Analysis Overview
SHA256
b0edf5228f688fdf6e7bca7d0e2333931b98ba6905ee9634ce55a22a58f61e38
Threat Level: Known bad
The file 2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
xmrig
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
XMRig Miner payload
Cobaltstrike
Xmrig family
Cobaltstrike family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-10 08:33
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 08:33
Reported
2024-06-10 08:36
Platform
win7-20240221-en
Max time kernel
138s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\SRqPvyB.exe | N/A |
| N/A | N/A | C:\Windows\System\wkEbXDO.exe | N/A |
| N/A | N/A | C:\Windows\System\vxQjQqC.exe | N/A |
| N/A | N/A | C:\Windows\System\LaIGXyt.exe | N/A |
| N/A | N/A | C:\Windows\System\pacrUQW.exe | N/A |
| N/A | N/A | C:\Windows\System\Ovsbxfu.exe | N/A |
| N/A | N/A | C:\Windows\System\dovlXIj.exe | N/A |
| N/A | N/A | C:\Windows\System\ldIMvcQ.exe | N/A |
| N/A | N/A | C:\Windows\System\GRrQeQV.exe | N/A |
| N/A | N/A | C:\Windows\System\PxZUauk.exe | N/A |
| N/A | N/A | C:\Windows\System\ghcIsyJ.exe | N/A |
| N/A | N/A | C:\Windows\System\QUpJfoX.exe | N/A |
| N/A | N/A | C:\Windows\System\GITggoi.exe | N/A |
| N/A | N/A | C:\Windows\System\gUvsFvC.exe | N/A |
| N/A | N/A | C:\Windows\System\qEMpiuA.exe | N/A |
| N/A | N/A | C:\Windows\System\etikcPx.exe | N/A |
| N/A | N/A | C:\Windows\System\RvyQcAA.exe | N/A |
| N/A | N/A | C:\Windows\System\jrvEfXa.exe | N/A |
| N/A | N/A | C:\Windows\System\QZwYMIX.exe | N/A |
| N/A | N/A | C:\Windows\System\XJdhjPh.exe | N/A |
| N/A | N/A | C:\Windows\System\RPZmduf.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\SRqPvyB.exe
C:\Windows\System\SRqPvyB.exe
C:\Windows\System\wkEbXDO.exe
C:\Windows\System\wkEbXDO.exe
C:\Windows\System\vxQjQqC.exe
C:\Windows\System\vxQjQqC.exe
C:\Windows\System\LaIGXyt.exe
C:\Windows\System\LaIGXyt.exe
C:\Windows\System\Ovsbxfu.exe
C:\Windows\System\Ovsbxfu.exe
C:\Windows\System\pacrUQW.exe
C:\Windows\System\pacrUQW.exe
C:\Windows\System\dovlXIj.exe
C:\Windows\System\dovlXIj.exe
C:\Windows\System\ldIMvcQ.exe
C:\Windows\System\ldIMvcQ.exe
C:\Windows\System\GRrQeQV.exe
C:\Windows\System\GRrQeQV.exe
C:\Windows\System\PxZUauk.exe
C:\Windows\System\PxZUauk.exe
C:\Windows\System\ghcIsyJ.exe
C:\Windows\System\ghcIsyJ.exe
C:\Windows\System\QUpJfoX.exe
C:\Windows\System\QUpJfoX.exe
C:\Windows\System\GITggoi.exe
C:\Windows\System\GITggoi.exe
C:\Windows\System\gUvsFvC.exe
C:\Windows\System\gUvsFvC.exe
C:\Windows\System\qEMpiuA.exe
C:\Windows\System\qEMpiuA.exe
C:\Windows\System\etikcPx.exe
C:\Windows\System\etikcPx.exe
C:\Windows\System\RvyQcAA.exe
C:\Windows\System\RvyQcAA.exe
C:\Windows\System\jrvEfXa.exe
C:\Windows\System\jrvEfXa.exe
C:\Windows\System\QZwYMIX.exe
C:\Windows\System\QZwYMIX.exe
C:\Windows\System\XJdhjPh.exe
C:\Windows\System\XJdhjPh.exe
C:\Windows\System\RPZmduf.exe
C:\Windows\System\RPZmduf.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3000-0-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/3000-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\SRqPvyB.exe
| MD5 | b06eaf61e95b8cbc7a8df83589f7a35e |
| SHA1 | cd93746b9e91d588698f5b26f14d4b1ef81c124e |
| SHA256 | 047c3c42f2ce52079e70f1e95ceeaa59518babab081b0d544594ef4d34cca1ab |
| SHA512 | bc7c5bc756dff6cc940563446bdeaa46a6ae7d7b3c802a49db5175eb81eac9aebf5400d84f4c32a625575a53a9187b25447d1cf0a01ffaf71cab84be8ce08200 |
\Windows\system\wkEbXDO.exe
| MD5 | 74eaca9f21a52b42f00b1fb9448a5aa7 |
| SHA1 | df2d5df9ae6a6bea8afa9093d11cc0baf6fdab29 |
| SHA256 | a49c2585033c46d9ac96196fd09e22523403b0b5f321e67668dd72bd3da0bef3 |
| SHA512 | dd0b9a9bf234f3a89654b0695a1a8af8f60d3a929ae099cd703702ac45fd6ef75c89e73e9a8c566a3b70c766b83d00e866cccae0feb3a8b749c330152f2ef7ab |
memory/1072-12-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2828-14-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/3000-8-0x0000000002260000-0x00000000025B4000-memory.dmp
C:\Windows\system\vxQjQqC.exe
| MD5 | 90019705c78c3c187c676b3905b4bbe9 |
| SHA1 | 788a996d922a35a4ae63aacb258a17469d1f7777 |
| SHA256 | d94c6092d4c6e5361ac7503617ed1b8c6d8f800c083e2ddf734b3823a946fcd5 |
| SHA512 | 76b6f52a45d8cdfd258846f77115813c86508cad241979d981128c0eaa7cd06fe26123e75265a6e5d810ed3edc918f072c1cdbd58dbe140408434e8a5e7b93a8 |
memory/1664-21-0x000000013F440000-0x000000013F794000-memory.dmp
memory/3000-17-0x000000013F440000-0x000000013F794000-memory.dmp
C:\Windows\system\LaIGXyt.exe
| MD5 | 18c36091d128eb704f86a723d10be89a |
| SHA1 | f67b0ea592f421bb45b08e5105b49d50a4754706 |
| SHA256 | bbcea96678a5a0ef933f8b67c00ccc6dc0644465f0cd222dc278a59737fe97e4 |
| SHA512 | cb66711ee837acad8f35c667126ae54a76e6e77018a85d90b4c40d16e837bb453d11acecffb66c4de3ff5697739b630be8901209b4f5134c1c05600f12e9b4f2 |
\Windows\system\Ovsbxfu.exe
| MD5 | 84056270d876bee7ec0f1c866a7071ac |
| SHA1 | fdcf54350e7f9529b82aaaf046acc2bbb096b0e8 |
| SHA256 | ab5be699af289bd17e2d1de873a92697d4b4baeb0bacbdf44dd33b7b08b3cafd |
| SHA512 | 087a1fac5ef4b2f7878d764dfd14e492d98efe2f6eede6ec8cdf1626644cd510bc7e5b57fa209f11085a3e97f80e91cd7d8cddef6351eca6ca3abff524959b4d |
\Windows\system\pacrUQW.exe
| MD5 | 021841b44c136345fef587c9a048f049 |
| SHA1 | dcb2038e58bc5f6035204c99ebb01f766e7cc8a9 |
| SHA256 | 8a9703fb50d37ff0cd0d5253fe97b674eccb8bb7387b69467969be0a35ed0ead |
| SHA512 | 490fec80adfa3bef7deb33a91001f1dc92233130cbdb454283c2a10f8e275d67af0c90e7e4c09324a58fb797f7b4572f2776c5cd8c53881ffb7a5ec3d5a782f0 |
C:\Windows\system\dovlXIj.exe
| MD5 | ec88e9e99c491e5b233f0f0e13d9ab94 |
| SHA1 | e9595a884d2ea56f4ea1f78ef31201274fbbc581 |
| SHA256 | 73d58cb61229ce6d6da5e793d1dbc2ddcb3e2bb0d479cc6f56679e9d4ca45b23 |
| SHA512 | e100e3cfba47052326a949dd39e130898194b4268c8ad3449e73c3536f9c6c6662781fd598a44e35bc529030732974cb5c114c792e5aa136c3f5be025c213c6f |
C:\Windows\system\PxZUauk.exe
| MD5 | f5c35f3abf35824aa511b6f223deba12 |
| SHA1 | 8716f9ebf3586774c668df3d2f3584e42ac66db2 |
| SHA256 | d4613210544e964d1a2403ea0d4346ffc0a89eeb698d342344381a9581aac97f |
| SHA512 | 0665ac5c14bf287d1bce916f76bd0f488a8c23d22870182ae963e7bcd2f6a86422cd4b870548474e1f53a1e3cb232016cd99e56f75392ced1bdb056d41e68ef8 |
\Windows\system\QUpJfoX.exe
| MD5 | 4b18c8bc18cafaa28869ae1b0604aa9e |
| SHA1 | 522247484ea3ca46e2c7153b1c0110512561b840 |
| SHA256 | 815ab0f68c2c256c8bf51d010cb144e0bd029e5e41f45a3760b4cd341ca602cf |
| SHA512 | fdf1de2576c884435a9d4e384afec10567bd9f59dc8956b4e0fe8c09285a6fa0c6882f2225f51203da38e9a521231011f0988bbd058244e44471d5dc763f79b9 |
C:\Windows\system\etikcPx.exe
| MD5 | 9c6ed1ee90d058602ea891ac49057c25 |
| SHA1 | 432807b4bd164a1ee78dd599645ea53add1b8a27 |
| SHA256 | 990f085ff1f283e012d33d0276278401b7bb7c901e04f7917d13165f9eb0b004 |
| SHA512 | 2415f1bd42f4ff763d772a2d90df5e6279cc7519235c699f3f5b0a015a9dc945d27b8214ef1d1d3aa47df8b8c72d42c29829f2f5f36a90028ee2479435a74ca3 |
C:\Windows\system\RvyQcAA.exe
| MD5 | afcdcdd14d14b02f26f6f3d1051e149f |
| SHA1 | 9086d92bea3ce85f9efce8e966eab8672ff7e35e |
| SHA256 | cf8da61b72a383d4075b6c42313281181e183f199aca264695da16fe6d19ee08 |
| SHA512 | 2084f012da94d9d6d27896da5f5793833d94074cfde3fa30bc07405edda13b0fd81f899fe4485dccd5345812b184f82bf1fb05c3f8dbea590879be590583898e |
C:\Windows\system\XJdhjPh.exe
| MD5 | 92c9921fe2b1e60cbcfede7cc9286bc9 |
| SHA1 | 8e0baf2aa68eae67653a415f4a3888e42fddb199 |
| SHA256 | abeb01fb8b198f5e7640131bcf7665b3aa1729cd75a62a43db06e25e2f5cafc5 |
| SHA512 | e2391edbc125e20abb863e099dcf8d1cc8e84a1071565835be4920ab22b6927daec6f0b0e27bc5bf4024b6981a6c5086956dfdd81e5cb6c63041e65ddc88ccf5 |
\Windows\system\RPZmduf.exe
| MD5 | 0f9759ab3f10c367077d9c283064da33 |
| SHA1 | a22a2baeff26161a877bcf36133526461dd5eab3 |
| SHA256 | d656cf45005a3297a78f1c0afb77e1fd7270f606f8e71333a6d9d8daaf8f02be |
| SHA512 | fca2b0e32aa6d5fe7fec9a643a92c746b5f8dd973308bb405c70dee80758ea372bce1844bde4957952a341ee1bbbcc32a8f0bcc4a4c1d8caf098d85a5685e413 |
C:\Windows\system\QZwYMIX.exe
| MD5 | 317c844baada6b78d2757ae01dd60b77 |
| SHA1 | 4dc601feaaa0331c37e7f75503e45350afcbf034 |
| SHA256 | 7b1ca10d37c7cca91bad1bc27694f1c0799776e35626c542ebc477dc8da76ead |
| SHA512 | 81df45d32913bfd19d058c0274d6bc8b4a89330449fd63c40224d8ae11a58c5500f2e843806b033ecbd961ee038ab897b7f469be359672ed19aaa86d7987b9a6 |
C:\Windows\system\jrvEfXa.exe
| MD5 | d1176e200522e57402d151466a2133ab |
| SHA1 | 5c1b178a3bbdc74cf7e69f6d21088dff44ac5719 |
| SHA256 | 5a171031e89580f117f95c17d41be110f7cd840da02e869fb41208853197659a |
| SHA512 | 45080887f750c353aa0b660984560198334e3e311514c7e42d9b4e9a0dbf921dfa2593a40ed67694cd503ff514e7efe8ccd763d0e944bfa5165c50fa0a6facb1 |
C:\Windows\system\qEMpiuA.exe
| MD5 | 246134a244cc801bacddde31e680232d |
| SHA1 | 3ffce6ece24b444661fab50765acd10699920ab4 |
| SHA256 | b25e35546621dcaf182b949c42fc28a1f5ad087bc2ef445a50caeeea53ddc837 |
| SHA512 | 8a3f4d097011e44d03b2423ab45f62daebc3d88432d83e41d0cebad2792a529dbf8c641f5bfe4e0d61557e22a54937a624153192ab5a1684147614a7b92a1c25 |
C:\Windows\system\GITggoi.exe
| MD5 | 88acbbd842967a06f60915a927f33e3f |
| SHA1 | 45cf0f7dcc81f28857469e474654ca5868979afe |
| SHA256 | 07b72327afe27fc88c8be8cca5d7b02bd6705dcf41bf63eda843df8081f388df |
| SHA512 | 6c05d9a651ee48239f4cd9edb73e91c7ef83e9d14c4b9d195e2cf69bfba572c61562688a2f943dd3d33c2549bba329e6c2cb2e7e42bddb33c0e26f8fee40246c |
C:\Windows\system\gUvsFvC.exe
| MD5 | 5b6c03b6cf4ce4bf2fc7278af61f2d54 |
| SHA1 | 12c13ffc5efd638bfbbd9ab54dfc4d7e91e1a038 |
| SHA256 | 9ca55556c92ac76c0af0e9dd774a3708fb5b2940247b31056b477c369b565e2d |
| SHA512 | 088f1fb11413bb0ad8acdf370bdd2c385d187b4831a5203e333dfebc0c12bd4659a390e5649dcbfa2dea0117222e89955c8a2928bb0bbaf39737c2a9e14284f8 |
C:\Windows\system\ghcIsyJ.exe
| MD5 | 970633dd2b2b84a5303cdd37eed46f47 |
| SHA1 | 69ec83062d4f5696426d82f75edf3adeaed8b708 |
| SHA256 | c666036451c022798272e66e57423a398db53b0484a387a5dbd77fe4f6270fc7 |
| SHA512 | e6a8b877e9671c75de353404560339bd6e1f3d74cd83983cb439fb0a9501d37a28494166d97bcb4d4de3f46a8ba773c5877c3507f95ed94d02e9eceb73e44124 |
C:\Windows\system\GRrQeQV.exe
| MD5 | 3daa8cfdbca1d9d351266d967ce3e4fb |
| SHA1 | a627c53b1ffd75984e6a84b348a49af60b803b2b |
| SHA256 | 3477036d2790bcd3cb1cd438499b57c00855a13632df78c30c08c6aa59f4dbda |
| SHA512 | d0bbbecc8d4362eb1cad526bd1b27ea8e948b666ef80837a8602ce7f0fb4bf1bec051f343cfd67c800366d8d50d01e7281e0a426ea0fc6000f06d5486f4c6d0e |
C:\Windows\system\ldIMvcQ.exe
| MD5 | 315d2b762e256d99d449c19ada1a716b |
| SHA1 | 81746afa982c423cff1acd7fb2d992c5962c13a8 |
| SHA256 | bf939f03ef31bc8ad4b45db0e279eebe4c51f820e905689d20308a279a9c41b9 |
| SHA512 | c502e4de4f21586fa707b7f4b8b3e6780cb5decdb820b0a597c1c2618a22073969a9020c51eddb6fdc4c64b68934564407d37a9cae62f2bb0adb09a991d00d0e |
memory/2584-116-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2640-115-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/2260-114-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/3000-113-0x0000000002260000-0x00000000025B4000-memory.dmp
memory/2528-111-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2588-118-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2456-121-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/1152-125-0x000000013F030000-0x000000013F384000-memory.dmp
memory/1644-127-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/3000-128-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/3000-126-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/3000-124-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2592-123-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/3000-122-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/3000-120-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/2596-119-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2808-117-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/3000-129-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2828-130-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/1664-131-0x000000013F440000-0x000000013F794000-memory.dmp
memory/1072-132-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2828-133-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/1664-134-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2528-135-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2808-136-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2640-138-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/2584-137-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2596-140-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2588-139-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2456-141-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/2592-142-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/1152-143-0x000000013F030000-0x000000013F384000-memory.dmp
memory/1644-144-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2260-145-0x000000013F6B0000-0x000000013FA04000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 08:33
Reported
2024-06-10 08:36
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\SRqPvyB.exe | N/A |
| N/A | N/A | C:\Windows\System\wkEbXDO.exe | N/A |
| N/A | N/A | C:\Windows\System\vxQjQqC.exe | N/A |
| N/A | N/A | C:\Windows\System\LaIGXyt.exe | N/A |
| N/A | N/A | C:\Windows\System\Ovsbxfu.exe | N/A |
| N/A | N/A | C:\Windows\System\pacrUQW.exe | N/A |
| N/A | N/A | C:\Windows\System\ldIMvcQ.exe | N/A |
| N/A | N/A | C:\Windows\System\dovlXIj.exe | N/A |
| N/A | N/A | C:\Windows\System\GRrQeQV.exe | N/A |
| N/A | N/A | C:\Windows\System\PxZUauk.exe | N/A |
| N/A | N/A | C:\Windows\System\ghcIsyJ.exe | N/A |
| N/A | N/A | C:\Windows\System\QUpJfoX.exe | N/A |
| N/A | N/A | C:\Windows\System\GITggoi.exe | N/A |
| N/A | N/A | C:\Windows\System\gUvsFvC.exe | N/A |
| N/A | N/A | C:\Windows\System\qEMpiuA.exe | N/A |
| N/A | N/A | C:\Windows\System\etikcPx.exe | N/A |
| N/A | N/A | C:\Windows\System\RvyQcAA.exe | N/A |
| N/A | N/A | C:\Windows\System\jrvEfXa.exe | N/A |
| N/A | N/A | C:\Windows\System\QZwYMIX.exe | N/A |
| N/A | N/A | C:\Windows\System\XJdhjPh.exe | N/A |
| N/A | N/A | C:\Windows\System\RPZmduf.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\SRqPvyB.exe
C:\Windows\System\SRqPvyB.exe
C:\Windows\System\wkEbXDO.exe
C:\Windows\System\wkEbXDO.exe
C:\Windows\System\vxQjQqC.exe
C:\Windows\System\vxQjQqC.exe
C:\Windows\System\LaIGXyt.exe
C:\Windows\System\LaIGXyt.exe
C:\Windows\System\Ovsbxfu.exe
C:\Windows\System\Ovsbxfu.exe
C:\Windows\System\pacrUQW.exe
C:\Windows\System\pacrUQW.exe
C:\Windows\System\dovlXIj.exe
C:\Windows\System\dovlXIj.exe
C:\Windows\System\ldIMvcQ.exe
C:\Windows\System\ldIMvcQ.exe
C:\Windows\System\GRrQeQV.exe
C:\Windows\System\GRrQeQV.exe
C:\Windows\System\PxZUauk.exe
C:\Windows\System\PxZUauk.exe
C:\Windows\System\ghcIsyJ.exe
C:\Windows\System\ghcIsyJ.exe
C:\Windows\System\QUpJfoX.exe
C:\Windows\System\QUpJfoX.exe
C:\Windows\System\GITggoi.exe
C:\Windows\System\GITggoi.exe
C:\Windows\System\gUvsFvC.exe
C:\Windows\System\gUvsFvC.exe
C:\Windows\System\qEMpiuA.exe
C:\Windows\System\qEMpiuA.exe
C:\Windows\System\etikcPx.exe
C:\Windows\System\etikcPx.exe
C:\Windows\System\RvyQcAA.exe
C:\Windows\System\RvyQcAA.exe
C:\Windows\System\jrvEfXa.exe
C:\Windows\System\jrvEfXa.exe
C:\Windows\System\QZwYMIX.exe
C:\Windows\System\QZwYMIX.exe
C:\Windows\System\XJdhjPh.exe
C:\Windows\System\XJdhjPh.exe
C:\Windows\System\RPZmduf.exe
C:\Windows\System\RPZmduf.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files