Analysis Overview
SHA256: 57c501cb95104b1d038195f4431802be7d344be26274097e7248f7dd2ec710d6
Threat Level: Known bad
The file 2024-06-08_20d7d63e9e90012c575da3d39f08861f_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Xmrig family
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobalt Strike reflective loader
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported: 2024-06-08 11:25
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-08 11:25
Reported: 2024-06-08 11:27
Platform: win10v2004-20240508-en
Max time kernel: 142s
Max time network: 154s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WqotNfu.exe | N/A |
| N/A | N/A | C:\Windows\System\vdtaNlf.exe | N/A |
| N/A | N/A | C:\Windows\System\WPDyhKC.exe | N/A |
| N/A | N/A | C:\Windows\System\lfEfIni.exe | N/A |
| N/A | N/A | C:\Windows\System\xvOYJFZ.exe | N/A |
| N/A | N/A | C:\Windows\System\GsNgUAg.exe | N/A |
| N/A | N/A | C:\Windows\System\LKYtQAp.exe | N/A |
| N/A | N/A | C:\Windows\System\nzfPutX.exe | N/A |
| N/A | N/A | C:\Windows\System\jcePZeU.exe | N/A |
| N/A | N/A | C:\Windows\System\fWXpBbV.exe | N/A |
| N/A | N/A | C:\Windows\System\BVAYXGJ.exe | N/A |
| N/A | N/A | C:\Windows\System\ZFnSgMg.exe | N/A |
| N/A | N/A | C:\Windows\System\hJLHSJP.exe | N/A |
| N/A | N/A | C:\Windows\System\bdxApnf.exe | N/A |
| N/A | N/A | C:\Windows\System\zjrrdip.exe | N/A |
| N/A | N/A | C:\Windows\System\aZePIMr.exe | N/A |
| N/A | N/A | C:\Windows\System\jXqtdJv.exe | N/A |
| N/A | N/A | C:\Windows\System\wgNAIGU.exe | N/A |
| N/A | N/A | C:\Windows\System\VYScpaD.exe | N/A |
| N/A | N/A | C:\Windows\System\HwMTgYl.exe | N/A |
| N/A | N/A | C:\Windows\System\bsJMGlq.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_20d7d63e9e90012c575da3d39f08861f_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_20d7d63e9e90012c575da3d39f08861f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_20d7d63e9e90012c575da3d39f08861f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_20d7d63e9e90012c575da3d39f08861f_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\WqotNfu.exe
C:\Windows\System\WqotNfu.exe
C:\Windows\System\vdtaNlf.exe
C:\Windows\System\vdtaNlf.exe
C:\Windows\System\WPDyhKC.exe
C:\Windows\System\WPDyhKC.exe
C:\Windows\System\lfEfIni.exe
C:\Windows\System\lfEfIni.exe
C:\Windows\System\xvOYJFZ.exe
C:\Windows\System\xvOYJFZ.exe
C:\Windows\System\GsNgUAg.exe
C:\Windows\System\GsNgUAg.exe
C:\Windows\System\LKYtQAp.exe
C:\Windows\System\LKYtQAp.exe
C:\Windows\System\nzfPutX.exe
C:\Windows\System\nzfPutX.exe
C:\Windows\System\jcePZeU.exe
C:\Windows\System\jcePZeU.exe
C:\Windows\System\fWXpBbV.exe
C:\Windows\System\fWXpBbV.exe
C:\Windows\System\BVAYXGJ.exe
C:\Windows\System\BVAYXGJ.exe
C:\Windows\System\ZFnSgMg.exe
C:\Windows\System\ZFnSgMg.exe
C:\Windows\System\hJLHSJP.exe
C:\Windows\System\hJLHSJP.exe
C:\Windows\System\bdxApnf.exe
C:\Windows\System\bdxApnf.exe
C:\Windows\System\zjrrdip.exe
C:\Windows\System\zjrrdip.exe
C:\Windows\System\aZePIMr.exe
C:\Windows\System\aZePIMr.exe
C:\Windows\System\jXqtdJv.exe
C:\Windows\System\jXqtdJv.exe
C:\Windows\System\wgNAIGU.exe
C:\Windows\System\wgNAIGU.exe
C:\Windows\System\VYScpaD.exe
C:\Windows\System\VYScpaD.exe
C:\Windows\System\HwMTgYl.exe
C:\Windows\System\HwMTgYl.exe
C:\Windows\System\bsJMGlq.exe
C:\Windows\System\bsJMGlq.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\WqotNfu.exe
| MD5 | 3ee82894cbcf64cd1790fb2b6fd37250 |
| SHA1 | 21ae0cd0fed73bad1dc2029eb2a2a0162fe9cd83 |
| SHA256 | 7f4bdc1e40f1324ea6e18960e576a9cc04a509718efac2f956ed08270d86a3e7 |
| SHA512 | d8eec143f9f89f021e4745f303e8eacb0671e005da4ef00ecfe2fa5dd381197da62dc6e4cba911baea72f308706b44616ad69df083429988c29423439b01801b |
C:\Windows\System\WPDyhKC.exe
| MD5 | 95e22a2367da9506c3f0db58b2cbaa59 |
| SHA1 | 1cb1193ef1fa9c39e9ac45a5c4b03d01084c70f4 |
| SHA256 | 81e375da6e56465b44f70ce0b4ec2a9987efb2c107398d0acc39de04352ef1d0 |
| SHA512 | 4a7e2a8fe274ca3990741b1140d907e1f41015a2557604916ea290f05c0485130de9d2be04d50e6b5868ff9bf93f1263e492cda9a461c40cf6d881cde3173175 |
C:\Windows\System\lfEfIni.exe
| MD5 | cc80f943b4cce0eb932c46232eb7a349 |
| SHA1 | 2e8f549de17e0b4d5090958d729801574ca3571c |
| SHA256 | 93541a5fef64dd30f00cbf2270a791fd4b465292629180c93f1b24cbefc4c42a |
| SHA512 | 8c9736da37bb1449fd5d25e2e1ab6cb670175b15224de6fbb4db0ce228155d365224e2c2ab583c72b66b62dc33ebce9205bd2f101dfdf6d9f0ad4f478842b114 |
C:\Windows\System\LKYtQAp.exe
| MD5 | f79ff1f8c94c6672b2762d21ad755b95 |
| SHA1 | 23645587d097eb873f560e22800f409fdbd69d80 |
| SHA256 | 81b78896e9d0cf09ab3e06af981ada40fd61c9ab32223c2f263b35cf38ebd4ab |
| SHA512 | 99cd5f75edbacea17eae660d4c29fe62ae51a77e8b7afa8d5bacf737a3f01bb6ead8a44545d7ee168fe820f13441a7c5be184d05d8eda45c3d1b717129eed400 |
C:\Windows\System\fWXpBbV.exe
| MD5 | e41e6b6c0f5dc22063ad3c6d0358e685 |
| SHA1 | 3aea1c49b63f8b7a97c26dc82530a8237877f4e2 |
| SHA256 | b113fd86677e3ff7bc5fd03af57fc7b7ecbd398a41c4971357138062be0bbe4c |
| SHA512 | c03e83307b6355800bbf2b8a873f8b1952bbcf66a7094026ff1f88fff3d9663973df3c503ff06190c5ece710f8fca27ec3bdbde5c6b274423d00da141a36e551 |
C:\Windows\System\BVAYXGJ.exe
| MD5 | 2480216a710cb53fe131b647db46cb33 |
| SHA1 | 7e340d3230fc4da3d5dda536ba92669c9e4b611d |
| SHA256 | 14821fd8b37d7810a5a30b130e6595ccbd14179e9a81c67b6fce1d0bd53cc76b |
| SHA512 | b5ffb622b7f777208bd26013c01cc3ef2b89a32660a7893959847d0456c1c03bb59cd8b40274036d9d9fa976322120529ee4d19832d1f0a56ff7bffa98011a61 |
C:\Windows\System\zjrrdip.exe
| MD5 | ac33b1ecd802b014f7fa15c2a3cec742 |
| SHA1 | 678c72ad5030ba1dc9983632e8ccfab85ca385ac |
| SHA256 | 05e4e944b36c7a663592fa79cc5a9b363584d271b3fb7d9c49e1b9f6bcac50f9 |
| SHA512 | d1f0842f740feab573c515360c0c9280f9eb227dc192df65e79466d55e4b56240aae6ef65088bab202496a33786010d8f212fe0d57ead3970b4503b6df5bb047 |
C:\Windows\System\bdxApnf.exe
| MD5 | bcac6f630e5324ce78cd12647e76eef9 |
| SHA1 | 0e76cf15f78e4a19a64acfdea8a63d58b0bfdb21 |
| SHA256 | a855f82dc6271bcd79754b28cb2fc45801905c227128437386a55e2c9034294f |
| SHA512 | 3e73f1c2be4754cc605392f261644445ebd9de6ce630bf4510ec23083b31e45eecf00e4aaf147ed6bddf81c4b328d9601072f2a079dfb900c68698f555c84e71 |
C:\Windows\System\hJLHSJP.exe
| MD5 | 73dd36936d7cc54081fd9a5e987a00be |
| SHA1 | 01b67ed038c815eaa237c72f8dabde671b37fafd |
| SHA256 | e66d2388a96efc62b2848bd8635df3ae5b075244aa3a2c87c8b910ac72dfb9d6 |
| SHA512 | 8e9313d82659450c5667d2c872369a0ea2fcd741903d200867f692613f21148e251cb3c1051df63e222d79c44c7ca5e34194bef0d326a103a381d4b93b2e8c6a |
C:\Windows\System\ZFnSgMg.exe
| MD5 | 0cbe2b55c1cca1c28de9a9d062211ce5 |
| SHA1 | d25064ce9219cc7e93b9410b5e5ce8e5861f4c55 |
| SHA256 | b8606428f9dd7b1208d16ab2a75938f0739fe6ba2a11fa6378336a2499587dba |
| SHA512 | 95a93694ca9d7d8314b1ed71540be3362ff48fff6e9f91ddf438a4903865550f0a7309a4b8080166db5337dbec708dafa91d1807876763bcd7c6f8d17dafff54 |
C:\Windows\System\jcePZeU.exe
| MD5 | 3cbfe46e3882937d75d627f9c8c9b2df |
| SHA1 | 8b8170d2649a9592ac153cbf5943e516c910dd31 |
| SHA256 | c3fae2e99fea247835a1618acc150876fb102adea4e5c50788d7673f798413f0 |
| SHA512 | c2a01c3961ff0a4c02c32d1a3845ea2ae86cb640dca8b663220a25bab4f0cd0aba5310618da63145cba3d0994aed795445d7ad4008e5d7c2b794cdc35df4a05a |
C:\Windows\System\nzfPutX.exe
| MD5 | 5f60b8883e19b2df964fc227ef037e42 |
| SHA1 | 69d2e7a2cf752f81e4b303c7659331e37985d67e |
| SHA256 | 19d9d2a424714f6a4c822e17ecdd9e9442e2cabc6ec2fc079747822013e77201 |
| SHA512 | f0a40680e2a0e689d5f37de90be6a52a0d654eb6c8f647f6bbebd6fbef5a3d48e5bcbda2e2b1d2ca2fc2a906fbe332b6ef70d68c89d79c9ec69d6431eafd766c |
C:\Windows\System\GsNgUAg.exe
| MD5 | 50ff78c48be6839c1ed8c89d8e691304 |
| SHA1 | 2d9c314bab598cc33060e059761921ddc1072653 |
| SHA256 | 4e629e3d1170160e84e9e5fadf53fb93a6e85f96bc3aa5273bba43817bfd3579 |
| SHA512 | 2bdc330a02279413fd4d05a991d60e8e48d6d540b45f26b0c29f7d8f25daf9c87159a20b06de7e29714741ba39e365f376494bfc906bfb6de488a2e74c1c8061 |
C:\Windows\System\xvOYJFZ.exe
| MD5 | e1430998f11048704ac95cd7030bd8e6 |
| SHA1 | d5298d6ae7cb7b617ea059b4959a6ae9553d6748 |
| SHA256 | c628bc62fc4a6884ed33291791ab8170780d1e49b4341368ac0b20395da16bea |
| SHA512 | b472979f96222c07499593da54ff20d4ea91f19d87f71a40b0c308e9142e8577015ec34074bffd63eb9d3cd126ce50af8b273ebba5840849ba614a1bf6d5da42 |
C:\Windows\System\vdtaNlf.exe
| MD5 | 51ef747c77f9a39c5f5a87a9c8cbe488 |
| SHA1 | 746a644a5e558355993e263aac3ddb7981c03419 |
| SHA256 | 825f977b90861c0afeeecdc70896c559f8ae6c9ffc61c390e20fe2a54178e089 |
| SHA512 | a17b89205c82a1a54bfb69a7802974dbe0624d8c63415742bd850773390d59c8965bdaaf322d4921cdbb64255f9806d11495c7952be2bd99452e7e4c4f64df21 |
C:\Windows\System\aZePIMr.exe
| MD5 | d12b647aa52790e982f9b969426e08af |
| SHA1 | 648cc91cbd80daf8197d6d48808e15a1215206d9 |
| SHA256 | 12fb84ce5655585202ea3d1908fd69c2947952b34d13f4ad196ab4da0a112c26 |
| SHA512 | 7905de672b35c4a124badd47989f74cb44e906f5eb0325c02937e85b35a59a82f837aef3cb6119043d62037456c3affe41f0c87f38d21976bbed5e607791147d |
C:\Windows\System\jXqtdJv.exe
| MD5 | 8c55eac1bd5bb8aa0d38abe3bb7d761e |
| SHA1 | ac9dde5bdb59d4a6fe137fc43b05627065835547 |
| SHA256 | 71e457c94069e62eaa4c8b47e3d15a73384a3421cadd4fe6a0ab27c62258231b |
| SHA512 | 641f6d34ef64a227e99449fab9ceb71c7d7ddc9c3e3846818435fe4b7a10660d3ef1ad0d7248ce4690cf0892d8c6df3c21e027351975e9e3e27e590299a22536 |
C:\Windows\System\VYScpaD.exe
| MD5 | a973196241383a273d68d9230d2f39f8 |
| SHA1 | 7862476635ed15201fb11f605ae4a5a09411483c |
| SHA256 | 2e6e5b3203ce027c2addafd68ab0d425e0ed1c3471e72451a6b2976cb8ca4207 |
| SHA512 | 929b25e7ed62555b8056ca077d06dbdbd19e14a24f8387f996f21f8a8155260b466a773331a5ec4bd381235044cd7948f06cb51596ddf4696090bcce3cc73106 |
C:\Windows\System\bsJMGlq.exe
| MD5 | b27fe693d0c8f0aaa9755f6b9b844b04 |
| SHA1 | b2a08dac1f35be3e4aa408cfdea18e2724abfef6 |
| SHA256 | eb082097ad7483e2484f55654d90bc8962c87489c242314ad8dd88398b65b42a |
| SHA512 | bb370c68b400132f05c361dc9067de2363556104995dee63b88923f3a92c9a237b81d2ec1ce74adbf083b862d8e6cc2bd73f5f12b9451dada05ecbe2c6594f54 |
C:\Windows\System\HwMTgYl.exe
| MD5 | c1d055c4708407dc326e2769178a675a |
| SHA1 | 52a2451f9ca3e513db81bea97fb180651717bd97 |
| SHA256 | ca96326073bd24851f436b55437439c18777e87e75678adee33e14ac6489f609 |
| SHA512 | 48910c1e0b62b393ffd74b8da5463969f4058ddaa03a86e453c60062154d3c8984da97353f8ac57addaae7fb74357edb82368b2732403fb15f91284c12e361b4 |
C:\Windows\System\wgNAIGU.exe
| MD5 | a94e54c5f7bd590aa0a120e008344347 |
| SHA1 | 418423a9e0690ed47b9afbe0b2179058be3b5850 |
| SHA256 | 787eb2991fab107983eb63b6175a74a5f8d460e4be2971aa064ae8c1c8013ec3 |
| SHA512 | f805d60fdb56c73f3dd9e05f6715c7cf8c83f6823c925710d9c0b75b3ab475889c0ee5ef4395542c970a878f053e6785e689904f68783abddb060cadfcc5c3fd |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-08 11:25
Reported: 2024-06-08 11:27
Platform: win7-20240221-en
Max time kernel: 148s
Max time network: 154s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WqotNfu.exe | N/A |
| N/A | N/A | C:\Windows\System\vdtaNlf.exe | N/A |
| N/A | N/A | C:\Windows\System\WPDyhKC.exe | N/A |
| N/A | N/A | C:\Windows\System\lfEfIni.exe | N/A |
| N/A | N/A | C:\Windows\System\xvOYJFZ.exe | N/A |
| N/A | N/A | C:\Windows\System\GsNgUAg.exe | N/A |
| N/A | N/A | C:\Windows\System\LKYtQAp.exe | N/A |
| N/A | N/A | C:\Windows\System\nzfPutX.exe | N/A |
| N/A | N/A | C:\Windows\System\jcePZeU.exe | N/A |
| N/A | N/A | C:\Windows\System\BVAYXGJ.exe | N/A |
| N/A | N/A | C:\Windows\System\fWXpBbV.exe | N/A |
| N/A | N/A | C:\Windows\System\hJLHSJP.exe | N/A |
| N/A | N/A | C:\Windows\System\zjrrdip.exe | N/A |
| N/A | N/A | C:\Windows\System\jXqtdJv.exe | N/A |
| N/A | N/A | C:\Windows\System\VYScpaD.exe | N/A |
| N/A | N/A | C:\Windows\System\bsJMGlq.exe | N/A |
| N/A | N/A | C:\Windows\System\ZFnSgMg.exe | N/A |
| N/A | N/A | C:\Windows\System\bdxApnf.exe | N/A |
| N/A | N/A | C:\Windows\System\aZePIMr.exe | N/A |
| N/A | N/A | C:\Windows\System\wgNAIGU.exe | N/A |
| N/A | N/A | C:\Windows\System\HwMTgYl.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_20d7d63e9e90012c575da3d39f08861f_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_20d7d63e9e90012c575da3d39f08861f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_20d7d63e9e90012c575da3d39f08861f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_20d7d63e9e90012c575da3d39f08861f_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\WqotNfu.exe
C:\Windows\System\WqotNfu.exe
C:\Windows\System\vdtaNlf.exe
C:\Windows\System\vdtaNlf.exe
C:\Windows\System\WPDyhKC.exe
C:\Windows\System\WPDyhKC.exe
C:\Windows\System\lfEfIni.exe
C:\Windows\System\lfEfIni.exe
C:\Windows\System\xvOYJFZ.exe
C:\Windows\System\xvOYJFZ.exe
C:\Windows\System\GsNgUAg.exe
C:\Windows\System\GsNgUAg.exe
C:\Windows\System\LKYtQAp.exe
C:\Windows\System\LKYtQAp.exe
C:\Windows\System\nzfPutX.exe
C:\Windows\System\nzfPutX.exe
C:\Windows\System\jcePZeU.exe
C:\Windows\System\jcePZeU.exe
C:\Windows\System\fWXpBbV.exe
C:\Windows\System\fWXpBbV.exe
C:\Windows\System\BVAYXGJ.exe
C:\Windows\System\BVAYXGJ.exe
C:\Windows\System\ZFnSgMg.exe
C:\Windows\System\ZFnSgMg.exe
C:\Windows\System\hJLHSJP.exe
C:\Windows\System\hJLHSJP.exe
C:\Windows\System\bdxApnf.exe
C:\Windows\System\bdxApnf.exe
C:\Windows\System\zjrrdip.exe
C:\Windows\System\zjrrdip.exe
C:\Windows\System\aZePIMr.exe
C:\Windows\System\aZePIMr.exe
C:\Windows\System\jXqtdJv.exe
C:\Windows\System\jXqtdJv.exe
C:\Windows\System\wgNAIGU.exe
C:\Windows\System\wgNAIGU.exe
C:\Windows\System\VYScpaD.exe
C:\Windows\System\VYScpaD.exe
C:\Windows\System\HwMTgYl.exe
C:\Windows\System\HwMTgYl.exe
C:\Windows\System\bsJMGlq.exe
C:\Windows\System\bsJMGlq.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\system\WqotNfu.exe
C:\Windows\system\vdtaNlf.exe
| MD5 | 51ef747c77f9a39c5f5a87a9c8cbe488 |
| SHA1 | 746a644a5e558355993e263aac3ddb7981c03419 |
| SHA256 | 825f977b90861c0afeeecdc70896c559f8ae6c9ffc61c390e20fe2a54178e089 |
| SHA512 | a17b89205c82a1a54bfb69a7802974dbe0624d8c63415742bd850773390d59c8965bdaaf322d4921cdbb64255f9806d11495c7952be2bd99452e7e4c4f64df21 |
memory/2300-18-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/1500-22-0x0000000002270000-0x00000000025C4000-memory.dmp
memory/1500-34-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2404-36-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2628-28-0x000000013F4E0000-0x000000013F834000-memory.dmp
C:\Windows\system\lfEfIni.exe
| MD5 | cc80f943b4cce0eb932c46232eb7a349 |
| SHA1 | 2e8f549de17e0b4d5090958d729801574ca3571c |
| SHA256 | 93541a5fef64dd30f00cbf2270a791fd4b465292629180c93f1b24cbefc4c42a |
| SHA512 | 8c9736da37bb1449fd5d25e2e1ab6cb670175b15224de6fbb4db0ce228155d365224e2c2ab583c72b66b62dc33ebce9205bd2f101dfdf6d9f0ad4f478842b114 |
C:\Windows\system\GsNgUAg.exe
| MD5 | 50ff78c48be6839c1ed8c89d8e691304 |
| SHA1 | 2d9c314bab598cc33060e059761921ddc1072653 |
| SHA256 | 4e629e3d1170160e84e9e5fadf53fb93a6e85f96bc3aa5273bba43817bfd3579 |
| SHA512 | 2bdc330a02279413fd4d05a991d60e8e48d6d540b45f26b0c29f7d8f25daf9c87159a20b06de7e29714741ba39e365f376494bfc906bfb6de488a2e74c1c8061 |
memory/1500-44-0x0000000002270000-0x00000000025C4000-memory.dmp
memory/2732-42-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/1500-40-0x000000013F0B0000-0x000000013F404000-memory.dmp
\Windows\system\LKYtQAp.exe
| MD5 | f79ff1f8c94c6672b2762d21ad755b95 |
| SHA1 | 23645587d097eb873f560e22800f409fdbd69d80 |
| SHA256 | 81b78896e9d0cf09ab3e06af981ada40fd61c9ab32223c2f263b35cf38ebd4ab |
| SHA512 | 99cd5f75edbacea17eae660d4c29fe62ae51a77e8b7afa8d5bacf737a3f01bb6ead8a44545d7ee168fe820f13441a7c5be184d05d8eda45c3d1b717129eed400 |
memory/2900-26-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/1500-25-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/1500-24-0x0000000002270000-0x00000000025C4000-memory.dmp
memory/2896-23-0x000000013F150000-0x000000013F4A4000-memory.dmp
C:\Windows\system\xvOYJFZ.exe
| MD5 | e1430998f11048704ac95cd7030bd8e6 |
| SHA1 | d5298d6ae7cb7b617ea059b4959a6ae9553d6748 |
| SHA256 | c628bc62fc4a6884ed33291791ab8170780d1e49b4341368ac0b20395da16bea |
| SHA512 | b472979f96222c07499593da54ff20d4ea91f19d87f71a40b0c308e9142e8577015ec34074bffd63eb9d3cd126ce50af8b273ebba5840849ba614a1bf6d5da42 |
C:\Windows\system\WPDyhKC.exe
| MD5 | 95e22a2367da9506c3f0db58b2cbaa59 |
| SHA1 | 1cb1193ef1fa9c39e9ac45a5c4b03d01084c70f4 |
| SHA256 | 81e375da6e56465b44f70ce0b4ec2a9987efb2c107398d0acc39de04352ef1d0 |
| SHA512 | 4a7e2a8fe274ca3990741b1140d907e1f41015a2557604916ea290f05c0485130de9d2be04d50e6b5868ff9bf93f1263e492cda9a461c40cf6d881cde3173175 |
\Windows\system\fWXpBbV.exe
| MD5 | e41e6b6c0f5dc22063ad3c6d0358e685 |
| SHA1 | 3aea1c49b63f8b7a97c26dc82530a8237877f4e2 |
| SHA256 | b113fd86677e3ff7bc5fd03af57fc7b7ecbd398a41c4971357138062be0bbe4c |
| SHA512 | c03e83307b6355800bbf2b8a873f8b1952bbcf66a7094026ff1f88fff3d9663973df3c503ff06190c5ece710f8fca27ec3bdbde5c6b274423d00da141a36e551 |
\Windows\system\jcePZeU.exe
| MD5 | 3cbfe46e3882937d75d627f9c8c9b2df |
| SHA1 | 8b8170d2649a9592ac153cbf5943e516c910dd31 |
| SHA256 | c3fae2e99fea247835a1618acc150876fb102adea4e5c50788d7673f798413f0 |
| SHA512 | c2a01c3961ff0a4c02c32d1a3845ea2ae86cb640dca8b663220a25bab4f0cd0aba5310618da63145cba3d0994aed795445d7ad4008e5d7c2b794cdc35df4a05a |
\Windows\system\bsJMGlq.exe
| MD5 | b27fe693d0c8f0aaa9755f6b9b844b04 |
| SHA1 | b2a08dac1f35be3e4aa408cfdea18e2724abfef6 |
| SHA256 | eb082097ad7483e2484f55654d90bc8962c87489c242314ad8dd88398b65b42a |
| SHA512 | bb370c68b400132f05c361dc9067de2363556104995dee63b88923f3a92c9a237b81d2ec1ce74adbf083b862d8e6cc2bd73f5f12b9451dada05ecbe2c6594f54 |
\Windows\system\ZFnSgMg.exe
| MD5 | 0cbe2b55c1cca1c28de9a9d062211ce5 |
| SHA1 | d25064ce9219cc7e93b9410b5e5ce8e5861f4c55 |
| SHA256 | b8606428f9dd7b1208d16ab2a75938f0739fe6ba2a11fa6378336a2499587dba |
| SHA512 | 95a93694ca9d7d8314b1ed71540be3362ff48fff6e9f91ddf438a4903865550f0a7309a4b8080166db5337dbec708dafa91d1807876763bcd7c6f8d17dafff54 |
memory/1500-117-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/1500-116-0x0000000002270000-0x00000000025C4000-memory.dmp
memory/1500-115-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/1500-114-0x0000000002270000-0x00000000025C4000-memory.dmp
memory/844-113-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2376-112-0x000000013F4F0000-0x000000013F844000-memory.dmp
\Windows\system\HwMTgYl.exe
| MD5 | c1d055c4708407dc326e2769178a675a |
| SHA1 | 52a2451f9ca3e513db81bea97fb180651717bd97 |
| SHA256 | ca96326073bd24851f436b55437439c18777e87e75678adee33e14ac6489f609 |
| SHA512 | 48910c1e0b62b393ffd74b8da5463969f4058ddaa03a86e453c60062154d3c8984da97353f8ac57addaae7fb74357edb82368b2732403fb15f91284c12e361b4 |
\Windows\system\wgNAIGU.exe
| MD5 | a94e54c5f7bd590aa0a120e008344347 |
| SHA1 | 418423a9e0690ed47b9afbe0b2179058be3b5850 |
| SHA256 | 787eb2991fab107983eb63b6175a74a5f8d460e4be2971aa064ae8c1c8013ec3 |
| SHA512 | f805d60fdb56c73f3dd9e05f6715c7cf8c83f6823c925710d9c0b75b3ab475889c0ee5ef4395542c970a878f053e6785e689904f68783abddb060cadfcc5c3fd |
memory/2904-96-0x000000013FA80000-0x000000013FDD4000-memory.dmp
C:\Windows\system\zjrrdip.exe
| MD5 | ac33b1ecd802b014f7fa15c2a3cec742 |
| SHA1 | 678c72ad5030ba1dc9983632e8ccfab85ca385ac |
| SHA256 | 05e4e944b36c7a663592fa79cc5a9b363584d271b3fb7d9c49e1b9f6bcac50f9 |
| SHA512 | d1f0842f740feab573c515360c0c9280f9eb227dc192df65e79466d55e4b56240aae6ef65088bab202496a33786010d8f212fe0d57ead3970b4503b6df5bb047 |
\Windows\system\aZePIMr.exe
| MD5 | d12b647aa52790e982f9b969426e08af |
| SHA1 | 648cc91cbd80daf8197d6d48808e15a1215206d9 |
| SHA256 | 12fb84ce5655585202ea3d1908fd69c2947952b34d13f4ad196ab4da0a112c26 |
| SHA512 | 7905de672b35c4a124badd47989f74cb44e906f5eb0325c02937e85b35a59a82f837aef3cb6119043d62037456c3affe41f0c87f38d21976bbed5e607791147d |
memory/1500-136-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/1500-135-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/2428-87-0x000000013F7E0000-0x000000013FB34000-memory.dmp
memory/1500-86-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/1500-85-0x000000013F7E0000-0x000000013FB34000-memory.dmp
C:\Windows\system\hJLHSJP.exe
| MD5 | 73dd36936d7cc54081fd9a5e987a00be |
| SHA1 | 01b67ed038c815eaa237c72f8dabde671b37fafd |
| SHA256 | e66d2388a96efc62b2848bd8635df3ae5b075244aa3a2c87c8b910ac72dfb9d6 |
| SHA512 | 8e9313d82659450c5667d2c872369a0ea2fcd741903d200867f692613f21148e251cb3c1051df63e222d79c44c7ca5e34194bef0d326a103a381d4b93b2e8c6a |
\Windows\system\bdxApnf.exe
| MD5 | bcac6f630e5324ce78cd12647e76eef9 |
| SHA1 | 0e76cf15f78e4a19a64acfdea8a63d58b0bfdb21 |
| SHA256 | a855f82dc6271bcd79754b28cb2fc45801905c227128437386a55e2c9034294f |
| SHA512 | 3e73f1c2be4754cc605392f261644445ebd9de6ce630bf4510ec23083b31e45eecf00e4aaf147ed6bddf81c4b328d9601072f2a079dfb900c68698f555c84e71 |
memory/1500-76-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2516-73-0x000000013F8F0000-0x000000013FC44000-memory.dmp
C:\Windows\system\VYScpaD.exe
| MD5 | a973196241383a273d68d9230d2f39f8 |
| SHA1 | 7862476635ed15201fb11f605ae4a5a09411483c |
| SHA256 | 2e6e5b3203ce027c2addafd68ab0d425e0ed1c3471e72451a6b2976cb8ca4207 |
| SHA512 | 929b25e7ed62555b8056ca077d06dbdbd19e14a24f8387f996f21f8a8155260b466a773331a5ec4bd381235044cd7948f06cb51596ddf4696090bcce3cc73106 |
C:\Windows\system\jXqtdJv.exe
| MD5 | 8c55eac1bd5bb8aa0d38abe3bb7d761e |
| SHA1 | ac9dde5bdb59d4a6fe137fc43b05627065835547 |
| SHA256 | 71e457c94069e62eaa4c8b47e3d15a73384a3421cadd4fe6a0ab27c62258231b |
| SHA512 | 641f6d34ef64a227e99449fab9ceb71c7d7ddc9c3e3846818435fe4b7a10660d3ef1ad0d7248ce4690cf0892d8c6df3c21e027351975e9e3e27e590299a22536 |
memory/1500-105-0x0000000002270000-0x00000000025C4000-memory.dmp
memory/2396-80-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/1500-68-0x000000013FA80000-0x000000013FDD4000-memory.dmp
C:\Windows\system\BVAYXGJ.exe
| MD5 | 2480216a710cb53fe131b647db46cb33 |
| SHA1 | 7e340d3230fc4da3d5dda536ba92669c9e4b611d |
| SHA256 | 14821fd8b37d7810a5a30b130e6595ccbd14179e9a81c67b6fce1d0bd53cc76b |
| SHA512 | b5ffb622b7f777208bd26013c01cc3ef2b89a32660a7893959847d0456c1c03bb59cd8b40274036d9d9fa976322120529ee4d19832d1f0a56ff7bffa98011a61 |
memory/3040-66-0x000000013F780000-0x000000013FAD4000-memory.dmp
C:\Windows\system\nzfPutX.exe
| MD5 | 5f60b8883e19b2df964fc227ef037e42 |
| SHA1 | 69d2e7a2cf752f81e4b303c7659331e37985d67e |
| SHA256 | 19d9d2a424714f6a4c822e17ecdd9e9442e2cabc6ec2fc079747822013e77201 |
| SHA512 | f0a40680e2a0e689d5f37de90be6a52a0d654eb6c8f647f6bbebd6fbef5a3d48e5bcbda2e2b1d2ca2fc2a906fbe332b6ef70d68c89d79c9ec69d6431eafd766c |
memory/2404-138-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2628-137-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2732-139-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/1500-140-0x0000000002270000-0x00000000025C4000-memory.dmp
memory/2516-141-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/844-142-0x000000013F210000-0x000000013F564000-memory.dmp
memory/1500-143-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2300-144-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/2900-145-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2896-146-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/2628-147-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2404-148-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2732-149-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/3040-150-0x000000013F780000-0x000000013FAD4000-memory.dmp
memory/2396-151-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2428-152-0x000000013F7E0000-0x000000013FB34000-memory.dmp
memory/2904-153-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2516-154-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2376-155-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/844-156-0x000000013F210000-0x000000013F564000-memory.dmp
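The process, network and file sections above give three kinds of indicator: executables written to and launched from C:\Windows\System under seven-letter mixed-case names, a single C2 endpoint at 3.120.209.58:8080, and the SHA256 of each dropped file. The script below is an added example, not part of the sandbox report, that turns those indicators into a hunting check over Sysmon-style process-creation (event 1), network-connection (event 3) and file-creation (event 11) records. The C2 address, drop directory, file names and SHA256 values are copied from the report; the sample events are constructed for the example, and the seven-letter name shape is an inference from the listed names rather than something the report states.

```python
import re

# Indicators copied from this report.
C2_IP = "3.120.209.58"           # Network section
C2_PORT = 8080
DROP_DIR = r"c:\windows\system"  # every dropped EXE lands directly here

# SHA256 of four of the dropped executables, from the Files section.
DROPPED_SHA256 = {
    "7f4bdc1e40f1324ea6e18960e576a9cc04a509718efac2f956ed08270d86a3e7",  # WqotNfu.exe
    "825f977b90861c0afeeecdc70896c559f8ae6c9ffc61c390e20fe2a54178e089",  # vdtaNlf.exe
    "93541a5fef64dd30f00cbf2270a791fd4b465292629180c93f1b24cbefc4c42a",  # lfEfIni.exe
    "81b78896e9d0cf09ab3e06af981ada40fd61c9ab32223c2f263b35cf38ebd4ab",  # LKYtQAp.exe
}

# Assumption (inferred from the 21 names in the Processes section, not stated
# by the report): seven ASCII letters, mixed case, followed by .exe. Legitimate
# Windows binaries live in System32/SysWOW64, so execution from C:\Windows\System
# itself is already unusual; the name shape just tightens the match.
DROPPER_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")


def split_path(path: str) -> tuple[str, str]:
    """Return (directory, basename) for a Windows path; directory is case-folded."""
    directory, _, name = path.replace("/", "\\").rpartition("\\")
    return directory.lower(), name


def is_dropper_path(path: str) -> bool:
    """True only for C:\\Windows\\System\\<seven letters>.exe, no subdirectory."""
    directory, name = split_path(path)
    return directory == DROP_DIR and DROPPER_NAME.match(name) is not None


def parse_hashes(field: str) -> dict[str, str]:
    """Parse Sysmon's 'MD5=...,SHA256=...' Hashes field into {ALGO: hexdigest}."""
    out = {}
    for item in field.split(","):
        algo, _, value = item.partition("=")
        if algo and value:
            out[algo.strip().upper()] = value.strip().lower()
    return out


def match_event(ev: dict) -> list[str]:
    """Return the report indicators a single event matches (empty list if none)."""
    reasons = []
    if is_dropper_path(ev.get("Image", "")):
        reasons.append("image runs from drop dir with dropper-style name")
    if parse_hashes(ev.get("Hashes", "")).get("SHA256") in DROPPED_SHA256:
        reasons.append("image SHA256 listed in report")
    if ev.get("EventID") == 3 and ev.get("DestinationIp") == C2_IP:
        port = int(ev.get("DestinationPort", 0))
        note = "" if port == C2_PORT else f" (port {port}; report saw {C2_PORT})"
        reasons.append("connection to report C2 address" + note)
    if ev.get("EventID") == 11 and is_dropper_path(ev.get("TargetFilename", "")):
        reasons.append("file written into drop dir with dropper-style name")
    return reasons


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map RecordId -> matched indicators for every event with at least one hit."""
    hits = {}
    for ev in events:
        reasons = match_event(ev)
        if reasons:
            hits[ev["RecordId"]] = reasons
    return hits


# Constructed sample events in the shape of Sysmon fields (not real telemetry).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 11,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "TargetFilename": r"C:\Windows\System\WqotNfu.exe"},
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Windows\System\WqotNfu.exe",
     "Hashes": "MD5=3ee82894cbcf64cd1790fb2b6fd37250,"
               "SHA256=7f4bdc1e40f1324ea6e18960e576a9cc04a509718efac2f956ed08270d86a3e7"},
    {"RecordId": 3, "EventID": 3, "Image": r"C:\Windows\System\vdtaNlf.exe",
     "DestinationIp": "3.120.209.58", "DestinationPort": "8080"},
    {"RecordId": 4, "EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "Hashes": "SHA256=" + "0" * 64},
    {"RecordId": 5, "EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for record_id, reasons in scan(SAMPLE_EVENTS).items():
        print(record_id, "->", "; ".join(reasons))
```

The hash and C2 matches are exact and will go stale as soon as the operator rebuilds the payload or moves the listener, so the path check is the part worth keeping: anything executing from C:\Windows\System itself, rather than System32 or SysWOW64, deserves a look regardless of name. The port is reported but not required for the C2 match, since the listener port is the cheapest thing for an operator to change.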