| SHA1 | e62c5451ee2e26679d61e6415a1df747b163e481 |
| SHA256 | 3a7ae0528f139d4a7972e8149ba7d9b11ddddfb68ec03763e64c544cda7a9a26 |
| SHA512 | aefc9301728ccf6f4021faad451fe4e8175a3091f08334890cb0472fec2712fb570bc9bfa894e30920f42bcdd020327106e5c29fd34a636d415ac1980ed44506 |
memory/2692-25-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2612-24-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/3016-11-0x000000013F640000-0x000000013F994000-memory.dmp
memory/2692-16-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2512-134-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2440-135-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2692-136-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/572-137-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/3016-138-0x000000013F640000-0x000000013F994000-memory.dmp
memory/2612-139-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2552-140-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2440-141-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2512-142-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2000-143-0x000000013F700000-0x000000013FA54000-memory.dmp
memory/2456-144-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2876-146-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2428-145-0x000000013F220000-0x000000013F574000-memory.dmp
memory/1228-147-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/572-148-0x000000013FC00000-0x000000013FF54000-memory.dmp