Analysis Overview
SHA256
77365bbe3797d7a048e83f2f634be853d6d5d8e1728580c74161226814d26130
Threat Level: Known bad
The file 2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
XMRig Miner payload
UPX dump on OEP (original entry point)
xmrig
Detects Reflective DLL injection artifacts
Cobaltstrike family
Cobaltstrike
Cobalt Strike reflective loader
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-09 03:05
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 03:03
Reported
2024-06-09 03:07
Platform
win7-20240221-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\gPuvRur.exe | N/A |
| N/A | N/A | C:\Windows\System\OAuocsi.exe | N/A |
| N/A | N/A | C:\Windows\System\sZpCIiX.exe | N/A |
| N/A | N/A | C:\Windows\System\pNQNKhM.exe | N/A |
| N/A | N/A | C:\Windows\System\LSUOzyP.exe | N/A |
| N/A | N/A | C:\Windows\System\TRYBSVU.exe | N/A |
| N/A | N/A | C:\Windows\System\wvgBkIp.exe | N/A |
| N/A | N/A | C:\Windows\System\IlBTeNl.exe | N/A |
| N/A | N/A | C:\Windows\System\gGFyegf.exe | N/A |
| N/A | N/A | C:\Windows\System\mCrqWzt.exe | N/A |
| N/A | N/A | C:\Windows\System\gUYWEXL.exe | N/A |
| N/A | N/A | C:\Windows\System\YYxoHYl.exe | N/A |
| N/A | N/A | C:\Windows\System\HCelRQk.exe | N/A |
| N/A | N/A | C:\Windows\System\pIpVhnD.exe | N/A |
| N/A | N/A | C:\Windows\System\SwzxbVZ.exe | N/A |
| N/A | N/A | C:\Windows\System\symRklM.exe | N/A |
| N/A | N/A | C:\Windows\System\WaxeNyo.exe | N/A |
| N/A | N/A | C:\Windows\System\kxpovlP.exe | N/A |
| N/A | N/A | C:\Windows\System\aSQtAuI.exe | N/A |
| N/A | N/A | C:\Windows\System\BbBoVnF.exe | N/A |
| N/A | N/A | C:\Windows\System\pIewjZz.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\gPuvRur.exe
C:\Windows\System\gPuvRur.exe
C:\Windows\System\OAuocsi.exe
C:\Windows\System\OAuocsi.exe
C:\Windows\System\sZpCIiX.exe
C:\Windows\System\sZpCIiX.exe
C:\Windows\System\pNQNKhM.exe
C:\Windows\System\pNQNKhM.exe
C:\Windows\System\LSUOzyP.exe
C:\Windows\System\LSUOzyP.exe
C:\Windows\System\TRYBSVU.exe
C:\Windows\System\TRYBSVU.exe
C:\Windows\System\wvgBkIp.exe
C:\Windows\System\wvgBkIp.exe
C:\Windows\System\IlBTeNl.exe
C:\Windows\System\IlBTeNl.exe
C:\Windows\System\gGFyegf.exe
C:\Windows\System\gGFyegf.exe
C:\Windows\System\mCrqWzt.exe
C:\Windows\System\mCrqWzt.exe
C:\Windows\System\gUYWEXL.exe
C:\Windows\System\gUYWEXL.exe
C:\Windows\System\YYxoHYl.exe
C:\Windows\System\YYxoHYl.exe
C:\Windows\System\HCelRQk.exe
C:\Windows\System\HCelRQk.exe
C:\Windows\System\pIpVhnD.exe
C:\Windows\System\pIpVhnD.exe
C:\Windows\System\SwzxbVZ.exe
C:\Windows\System\SwzxbVZ.exe
C:\Windows\System\symRklM.exe
C:\Windows\System\symRklM.exe
C:\Windows\System\WaxeNyo.exe
C:\Windows\System\WaxeNyo.exe
C:\Windows\System\kxpovlP.exe
C:\Windows\System\kxpovlP.exe
C:\Windows\System\aSQtAuI.exe
C:\Windows\System\aSQtAuI.exe
C:\Windows\System\BbBoVnF.exe
C:\Windows\System\BbBoVnF.exe
C:\Windows\System\pIewjZz.exe
C:\Windows\System\pIewjZz.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 03:03
Reported
2024-06-09 03:07
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\gPuvRur.exe | N/A |
| N/A | N/A | C:\Windows\System\OAuocsi.exe | N/A |
| N/A | N/A | C:\Windows\System\sZpCIiX.exe | N/A |
| N/A | N/A | C:\Windows\System\pNQNKhM.exe | N/A |
| N/A | N/A | C:\Windows\System\LSUOzyP.exe | N/A |
| N/A | N/A | C:\Windows\System\TRYBSVU.exe | N/A |
| N/A | N/A | C:\Windows\System\wvgBkIp.exe | N/A |
| N/A | N/A | C:\Windows\System\IlBTeNl.exe | N/A |
| N/A | N/A | C:\Windows\System\gGFyegf.exe | N/A |
| N/A | N/A | C:\Windows\System\mCrqWzt.exe | N/A |
| N/A | N/A | C:\Windows\System\gUYWEXL.exe | N/A |
| N/A | N/A | C:\Windows\System\YYxoHYl.exe | N/A |
| N/A | N/A | C:\Windows\System\HCelRQk.exe | N/A |
| N/A | N/A | C:\Windows\System\pIpVhnD.exe | N/A |
| N/A | N/A | C:\Windows\System\SwzxbVZ.exe | N/A |
| N/A | N/A | C:\Windows\System\symRklM.exe | N/A |
| N/A | N/A | C:\Windows\System\WaxeNyo.exe | N/A |
| N/A | N/A | C:\Windows\System\kxpovlP.exe | N/A |
| N/A | N/A | C:\Windows\System\aSQtAuI.exe | N/A |
| N/A | N/A | C:\Windows\System\BbBoVnF.exe | N/A |
| N/A | N/A | C:\Windows\System\pIewjZz.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\gPuvRur.exe
C:\Windows\System\gPuvRur.exe
C:\Windows\System\OAuocsi.exe
C:\Windows\System\OAuocsi.exe
C:\Windows\System\sZpCIiX.exe
C:\Windows\System\sZpCIiX.exe
C:\Windows\System\pNQNKhM.exe
C:\Windows\System\pNQNKhM.exe
C:\Windows\System\LSUOzyP.exe
C:\Windows\System\LSUOzyP.exe
C:\Windows\System\TRYBSVU.exe
C:\Windows\System\TRYBSVU.exe
C:\Windows\System\wvgBkIp.exe
C:\Windows\System\wvgBkIp.exe
C:\Windows\System\IlBTeNl.exe
C:\Windows\System\IlBTeNl.exe
C:\Windows\System\gGFyegf.exe
C:\Windows\System\gGFyegf.exe
C:\Windows\System\mCrqWzt.exe
C:\Windows\System\mCrqWzt.exe
C:\Windows\System\gUYWEXL.exe
C:\Windows\System\gUYWEXL.exe
C:\Windows\System\YYxoHYl.exe
C:\Windows\System\YYxoHYl.exe
C:\Windows\System\HCelRQk.exe
C:\Windows\System\HCelRQk.exe
C:\Windows\System\pIpVhnD.exe
C:\Windows\System\pIpVhnD.exe
C:\Windows\System\SwzxbVZ.exe
C:\Windows\System\SwzxbVZ.exe
C:\Windows\System\symRklM.exe
C:\Windows\System\symRklM.exe
C:\Windows\System\WaxeNyo.exe
C:\Windows\System\WaxeNyo.exe
C:\Windows\System\kxpovlP.exe
C:\Windows\System\kxpovlP.exe
C:\Windows\System\aSQtAuI.exe
C:\Windows\System\aSQtAuI.exe
C:\Windows\System\BbBoVnF.exe
C:\Windows\System\BbBoVnF.exe
C:\Windows\System\pIewjZz.exe
C:\Windows\System\pIewjZz.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| SHA256 | 163ae47279acb50830ec02b79789e088055a6e8341226f2206be0d255dd8478c |
| SHA512 | 00c856c7ac3c3aef0b9d89a6ed5bbaf78970d9d22a87e48cd731fccebd5e71d6500aaa754a82b4ce0b39c7b714fddd89b2569923f1a0c673801a335eb3819c64 |
memory/3144-38-0x00007FF7B40B0000-0x00007FF7B4404000-memory.dmp
memory/4020-30-0x00007FF669ED0000-0x00007FF66A224000-memory.dmp
memory/3964-15-0x00007FF77B8B0000-0x00007FF77BC04000-memory.dmp
memory/3724-44-0x00007FF705FE0000-0x00007FF706334000-memory.dmp
C:\Windows\System\IlBTeNl.exe
| MD5 | 01370593592887c2db697fecdc371f8d |
| SHA1 | 7678467f353ab0e45548990defb75ec09c05ad2d |
| SHA256 | 06b30f4c16221de09f64ec3c2de23e9a200c5ba6f6443db49b78a778954d8c20 |
| SHA512 | 9b7bd6600df4a89271555758b006e94a2541c259f563d373b9695858bb2a44c6dbb0f61894f6b562ef1474ddec5e02cb619ccb82a74dde17b40f27c019596f0d |
memory/4144-49-0x00007FF6384B0000-0x00007FF638804000-memory.dmp
C:\Windows\System\gGFyegf.exe
| MD5 | fbe62081b6eae9bcb8c89f46bf72b644 |
| SHA1 | c5bb97b0e55b3ef54859eabd2887a714580a4284 |
| SHA256 | cd52012c6675ebd43e61270f5d97ce131dc56aa476d4a4073e83498cdd576098 |
| SHA512 | ec6fec6e3ded3507fdf234b76ebe1f34cb5322983eedb5ff738daf4c3b0a54d95762d744caa6e3405957abc18a0be0e396b34e6dedc12a246cef86c8718440e1 |
C:\Windows\System\gUYWEXL.exe
| MD5 | 0936eba371f2f8f737013bb11af1426b |
| SHA1 | f3b0691109e4e23b1ed5882fe883a04ee188363a |
| SHA256 | 41df8c64773b34741dd22aef88fa5e6ff3fa8065de5ee810dacb6659de2ce793 |
| SHA512 | edfc791b43c65e01e1fe76f4f40f5ac08821ffd0e89bc68b3f2dce397366c1bc5a22cd2cbf533879f2173d088a0af05356e28879e24643a0e2c0086053d3c676 |
memory/4112-66-0x00007FF6F6DF0000-0x00007FF6F7144000-memory.dmp
C:\Windows\System\mCrqWzt.exe
| MD5 | 4afd6c8a74c90b9d41dbee3fd7a89ec2 |
| SHA1 | 30419adcd568d88f638da0cee70fa13f634b5a50 |
| SHA256 | 6e7e635fd441b4433df1a9e394ed8981c31c9dfebe7c5b9a1c6260153bfe084d |
| SHA512 | aa53ea5140d10bea642ad267b03f084eeec2a39ee57ac5583e2838583ea2c7c5d0df69ff24b898af4f6a41db030f9e7e581ec0e846a2616010debe009a2771a5 |
memory/2792-63-0x00007FF7BCCC0000-0x00007FF7BD014000-memory.dmp
C:\Windows\System\YYxoHYl.exe
| MD5 | 1ffd42fc6c3f39d2984d58faddde0a9c |
| SHA1 | 8a7c05b864bc6a20c9ab2990065259a46d6871e3 |
| SHA256 | cdb653e9270a894fb1342205cb6082fe9db66ed3879c5acde45094b6390ccf5d |
| SHA512 | bc9242d80dc6e29bf95ee406489d3197ddad9e1fc65151ba4dfda55d37c147243156f258025c7ed37e2aac7a6ad25cb4c35685fa72d5cafcd6ab26196fc774df |
C:\Windows\System\pIpVhnD.exe
| MD5 | 7aee1b782971b040e0bb34df87af6a54 |
| SHA1 | 7c8d73fb3285b8c4a26db66580fa6a393b43fd15 |
| SHA256 | d59b10688e2153d32464ea5bdf3007448739b7f88678f3a12871cd4034607406 |
| SHA512 | 1ca9dab696bf30caec85fe9616877399f5bd5e1dcba6ab5e23eecfff9f569773427916cfd64e78ca9b67c7d36be18a74f05830ee0a945165b5f35f0329712d1c |
C:\Windows\System\symRklM.exe
| MD5 | a0517f6051d7397584f490bfe150aedb |
| SHA1 | 13c2301ac4a93d25a846321306495075b5606b33 |
| SHA256 | 5f408207d8afe92d1f466e5774d18263694d2e070dffdec2016ae742f25e18cc |
| SHA512 | cb9c887daeaa90721da5ca420212b3c67423cf52b671040186174e78b6037d729f4be06fe93a084f99259cdceb49a8940ef564619bbca2c8733ef9aa802abdfb |
memory/2652-95-0x00007FF6923D0000-0x00007FF692724000-memory.dmp
memory/2956-97-0x00007FF75CB50000-0x00007FF75CEA4000-memory.dmp
C:\Windows\System\SwzxbVZ.exe
| MD5 | 9186682ebc23bc95e53c7c05cf946387 |
| SHA1 | 5a0a6fbc296f16f97b263fc2957f8101d42f8071 |
| SHA256 | bdde1442ef70ce9c0d9569f0b01cfae50500daf3c6674f1715da674487052297 |
| SHA512 | 2ba1903a27080202a5efdc32e3bd604ff4f0c0ee0352582828f1f6d1edf510a7fe84c1503bede0f029197699119c67f31f86736299fb2e54f648506c415126a2 |
memory/4020-96-0x00007FF669ED0000-0x00007FF66A224000-memory.dmp
memory/2404-94-0x00007FF6A5D10000-0x00007FF6A6064000-memory.dmp
memory/1028-93-0x00007FF65B330000-0x00007FF65B684000-memory.dmp
memory/1992-91-0x00007FF63B130000-0x00007FF63B484000-memory.dmp
C:\Windows\System\HCelRQk.exe
| MD5 | 946ab05db4ecb89ca92b54539ab3187a |
| SHA1 | dbb3ab65e1e64ad82a3930a1a36aff3edc04a27e |
| SHA256 | 2c62f5e2f6aa463e6953036d766310599a7904077e88b9830de703c5946e281b |
| SHA512 | b6d697e8f1d8412f6498a367ccb38354baabb2f6337046aa3f5fba11cee0aafb1ab8c3532955eb87df61db66f5dc1f78bf5c43f114b009bec258612204c00d56 |
memory/4460-79-0x00007FF760800000-0x00007FF760B54000-memory.dmp
memory/1188-78-0x00007FF7B9BD0000-0x00007FF7B9F24000-memory.dmp
memory/2332-71-0x00007FF7B7540000-0x00007FF7B7894000-memory.dmp
C:\Windows\System\WaxeNyo.exe
| MD5 | 104b32745e19e6fcbfa3e04320bfe7b1 |
| SHA1 | 8aa3ed5433428b96e0579c8864dbf2ef30d47a84 |
| SHA256 | 6eb513e13a4553ee8adbeffb7637de60e92f0daa1c91e05d4d8ec9691274b39d |
| SHA512 | cbcf0c3ddc3b705b5d25e345b4b91db345215eee286c3853e43cac92f2921b300d992a56eb25fc59790e5b30f872aac1529606e7402d87f02528a43305a7f705 |
C:\Windows\System\kxpovlP.exe
| MD5 | 91a85dccb2e21b2bac3861ad685e008d |
| SHA1 | d0250dad23562559891eb02eadd78422d5f5bfa1 |
| SHA256 | 877bc1c27d66b67306cda8c9ba32907b6981c48fce7951bf4864ccf5e4f2be52 |
| SHA512 | bef739af6c8b17f884b85f52d52f6cd93929e2f4917be8c76b7a138901df9e7f591238e0a40d46e516efcd09c5ed0864f3c8d1f218cf2303ec83e74d77fc62ae |
C:\Windows\System\aSQtAuI.exe
| MD5 | 47a4a7a6a2356df589d9ba441f55554f |
| SHA1 | 7eb12e50906a545537cfb9b9638e172b238baf17 |
| SHA256 | 060f804b2e213e4062fdc24564c6dc7ad87f71719b8c97ec5f0ba8abac25038f |
| SHA512 | be9090b3c9812658de85de96f54c696762ddc66481cd0d01e25d5009d73011a26fe83de16ee4f8a560d86613fa41cd11d7a83d7e52f6d3e8bb69139e5a5342a5 |
C:\Windows\System\BbBoVnF.exe
| MD5 | 5acc378baf509dcc061e3b67a83bc2ab |
| SHA1 | 6e041fb5477d1aa76df49abbaf7fd73c71db4fc1 |
| SHA256 | 826c9ee409a32d1f2a66372fc961eb5cdd921da0203980e408d20fd55c1220ce |
| SHA512 | b4b87aac3cf8ee4aad9bef7c7497914b8a82787e6a0c3ee87e67714a7bee53efa20ee95046bad87d20fcd29a7b142da3d45136d39edcaf2c61bf76fe9de3891b |
memory/4692-119-0x00007FF7D6380000-0x00007FF7D66D4000-memory.dmp
memory/3808-123-0x00007FF62AC50000-0x00007FF62AFA4000-memory.dmp
memory/4324-124-0x00007FF67E200000-0x00007FF67E554000-memory.dmp
C:\Windows\System\pIewjZz.exe
| MD5 | 7b0cd64d7f2f83eb9d2790da19c07907 |
| SHA1 | 52ae1623c0c198aa2ca91a6ec17bb5edce59ddb9 |
| SHA256 | 5fdb3a564df549499e23cfae47689a728b7b817aed68b46bb746e885d7e33f70 |
| SHA512 | a827682c7272db5a7e516bbff6ac2f3cb931abb962f21ce33ca6316b3b7025cae8a8715dfd5761d23180d6095133c268f9e2a3184b5f02c120751c7d0040f5ba |
memory/1012-129-0x00007FF6752A0000-0x00007FF6755F4000-memory.dmp
memory/4060-130-0x00007FF7D2C30000-0x00007FF7D2F84000-memory.dmp
memory/2792-132-0x00007FF7BCCC0000-0x00007FF7BD014000-memory.dmp
memory/4144-131-0x00007FF6384B0000-0x00007FF638804000-memory.dmp
memory/1188-133-0x00007FF7B9BD0000-0x00007FF7B9F24000-memory.dmp
memory/2652-134-0x00007FF6923D0000-0x00007FF692724000-memory.dmp
memory/2956-135-0x00007FF75CB50000-0x00007FF75CEA4000-memory.dmp
memory/1992-136-0x00007FF63B130000-0x00007FF63B484000-memory.dmp
memory/3964-137-0x00007FF77B8B0000-0x00007FF77BC04000-memory.dmp
memory/1836-139-0x00007FF6D4830000-0x00007FF6D4B84000-memory.dmp
memory/4020-138-0x00007FF669ED0000-0x00007FF66A224000-memory.dmp
memory/3784-140-0x00007FF617F90000-0x00007FF6182E4000-memory.dmp
memory/3144-141-0x00007FF7B40B0000-0x00007FF7B4404000-memory.dmp
memory/3724-142-0x00007FF705FE0000-0x00007FF706334000-memory.dmp
memory/4144-143-0x00007FF6384B0000-0x00007FF638804000-memory.dmp
memory/4112-144-0x00007FF6F6DF0000-0x00007FF6F7144000-memory.dmp
memory/2792-145-0x00007FF7BCCC0000-0x00007FF7BD014000-memory.dmp
memory/1188-147-0x00007FF7B9BD0000-0x00007FF7B9F24000-memory.dmp
memory/4460-146-0x00007FF760800000-0x00007FF760B54000-memory.dmp
memory/1028-148-0x00007FF65B330000-0x00007FF65B684000-memory.dmp
memory/2404-149-0x00007FF6A5D10000-0x00007FF6A6064000-memory.dmp
memory/2652-150-0x00007FF6923D0000-0x00007FF692724000-memory.dmp
memory/2956-151-0x00007FF75CB50000-0x00007FF75CEA4000-memory.dmp
memory/4692-152-0x00007FF7D6380000-0x00007FF7D66D4000-memory.dmp
memory/3808-153-0x00007FF62AC50000-0x00007FF62AFA4000-memory.dmp
memory/4324-154-0x00007FF67E200000-0x00007FF67E554000-memory.dmp
memory/1012-155-0x00007FF6752A0000-0x00007FF6755F4000-memory.dmp
memory/4060-156-0x00007FF7D2C30000-0x00007FF7D2F84000-memory.dmp
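The network table and the memory-dump names above are raw sandbox output, and two things in them are easy to miss when read by eye: the PTR lookups name hosts in reversed in-addr.arpa form, and every `-memory.dmp` entry encodes a PID and an address range whose size tells you whether the same image was dumped from each child process. The following Python is an added example (not part of the sandbox report or of any tool it names) that parses a constructed subset of those lines, turns the PTR names back into IPv4 addresses, pulls out the TCP destinations, and groups the dumps by region size; the row and line literals are copied from the report above, and the function names are the example's own.

```python
import re
from ipaddress import ip_address

# Constructed sample input: a handful of rows copied from the report's
# Network table and Files list above, embedded so the example runs offline.
NETWORK_ROWS = [
    "| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |",
    "| DE | 3.120.209.58:8080 | | tcp |",
    "| DE | 3.120.209.58:8080 | | tcp |",
]

MEMORY_LINES = [
    "memory/2332-0-0x00007FF7B7540000-0x00007FF7B7894000-memory.dmp",
    "memory/2332-1-0x000001EEA0540000-0x000001EEA0550000-memory.dmp",
    "memory/1992-6-0x00007FF63B130000-0x00007FF63B484000-memory.dmp",
    "memory/2332-71-0x00007FF7B7540000-0x00007FF7B7894000-memory.dmp",
]

# <pid>-<dump index>-0x<start>-0x<end>-memory.dmp, as the report names them.
MEM_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp"
)


def ptr_to_ip(name):
    """Convert a reverse-DNS name such as '149.220.183.52.in-addr.arpa'
    into the forward IPv4 address '52.183.220.149'; None if not a PTR name."""
    m = re.fullmatch(r"((?:\d{1,3}\.){4})in-addr\.arpa", name)
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")
    try:
        return str(ip_address(".".join(reversed(octets))))
    except ValueError:  # octet out of range, not a real address
        return None


def parse_network(rows):
    """Split the four-column markdown rows into (tcp_destinations, ptr_targets).

    tcp_destinations keeps one entry per row so repeated connections to the
    same host:port stay visible; ptr_targets lists the looked-up addresses."""
    tcp, ptr = [], []
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue  # malformed row, skip rather than guess the columns
        _country, dest, domain, proto = cells
        if proto == "tcp":
            tcp.append(dest)
        ip = ptr_to_ip(domain)
        if ip is not None:
            ptr.append(ip)
    return tcp, ptr


def parse_memory(lines):
    """Parse dump file names into dicts with pid, index, start, end, size."""
    regions = []
    for line in lines:
        m = MEM_RE.fullmatch(line.strip())
        if not m:
            continue
        start, end = int(m[3], 16), int(m[4], 16)
        regions.append({"pid": int(m[1]), "index": int(m[2]),
                        "start": start, "end": end, "size": end - start})
    return regions


def image_regions(regions, size):
    """Distinct (pid, start) pairs whose dumped region is exactly `size` bytes.

    The report dumps the same 0x354000-byte region from every child, which is
    what you would expect if each dropped EXE is the same mapped image."""
    return sorted({(r["pid"], r["start"]) for r in regions if r["size"] == size})


if __name__ == "__main__":
    tcp, ptr = parse_network(NETWORK_ROWS)
    print("tcp destinations:", tcp)
    print("ptr targets:", ptr)
    regs = parse_memory(MEMORY_LINES)
    print("regions of 0x354000 bytes:", image_regions(regs, 0x354000))
```

Feed the full Network table and Files list from the report into `NETWORK_ROWS` and `MEMORY_LINES` to get the complete destination and region inventory; the PTR targets are the addresses the sandbox resolved, not hosts the sample necessarily contacted, so treat them as context rather than as indicators.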