Analysis Overview
SHA256
48e8c297df9937dcd80f215209ac5dfefca278643bf9138174bb25c21e252980
Threat Level: Known bad
The file 2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
xmrig
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobaltstrike
Xmrig family
Cobaltstrike family
Cobalt Strike reflective loader
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-05-22 21:07
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 21:07
Reported
2024-05-22 21:10
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\vBzIJEs.exe | N/A |
| N/A | N/A | C:\Windows\System\DcFDwvM.exe | N/A |
| N/A | N/A | C:\Windows\System\sXMrzDx.exe | N/A |
| N/A | N/A | C:\Windows\System\sGRRqdF.exe | N/A |
| N/A | N/A | C:\Windows\System\sWtOKlN.exe | N/A |
| N/A | N/A | C:\Windows\System\xFLLWrQ.exe | N/A |
| N/A | N/A | C:\Windows\System\JxEsDcZ.exe | N/A |
| N/A | N/A | C:\Windows\System\YpuPeqj.exe | N/A |
| N/A | N/A | C:\Windows\System\bXPzJGC.exe | N/A |
| N/A | N/A | C:\Windows\System\ZBtGKbL.exe | N/A |
| N/A | N/A | C:\Windows\System\ifyplgn.exe | N/A |
| N/A | N/A | C:\Windows\System\JdYRDLb.exe | N/A |
| N/A | N/A | C:\Windows\System\dAryjjI.exe | N/A |
| N/A | N/A | C:\Windows\System\FNAkBoU.exe | N/A |
| N/A | N/A | C:\Windows\System\thduBvM.exe | N/A |
| N/A | N/A | C:\Windows\System\KXdypXO.exe | N/A |
| N/A | N/A | C:\Windows\System\QZnpINS.exe | N/A |
| N/A | N/A | C:\Windows\System\wjuFGOR.exe | N/A |
| N/A | N/A | C:\Windows\System\WAIifaW.exe | N/A |
| N/A | N/A | C:\Windows\System\KxrXlHg.exe | N/A |
| N/A | N/A | C:\Windows\System\BtthDZl.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\vBzIJEs.exe
C:\Windows\System\DcFDwvM.exe
C:\Windows\System\sXMrzDx.exe
C:\Windows\System\sGRRqdF.exe
C:\Windows\System\sWtOKlN.exe
C:\Windows\System\xFLLWrQ.exe
C:\Windows\System\JxEsDcZ.exe
C:\Windows\System\YpuPeqj.exe
C:\Windows\System\bXPzJGC.exe
C:\Windows\System\ZBtGKbL.exe
C:\Windows\System\ifyplgn.exe
C:\Windows\System\JdYRDLb.exe
C:\Windows\System\dAryjjI.exe
C:\Windows\System\FNAkBoU.exe
C:\Windows\System\thduBvM.exe
C:\Windows\System\KXdypXO.exe
C:\Windows\System\QZnpINS.exe
C:\Windows\System\wjuFGOR.exe
C:\Windows\System\WAIifaW.exe
C:\Windows\System\KxrXlHg.exe
C:\Windows\System\BtthDZl.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.146:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.146:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 146.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4492-0-0x00007FF7FBBB0000-0x00007FF7FBF01000-memory.dmp
memory/4492-1-0x0000022CF86F0000-0x0000022CF8700000-memory.dmp
C:\Windows\System\vBzIJEs.exe
| MD5 | 37de40c33a526bf042c9e166c04861ad |
| SHA1 | 707916a778e3d4550c58cba1b1987d0c70ecdd7c |
| SHA256 | 20954428ad3b4c39285ac299ab0065ee1f5fe82903c4ec11b8aead656515f7e8 |
| SHA512 | 122c939812924e09e28fcd452ae28f7fe610d1dde8adb9d1346bde33d77102bda8d0989be47e7dedf540582b46e0bbff9b22d4b8e1be82a7c7cb3e484cd59086 |
C:\Windows\System\sXMrzDx.exe
| MD5 | 036d814de366482c221294b653ae3e48 |
| SHA1 | 82e32d1f1447dd5dabb48caa124ca6cae6774268 |
| SHA256 | 850bb2f083e368a06f35faf68cd54d969bf13d34f02ccb24cdbefce6aabbbbae |
| SHA512 | fae1fe3855c328fb2e7de0d4761d41f645c0f0b81b9a4ebf5cfca1edb6cbec64652aa9e31bd6743818f930f5e0571ba7d7979f1f97964da6f6daa8008ff541bb |
C:\Windows\System\DcFDwvM.exe
| MD5 | fe11f24ff6638b8cb98b1441a2ae5512 |
| SHA1 | 3b122ea9f2f8ff3a664c2f2e7b4e47b12ae12f6f |
| SHA256 | ad39b3a2d653b7aa5788fb871e574f29bc4c2583716e5efa2e21263bce3ee529 |
| SHA512 | 7742e4f5c5c149c6d0390187ad342a8bde03739d2d16dba143e971e4a23f263ce5af55e8f4575e57305b06ef6c8263b22ae400106bdbee81a7faae6fb5131804 |
memory/344-16-0x00007FF64B3B0000-0x00007FF64B701000-memory.dmp
C:\Windows\System\xFLLWrQ.exe
| MD5 | fbe66136ca75d84b7a34809b074e6e98 |
| SHA1 | b1341373c2966f2570ff28b04fac044196e0183e |
| SHA256 | 1427917ea62521c8a0e0f8eb7b92a63ab1e827d4094f43ec3006c02d81ab48e0 |
| SHA512 | a84f1a7134ebb631a839d439ab49d5255eb3d14f8d9181f4c4a0d007189fd36ed1123650e4358a2a6be9ad5e468d6fd6985ecaa6ffb2fa926628f61720628914 |
memory/1584-40-0x00007FF7714F0000-0x00007FF771841000-memory.dmp
C:\Windows\System\bXPzJGC.exe
| MD5 | cf6f0e130dcf5bc254d5f3c6ee43b18f |
| SHA1 | 50836acb1824e6392178f93f518dd56ef2a2e6fc |
| SHA256 | a9a8f9eb3cea9778dcb6c6a4c8b43b2383b004c0ea32e4f86c51ff8c7d0d116f |
| SHA512 | a3b5d08eb610f91b4f78d5f34e6310e32d4e60864f28ad192acd9e60fc2e7b9dd2bde3bc8a2aca7813fb1689a54ebd2b318591a5b13b63b605ceced159f84bfc |
memory/4968-52-0x00007FF69B770000-0x00007FF69BAC1000-memory.dmp
C:\Windows\System\YpuPeqj.exe
| MD5 | 837fceb8824ec7941819e46e718e1db9 |
| SHA1 | 169a8d443e10812407beae622a5d0649de540024 |
| SHA256 | 3a901687bad87f98ac145d4a55cc7fc8770598afed24ba5b66aa65ca3a95ab88 |
| SHA512 | e46a47ae3a6a2e7d8c129202fc6e4e0f444421142deb0de960476a8cbcdcdcca591bf557b482fc22ede73842174f4d2e53b89b5427736a8cd12e45ef7829d7cd |
C:\Windows\System\JxEsDcZ.exe
| MD5 | 12368338021b36a7fbbd8601c81baf03 |
| SHA1 | 3aa4cbb763b65cd86f5e8385c58ab4e0b179be25 |
| SHA256 | f69b804bded3e181a49ea610f9b7545db5337244be5338da0b6458f1b448e466 |
| SHA512 | cb3afc71d956c231eebd2abac1bb9f94e8058dbd969e8e0acd3f2314c292ce0bc59490034ed8c89f0d8f95759241e1d6ba116ceada3e7decb3d36ad58018394b |
memory/4540-49-0x00007FF6B5520000-0x00007FF6B5871000-memory.dmp
memory/2172-47-0x00007FF67AEF0000-0x00007FF67B241000-memory.dmp
memory/1904-37-0x00007FF7873C0000-0x00007FF787711000-memory.dmp
memory/1648-33-0x00007FF65FE60000-0x00007FF6601B1000-memory.dmp
C:\Windows\System\sWtOKlN.exe
| MD5 | 3a5315dbe59ab609e32a5e810c19c820 |
| SHA1 | da571281875870d1b4ba20f099b816f82caf6035 |
| SHA256 | 98ac9fabed96db63368bb9e97cfee067a0a04e112015d2a05779ea23663d5e8a |
| SHA512 | b52932f737e089e17ed775c3f8b2aea2ffe9a208d5693a1e319cc39563c1058c1216347cf8c6b5dd408478281f0e131dc3d4a59bb3c18b5d99d714c6880a8b36 |
C:\Windows\System\sGRRqdF.exe
| MD5 | d4bc94489f05d7f8254102538a96db32 |
| SHA1 | 64f91a5b0463d036c1d497ebc6d98f9cc8e03e90 |
| SHA256 | f34233f9dd5fa507d71de57ca4aa1a10916d5aff05e2e65d079d7dcc30a6f613 |
| SHA512 | 162998a004971fbf1809f2da577a773b288109885430e17a3330b1cf6dd044d89c03775622e6c2ca3918f7ea14990cab06893b449916969132f93f39214e9b15 |
memory/3472-27-0x00007FF6B0540000-0x00007FF6B0891000-memory.dmp
memory/632-22-0x00007FF609810000-0x00007FF609B61000-memory.dmp
C:\Windows\System\ZBtGKbL.exe
| MD5 | b69c8e30718512130f2b412793952827 |
| SHA1 | 16e2a65c169a2c918197ab37d70b0a9e83a35a5a |
| SHA256 | 9dda8090f534ffea8238f450e05f2d5c90b9f4692d893d72dcaba5c7c8f83ae2 |
| SHA512 | cd26504279316f1c35ae7d74a73a2f8e9f790e1f6246d9039b09409ca9293073ad44decb47fb5d8cccf0cd00aeeea6c86acc4589031d016c49e906a78d28507c |
memory/1992-63-0x00007FF6D7610000-0x00007FF6D7961000-memory.dmp
C:\Windows\System\ifyplgn.exe
| MD5 | 65eac8ba0bf5c059efcfd85e3a1c838a |
| SHA1 | 0eade84e5c36c6dafb5758815df1f48625fb838f |
| SHA256 | 2f2a95c715cc1d63d0d166e1503f523f8612f6282e5f0d94c793a26eff433378 |
| SHA512 | c5520e0b0b981c636efc8fa7eda76764983974ca61206e2f5ef46ba8476489f7c8830fc7f2bb61b31c72e9855efbae5cfefc5ff995a7d943c26081542e6cbdf1 |
C:\Windows\System\JdYRDLb.exe
| MD5 | 2066da0f8f2b442ce72bd34aca34b548 |
| SHA1 | c5352e28610d38bf473087cfc0b1c32ffa006c65 |
| SHA256 | 4fc4ade2ca9897639532a0b2b4e33c122ad5540024363e5a5e1f65e2afeec81d |
| SHA512 | 79ccce38bf301c3a5e72253d23f0b27c78ba40168143cb1221b0b6685c6316c5f23c2f5163cf464eb4481f1621905df3035206a9e963b3cfca67c93c018e652e |
C:\Windows\System\dAryjjI.exe
| MD5 | 6224debff468484d49308de1cba3e50e |
| SHA1 | ec99fb1dc5d3d55c27eca9961390c0a41aea5cd5 |
| SHA256 | 9ddfa3cf8746e1062732b5a2d69bfb109201619a936b9ac201e9269d6d1b5b08 |
| SHA512 | 1b1c239eb7ee63ff03860e78fad79bbd7564ec12e4f6b04d345bc8e19eb4cc7e80bd289cba611aac9cdbbb57619cb3e91b4d90a2fa736def114d608c53ba193c |
C:\Windows\System\FNAkBoU.exe
| MD5 | c1abdf1624a6700724e4bd300c820e2a |
| SHA1 | 6646e19c5944d0e44e2302851e6f2643fddddb48 |
| SHA256 | 27a5f82755760324bb8e633493802f58785ada3b802d8a3270ef3b54b166d41d |
| SHA512 | bb79e59f9a172c57dc898d8d965abb3c35e2ec06f2edecbbcaf963b201f0666caa3892d6baa4aaaa1b29ae72dabd53b92b5013d21f9e2ffab3e57ac8a10f6e89 |
C:\Windows\System\thduBvM.exe
| MD5 | 2762902c205bd65db600a060f34dada1 |
| SHA1 | 28e0bdc35d44371379795215ff6b86947af2e58e |
| SHA256 | 7d45877664c3e3cf8fee158cafbec3ef3dfcb2b9d96558756eec66b7d2340778 |
| SHA512 | 451c2d96f418d91876d7922f9a48263becd5b6fc62bd8f0f6513982045568113614561f5c43d8fb4796a58415efa01a9bff66a06956556301a0db5ae751e4e6f |
C:\Windows\System\wjuFGOR.exe
| MD5 | a078d6c5ce44bc9cae9e4bd757e7f546 |
| SHA1 | 4f78030af7ee5addd7d5ad1328f7ba2f2da6e219 |
| SHA256 | 90a437d8e61b6b9d01df38ad09eba7ceaa383de6b70cfb86d3ec9d88273ed380 |
| SHA512 | 99ef15f0a60d94cbfb488b23ff35bd85463b7bfb5aad8c2c86363487bcbea020b8bb40772f080998e3c46836015e83509f88315d010c686264145a71594db34f |
C:\Windows\System\KXdypXO.exe
| MD5 | ccfdab6800e2064d0003ceaf779ab1b7 |
| SHA1 | e5cbf0f484dfed50d626b585b69121c686bf7f32 |
| SHA256 | e06dff0ff4916906e440030e24382f3bec714fecb1eebfd63bb1843a73b1dfc1 |
| SHA512 | 5cd4bc2fdd155f637754cb621beaf564419f32b2315bf6fc232d69662d55e80e063aaa6ae92ae0b6e7d3c496f8fdcbc0c2dbafd283104d45cc8622d737c16fbc |
C:\Windows\System\WAIifaW.exe
| MD5 | 47ffcc635e02104e189642ba7022f247 |
| SHA1 | 24b7339874b6cbc31fec1098ee01f6157f471865 |
| SHA256 | b7a54a1a0845eb730840afc6712e619d186b816c7003aaa58a84c35dd0e3ca83 |
| SHA512 | 4c30c3635fa9f2bcfb41f89ae49689168017e467223a9100b4497bbd606fc2fd49401f05457799c9e161915cce40d7fa8e154870b4dfeb15a11244e6450129c1 |
C:\Windows\System\KxrXlHg.exe
| MD5 | e05c24daa3c46db53a454d717ccf8b0a |
| SHA1 | a7c702fab3c20acc67dc325782c49675c13e4550 |
| SHA256 | b0d342b558cd93f94718acacb6d2c654382d6dcdeff6bb40a698026ab00f8244 |
| SHA512 | 4c3bab0ec20b7fe7700d0bd7a137b1628144f3b38ef1651eb7819e39ba6f4c1ad361ca1c179f5a6550c1b92de722a97fb39985a5878e84bed63bf3ad7db0279c |
C:\Windows\System\BtthDZl.exe
| MD5 | 94584123f2744a12babf48dba44f2323 |
| SHA1 | caa88409e8c1113f06a3b2db0d1554b8b3535c17 |
| SHA256 | d716616a00298c7b336d0059a49c624b391ce31d8da84ff71141e55cc46e22cf |
| SHA512 | c6a70e4741555aeb40ad1c22d7abcf2151d8bb7f65c96cac51b0f4145c155d3d1b10a407b98c51f2a5526d6652d970fd2c594da3436bc9a3d69c34e0b59b305f |
memory/4440-114-0x00007FF6CC420000-0x00007FF6CC771000-memory.dmp
memory/1272-106-0x00007FF7EC1F0000-0x00007FF7EC541000-memory.dmp
memory/1204-104-0x00007FF7A94D0000-0x00007FF7A9821000-memory.dmp
C:\Windows\System\QZnpINS.exe
| MD5 | 336498fbee5713368a34e7ffc54420b2 |
| SHA1 | 83235518c7bfd24cc89c69b9c25820dc8335fd11 |
| SHA256 | 8fba17215ffb2803758654ff447804d12d82b78b30a2c63d0726210214361d2d |
| SHA512 | 8f198db5b1df394ed7288d0248eb5ac9655b42b29aa0dd6e70d62da5a8b46a5c014ce2061b70d16b4f5e515b35c494011efd74df55d26c2c4d6b25875eef0534 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 21:07
Reported
2024-05-22 21:10
Platform
win7-20240221-en
Max time kernel
141s
Max time network
146s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\vBzIJEs.exe | N/A |
| N/A | N/A | C:\Windows\System\DcFDwvM.exe | N/A |
| N/A | N/A | C:\Windows\System\sXMrzDx.exe | N/A |
| N/A | N/A | C:\Windows\System\sGRRqdF.exe | N/A |
| N/A | N/A | C:\Windows\System\sWtOKlN.exe | N/A |
| N/A | N/A | C:\Windows\System\xFLLWrQ.exe | N/A |
| N/A | N/A | C:\Windows\System\JxEsDcZ.exe | N/A |
| N/A | N/A | C:\Windows\System\YpuPeqj.exe | N/A |
| N/A | N/A | C:\Windows\System\ZBtGKbL.exe | N/A |
| N/A | N/A | C:\Windows\System\JdYRDLb.exe | N/A |
| N/A | N/A | C:\Windows\System\FNAkBoU.exe | N/A |
| N/A | N/A | C:\Windows\System\KXdypXO.exe | N/A |
| N/A | N/A | C:\Windows\System\wjuFGOR.exe | N/A |
| N/A | N/A | C:\Windows\System\KxrXlHg.exe | N/A |
| N/A | N/A | C:\Windows\System\bXPzJGC.exe | N/A |
| N/A | N/A | C:\Windows\System\ifyplgn.exe | N/A |
| N/A | N/A | C:\Windows\System\dAryjjI.exe | N/A |
| N/A | N/A | C:\Windows\System\thduBvM.exe | N/A |
| N/A | N/A | C:\Windows\System\QZnpINS.exe | N/A |
| N/A | N/A | C:\Windows\System\WAIifaW.exe | N/A |
| N/A | N/A | C:\Windows\System\BtthDZl.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\vBzIJEs.exe
C:\Windows\System\DcFDwvM.exe
C:\Windows\System\sXMrzDx.exe
C:\Windows\System\sGRRqdF.exe
C:\Windows\System\sWtOKlN.exe
C:\Windows\System\xFLLWrQ.exe
C:\Windows\System\JxEsDcZ.exe
C:\Windows\System\YpuPeqj.exe
C:\Windows\System\bXPzJGC.exe
C:\Windows\System\ZBtGKbL.exe
C:\Windows\System\ifyplgn.exe
C:\Windows\System\JdYRDLb.exe
C:\Windows\System\dAryjjI.exe
C:\Windows\System\FNAkBoU.exe
C:\Windows\System\thduBvM.exe
C:\Windows\System\KXdypXO.exe
C:\Windows\System\QZnpINS.exe
C:\Windows\System\wjuFGOR.exe
C:\Windows\System\WAIifaW.exe
C:\Windows\System\KxrXlHg.exe
C:\Windows\System\BtthDZl.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files