Analysis Overview
SHA256
c94081d5e83cd3fd6f98325ffab902f1cacf9ac8ea43a393adb207fe96d89efa
Threat Level: Known bad
The file 2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike family
Detects Reflective DLL injection artifacts
XMRig Miner payload
Xmrig family
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
UPX dump on OEP (original entry point)
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-10 09:23
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 09:22
Reported
2024-06-10 09:26
Platform
win7-20240221-en
Max time kernel
136s
Max time network
147s
Command Line
Signatures
xmrig
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\SOnpgAO.exe | N/A |
| N/A | N/A | C:\Windows\System\fDiEMxv.exe | N/A |
| N/A | N/A | C:\Windows\System\OulOuiz.exe | N/A |
| N/A | N/A | C:\Windows\System\VOIfsCn.exe | N/A |
| N/A | N/A | C:\Windows\System\StsQHWm.exe | N/A |
| N/A | N/A | C:\Windows\System\FbtsTqs.exe | N/A |
| N/A | N/A | C:\Windows\System\jCbllfq.exe | N/A |
| N/A | N/A | C:\Windows\System\dYyKbdJ.exe | N/A |
| N/A | N/A | C:\Windows\System\uZPMZvl.exe | N/A |
| N/A | N/A | C:\Windows\System\IRWnnkO.exe | N/A |
| N/A | N/A | C:\Windows\System\qjGWgUy.exe | N/A |
| N/A | N/A | C:\Windows\System\YgZeeGW.exe | N/A |
| N/A | N/A | C:\Windows\System\GPiZIhy.exe | N/A |
| N/A | N/A | C:\Windows\System\JdbyjSY.exe | N/A |
| N/A | N/A | C:\Windows\System\LVUmdcW.exe | N/A |
| N/A | N/A | C:\Windows\System\upUbGnp.exe | N/A |
| N/A | N/A | C:\Windows\System\qqAcdzX.exe | N/A |
| N/A | N/A | C:\Windows\System\WTKaDrX.exe | N/A |
| N/A | N/A | C:\Windows\System\WogSfSA.exe | N/A |
| N/A | N/A | C:\Windows\System\MWHGKxS.exe | N/A |
| N/A | N/A | C:\Windows\System\JmHZsmj.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\SOnpgAO.exe
C:\Windows\System\SOnpgAO.exe
C:\Windows\System\fDiEMxv.exe
C:\Windows\System\fDiEMxv.exe
C:\Windows\System\OulOuiz.exe
C:\Windows\System\OulOuiz.exe
C:\Windows\System\VOIfsCn.exe
C:\Windows\System\VOIfsCn.exe
C:\Windows\System\StsQHWm.exe
C:\Windows\System\StsQHWm.exe
C:\Windows\System\FbtsTqs.exe
C:\Windows\System\FbtsTqs.exe
C:\Windows\System\jCbllfq.exe
C:\Windows\System\jCbllfq.exe
C:\Windows\System\dYyKbdJ.exe
C:\Windows\System\dYyKbdJ.exe
C:\Windows\System\uZPMZvl.exe
C:\Windows\System\uZPMZvl.exe
C:\Windows\System\IRWnnkO.exe
C:\Windows\System\IRWnnkO.exe
C:\Windows\System\qjGWgUy.exe
C:\Windows\System\qjGWgUy.exe
C:\Windows\System\YgZeeGW.exe
C:\Windows\System\YgZeeGW.exe
C:\Windows\System\GPiZIhy.exe
C:\Windows\System\GPiZIhy.exe
C:\Windows\System\JdbyjSY.exe
C:\Windows\System\JdbyjSY.exe
C:\Windows\System\LVUmdcW.exe
C:\Windows\System\LVUmdcW.exe
C:\Windows\System\upUbGnp.exe
C:\Windows\System\upUbGnp.exe
C:\Windows\System\qqAcdzX.exe
C:\Windows\System\qqAcdzX.exe
C:\Windows\System\WTKaDrX.exe
C:\Windows\System\WTKaDrX.exe
C:\Windows\System\WogSfSA.exe
C:\Windows\System\WogSfSA.exe
C:\Windows\System\MWHGKxS.exe
C:\Windows\System\MWHGKxS.exe
C:\Windows\System\JmHZsmj.exe
C:\Windows\System\JmHZsmj.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2944-0-0x0000000000100000-0x0000000000110000-memory.dmp
memory/2944-1-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2556-37-0x000000013FC60000-0x000000013FFB4000-memory.dmp
C:\Windows\system\jCbllfq.exe
| MD5 | 2e820f8af7aa3bf225d37608a0a87341 |
| SHA1 | b813ceb09756bee341a57c9525bd3abdbe863ab8 |
| SHA256 | de3ecb3b5fcb41244e0ad238c42dbdcdb420cd69a0a9fd4969c3c2c21a4688aa |
| SHA512 | 94100e338184f7a3ae15a222a1475fa5698953edd851085d3fd0ba1cff9c8ac4fea1d0ffc946527b9efc401e37d9d7afc7e865918e1dcb595782d3b4242cf2f4 |
memory/2944-47-0x0000000002400000-0x0000000002754000-memory.dmp
C:\Windows\system\dYyKbdJ.exe
| MD5 | 06e7776c45522cd727375134e965e22f |
| SHA1 | b3c6cc8ec21bae0f0aa8708062a4e0f18fd21432 |
| SHA256 | 2e168c5305fc6931df6647569f2eac771398a9fe5bbc1782667bc1c201007bfb |
| SHA512 | 0b18810a5223438d648db6031a4bc963ddc222296395333088b069467dd1914822ad34fd9a3ff6c6694db24c914bdda3b30ab67d7943ad9a074d0ee7d9dc226d |
\Windows\system\uZPMZvl.exe
| MD5 | 798628437c4823e17d8e57facadaa5a1 |
| SHA1 | 4be9e2a956db29ed5fdc7d21ca59e87cd89097b1 |
| SHA256 | 61b9d4d4d42f43a523daed7217b3f40f7d5b10be4da6b41364f9ba7aebf7c2ed |
| SHA512 | 57d97fa3795a59d19b4cccff258a8d9e7722a5e6673f549c82548e40666fd134623544cd66d38e810ed3b23239001ffe1a19f35aac37a12faf1c5e8f1c30140b |
memory/2712-63-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2780-72-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2944-79-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2616-83-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2944-82-0x0000000002400000-0x0000000002754000-memory.dmp
C:\Windows\system\GPiZIhy.exe
| MD5 | 473e05b9007245959011d8397481c0c1 |
| SHA1 | a7d4ea5b3171641ef1500c4df41271c313a04d3e |
| SHA256 | 6ba75e2fc9b50af19f538f4cc133d1c407570cfd11f0a312bf6a106311ef45f5 |
| SHA512 | 954541c06ab2b82c50275ae68ae8fddb1bb35af652e3fec552c9a797fc3cf41cd1fd184fbc3762e033862a19b48a474528e6ad25930b9056a29df30461d32308 |
memory/640-90-0x000000013F840000-0x000000013FB94000-memory.dmp
C:\Windows\system\JdbyjSY.exe
| MD5 | d17d952a6dfc7f7d5b98cc09f0b7cbdd |
| SHA1 | fec0c348c1cdd77b648a3ba5748d48987d56b005 |
| SHA256 | 8184e8993fcef83d3b35fef1a39835244fc74f67e41d3b1febcdbef18a2c840d |
| SHA512 | 6b601426fee04e6970ad065a6a77a039ecdfdecd7e3e6db10af0a524fcaf1c5335d4a35a500337669f2dd87735e561f3c527213ef37f84e0fd9989bd932cf7f1 |
\Windows\system\LVUmdcW.exe
| MD5 | 9d367348bc2b0a338371873ab92b5ce0 |
| SHA1 | 7f656575ff1e475fc391f43341a8d5f4ac819b19 |
| SHA256 | 54a48f3a9df4f2d2df5308f04d9bbc5bfb754b7f4236b7d31d49f71134f2b309 |
| SHA512 | 8ea158cb453b86b762270e2cebce91cbe9a0e8b60ddc4e0fb3c531068e04df9f568fe69f34e169c5bdf6255c4c79c801e5f4b3c040f45ef12c24211a5d1dd454 |
memory/2696-97-0x000000013FC10000-0x000000013FF64000-memory.dmp
C:\Windows\system\LVUmdcW.exe
| MD5 | d5a548d48b0efc78b598096b40926b85 |
| SHA1 | edcbde6a385a137b3a91183bd121518426889baa |
| SHA256 | 42f01608c563e1fdeb6e59c7fe4c28f2c9f529fa535eccc55ea0c51405a8baf1 |
| SHA512 | 25418c0549804a91261fe95b79c8a224e9f918592399505462b2504c6a118a6cbc4de282a7f1f55658d164e02e3afa2dd9b17b9c5f19859d2429525050fbbc30 |
memory/2944-99-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2944-95-0x000000013FC10000-0x000000013FF64000-memory.dmp
\Windows\system\JdbyjSY.exe
| MD5 | 2cf608c269c2503d2d70c58a81a3676b |
| SHA1 | b27db114868b2570bcdef46af05f3e25d1657d56 |
| SHA256 | 80c0229d9b512aa75f940b04af50fe97eb5c2319dbc11286e86fb6cf98db6c5e |
| SHA512 | ecc09caa16a1cac3b87a1d0384cb3a95292ab2d07c7a7d188860c1c8564d6e5f42a729c4886644c27a4757027adccebb2d12d707596f0a50da9c8821e88ba013 |
memory/2944-89-0x000000013F840000-0x000000013FB94000-memory.dmp
\Windows\system\GPiZIhy.exe
| MD5 | 64608890dcd212091a87599b2f0612b4 |
| SHA1 | 642cba6fdd06687bf7b84652d1d79a4e1e6a2442 |
| SHA256 | b0713465db08a043a2fc63565826669db6692aab975c0e29a5185ae16112322b |
| SHA512 | 9bdeddb8d2b5d212ce44eb56a90491fbba59fad54bddc0d8b4b8bf820f02cd20cd341a5b8d7dee63bec0cc37a66e5649ab2d3fa0a94759da8902674545d3a347 |
\Windows\system\JmHZsmj.exe
| MD5 | 3c4936ba91eaa69f7fdbfccc9b857022 |
| SHA1 | d97c8ba6655ec64594f86192c6bdb9c832040c3a |
| SHA256 | f647e481490f98c412386808e010fe7c22bcbe8d3cebe4c6aae38fd2d6003c10 |
| SHA512 | 327dd607eb26134ae7933735d6de926b79e86a7c2a97c4f64919c1cdded613dd5e13b9c7b209f5d7e94d70772d16c0aa412b8bf1f7d9435384a504f194d13cc9 |
C:\Windows\system\JmHZsmj.exe
| MD5 | 7aaed59e81883ccc6a1f51d7ceba8aea |
| SHA1 | ad439da9e172d66fb363ee3ccdeb784403802da7 |
| SHA256 | 60993be56448ec872285aca4f955766be9ffb9322286c54762c862c7bff99a4a |
| SHA512 | a8213af11deee16995da3c584834892588465d8fcd7ba16d1dd81cde7e4051b7f82cc58b51f91d4f9df8d00b1ae51dd7c77c17c0b2f9917f25c200091d3e704c |
C:\Windows\system\MWHGKxS.exe
| MD5 | c83a72fd32d1ea03c4c25e0b40a06534 |
| SHA1 | de2f9cae4aaddd2cc18d23899ecdd1c809f91cc1 |
| SHA256 | c7c33166fb7303a687223dfb582067f939bce709fca5c41b819da2f4a6dcb359 |
| SHA512 | 01b6c66abfddb5df6a71e9a20ac803480a15bd6d8e038d46a607a93dd9ea600234a78f6bd587ad7d5b0616a8419e74ad1e4f1e4566d73f0ec035b67591e1923c |
C:\Windows\system\WogSfSA.exe
| MD5 | e36afd6c35c94d0a3760ffc5c520dbaf |
| SHA1 | fcfc435aabd0379d632916351cc7214f0664adaa |
| SHA256 | ebd86d5f4a0406fe798891a46ff8fabe34a9c281968b64c8280b930804f0c378 |
| SHA512 | 85f6a8dd361a30c09ef040453801cb93767c13eb3ac2e43c9b6b850094d02a297b76981263b283089ab424f00f181a7668301067964aa2871c2c59a079aee447 |
C:\Windows\system\WTKaDrX.exe
| MD5 | d40da3f72b1d0ff826f884cc7bd2f64f |
| SHA1 | 595107e8eeeb9ebf769d1150884a0116a28ff187 |
| SHA256 | 2fa22e04917720135e7a1682bb830fdfcb60dffeb587ca30bb2c2d0c5bfb8ae6 |
| SHA512 | 45a0a431e2ef2af7274cccb93798b3808553eef56456dd590718a6ad5f1100a72b5d0e312e97f60b8d225c223b97ad48f02e0e480cde2b6cf85b0f7b0144968f |
\Windows\system\WTKaDrX.exe
| MD5 | bfe1cf23f0f502213cae1ec2f78f716d |
| SHA1 | 076b515974d2bf63967d59a6dc0a17b696d54075 |
| SHA256 | 307be75b3b328023566c69390a465ea651e48b5d5552661259a739aff948c1f9 |
| SHA512 | afaf3bbda04cec4f2f84d03994e15e67d6b8de09a08cc4a1926a00fb5b952360f1ef60c0c6bb8cfc013b4f061d156b1aa97e987bec07b1dff9541f8749a6847b |
\Windows\system\qqAcdzX.exe
| MD5 | 314443a3e1d326f4d0ae325268d0a3cb |
| SHA1 | cae79eb9491bd5710642496562a3e9bf1f8c3f64 |
| SHA256 | 6125164f3647ae1fd03ea3b1d8ead097c3c13d01b86bc85db540ad05b7482030 |
| SHA512 | d362df1a89ca8040636780edb1c21d00b1dd6b210f931aa0b39181c09aaeec00bf55bb78a4aae06319204dfa3c9bdff7fda633a055d7b5bc3569a4e8c2759e78 |
C:\Windows\system\upUbGnp.exe
| MD5 | 90be846177ebce09b1bfa8b40630684a |
| SHA1 | 43a2c66ff47d9e295f18f8c18fe76b69e8850154 |
| SHA256 | 2237948f07e37d90442b50a92836356588f3ae1e31ae0d8dac227315cf2c7f65 |
| SHA512 | f4ff566c9eaa4a50bcad3cfa87bbb92d072dc2249f94ae304b8cb104e61cee98dba9f3ef0ceebfe48bef05c9c2df36d9188d043c7aa83ca58742993e634b68a6 |
C:\Windows\system\YgZeeGW.exe
| MD5 | 03b1764556b0d07f54050f99d7902224 |
| SHA1 | 9ce874a7c6589e716d72a032bf4a1674a6b96d94 |
| SHA256 | 41e41c2c64d4536cacd90e62cab5db3682930ca34e93fa589977512a02064965 |
| SHA512 | 81a7b86d614a98f85d8d348baa710a1de131ed3ca519baafe45637a70ec4efe5731630a1469374b97246c9fd70bfdca18ed68c31e2d7b0b7f466f072403b51f4 |
memory/2468-77-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2212-75-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/2612-74-0x000000013F330000-0x000000013F684000-memory.dmp
C:\Windows\system\qjGWgUy.exe
| MD5 | 6aabe2e748cee6d07f24c026461cb48a |
| SHA1 | fe435ec8690de5aed611e8b6e996882f126c4bb9 |
| SHA256 | 551c2573568f6ad35d10f80b58ca4997f5dba80ae615fb3a522cbfb755fa022a |
| SHA512 | 13d999d941baed2473792d915bae6ed172cd29ce935c44fff65629b650c371ebe29b735b83455a9a37b0fdfa4912df807a91d4e5572cd52076bb1f8b14ed1cf5 |
\Windows\system\IRWnnkO.exe
| MD5 | 53316368a5c35bfe8d2650de718bf34c |
| SHA1 | 1f19034b7b11940fd11aecb68e1e1001adf683cd |
| SHA256 | e0c333f848fe9c9f14b05e33c591c684ad4110067b4eace58f300da96c22985e |
| SHA512 | 8b208e51a71160cb1b5808744c50b1438ba943bd3e381649ef8dea146af35ef7878ac903d4569a46f0c64ef098a935d18e4382fdb3f217b2d57b02a94f54480a |
memory/2944-66-0x000000013F910000-0x000000013FC64000-memory.dmp
C:\Windows\system\IRWnnkO.exe
| MD5 | ec92e07b02f20d795a0e1863fe069dc8 |
| SHA1 | 5076ad4225509fb06df6a1c7d82542c5a224c871 |
| SHA256 | d93ccd8bbd9241ae214cf9bd04fec1c798bfa78296802457f50c065fad349de1 |
| SHA512 | 5cea4a90d5b075c2c3843f219d649bcc179719c667dc7e023eb40c8f330b42346385b74a58e4419cdbca8a4582a56595f734d564e1b2748ba9d9dc4d7400b368 |
\Windows\system\qjGWgUy.exe
| MD5 | ccf7e0b017f1f57e15628f2b144791a7 |
| SHA1 | 541751df01a48b92c0e1bbf53d3d82e0a047034d |
| SHA256 | 7f5a8c6275c0337803eaf59b78ec5be8cc02c704ff17f9440537b2d843501c93 |
| SHA512 | 0c3526ea832ca44194f9d6e573294c04ba39d0fddaa17548d289d0175238d916d47141db5e4e89d41239a154037c657a07d52a72591424920afb9b685f0525fa |
memory/2944-58-0x0000000002400000-0x0000000002754000-memory.dmp
C:\Windows\system\uZPMZvl.exe
| MD5 | 51a51ebc84c388c79a91f0b3179b5c2d |
| SHA1 | 3c972a7b976a1850c5cfb1f9d7c2c42730c06f8f |
| SHA256 | cbfbbcf972fc71c8f8ee59465cf3f9800b7e00f9c21efbdabbf3a708d55ab9e6 |
| SHA512 | 65a0879242c47331e54a5a0993ab3eaff209a8935d346f6cbc6005b8903a4ea25b77854b41878c75510a37292ca93d1e0b4470998505fe051262be09344375bb |
\Windows\system\dYyKbdJ.exe
| MD5 | 9fae6a62d0e7737cd1f90ae57eb20b3d |
| SHA1 | 13784b0da7ba1dedd03f6abdda89b4afea844996 |
| SHA256 | 01c73a08c7489480d1f803769c13916571cd7bd967246a4c2426c45f5800ef2c |
| SHA512 | 820a39f84575455d289b1f5165babe217901b51c9a818650b199bc3390d3737f43758b6f24b9b34f4ba07b5aa4010222d008eb2fbec1b5af4fb196e1fdf5b3f4 |
memory/2840-48-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2944-46-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2944-45-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2644-41-0x000000013F140000-0x000000013F494000-memory.dmp
\Windows\system\jCbllfq.exe
| MD5 | 4680f13079c0e48ee439b976a9ac693d |
| SHA1 | a5c12784c8da3cfabec20069ab3c25a1dfc4425f |
| SHA256 | 0e6bfb7d33136e38a277815d9f2033d77a81430c490510147ae8c15098c1a1c4 |
| SHA512 | 237160c9b2ec927f1f7f8eb93eb0998feae0a5fdd096d5d2839acdea62b53ff40c45b15a6c068ea902eeaba138635691258cd1beaebf5b47a125222bc088363f |
C:\Windows\system\FbtsTqs.exe
| MD5 | 977386e05d43a135b6e404a1960d7bc0 |
| SHA1 | 763800e9f7b3068ec836119e3cb480edf764c444 |
| SHA256 | 9d9d9529f9a54cfec92ff0817ece8548d369cb1de1628f0e773611998cde0c5e |
| SHA512 | a1d26f11fbea269491e824fc7d2d40c00fe1fe8385711294ccc9c2165d61d76bfeb4274070c882235be800f68485144c058702e098a07fa296183730a5dc3385 |
memory/2968-32-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2944-28-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2940-25-0x000000013F040000-0x000000013F394000-memory.dmp
memory/272-23-0x000000013FB00000-0x000000013FE54000-memory.dmp
\Windows\system\VOIfsCn.exe
| MD5 | 3aaf7053b1006fd7d70c363e848b8e8e |
| SHA1 | e2be9819683f0283d109809481c733839febbc3d |
| SHA256 | 2fa086ee3728339162cc3efc11e0508d1f1e7cae6d38f9e6760e87a8d8f0ce12 |
| SHA512 | 130dd95ec7cc0fb5ad51a6ff145ab69cb89e3ab2460901bb7cc8d243ccf54f04b145bcad784faf61c4e1b14203cbfa8785cb8650d5bbac13727aba2d8a9c9ee7 |
C:\Windows\system\VOIfsCn.exe
| MD5 | ff64dcb83e4bfcbec95c1199068a4029 |
| SHA1 | 01f05afdcb01e8ad3ef58e9fa9bef68f24d046a7 |
| SHA256 | 8efa3f8aa831de7fe27cf1cbe36bbeb398f5d663c062d85acba5fe5c7378e48b |
| SHA512 | 06923ac204cf11b9d902f24bbbe8d40fcac11c82ca7b20accd56287ae5b42ce760e7423e128d433e189b023a4f6db6a19e8634cbefaf2d5abef747cddd00411d |
memory/2944-16-0x000000013FB00000-0x000000013FE54000-memory.dmp
\Windows\system\OulOuiz.exe
| MD5 | d86c13c002e1f9c3d18cea41a8f7272f |
| SHA1 | 17b169b1bbff68c674d94b4d5e154ee9030bd7be |
| SHA256 | ceb45eeeef4cecffe5421da62919d4d6e2499dda9d0d0390457610d4ebf3217f |
| SHA512 | c03bf374cecd07327461316e12a491e0707d965095efa204623ede1c8a9109820dcde79f32914948c8a936806132a47556176cce4d7174e7d3d33a84c10401ff |
memory/2944-133-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2944-134-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2944-135-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2840-141-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2712-142-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2780-143-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2612-144-0x000000013F330000-0x000000013F684000-memory.dmp
memory/2468-146-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2616-147-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2212-145-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/640-148-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2696-149-0x000000013FC10000-0x000000013FF64000-memory.dmp
memory/2644-140-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2556-139-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2968-138-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2940-137-0x000000013F040000-0x000000013F394000-memory.dmp
memory/272-136-0x000000013FB00000-0x000000013FE54000-memory.dmp
Analysis: behavioral2
Detonation Overview
Reported
0001-01-01 00:00