Analysis Overview
SHA256
875402486c494101baa0b535acb3fb9ee73d4e55be9094327427592172fd65d8
Threat Level: Known bad
The file 2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike
XMRig Miner payload
xmrig
Cobaltstrike family
UPX dump on OEP (original entry point)
Xmrig family
Detects Reflective DLL injection artifacts
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-29 20:55
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 20:54
Reported
2024-05-29 20:57
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ogLydMJ.exe | N/A |
| N/A | N/A | C:\Windows\System\FCiOZbv.exe | N/A |
| N/A | N/A | C:\Windows\System\WbzbEej.exe | N/A |
| N/A | N/A | C:\Windows\System\FzupgGq.exe | N/A |
| N/A | N/A | C:\Windows\System\cHLptxM.exe | N/A |
| N/A | N/A | C:\Windows\System\SiFdHRG.exe | N/A |
| N/A | N/A | C:\Windows\System\mFekmPY.exe | N/A |
| N/A | N/A | C:\Windows\System\mKmYvEn.exe | N/A |
| N/A | N/A | C:\Windows\System\XTaKVPf.exe | N/A |
| N/A | N/A | C:\Windows\System\qZmstFD.exe | N/A |
| N/A | N/A | C:\Windows\System\ldBwevM.exe | N/A |
| N/A | N/A | C:\Windows\System\ZyqaGcP.exe | N/A |
| N/A | N/A | C:\Windows\System\JEYHItk.exe | N/A |
| N/A | N/A | C:\Windows\System\WUuOzlP.exe | N/A |
| N/A | N/A | C:\Windows\System\BSAcfwo.exe | N/A |
| N/A | N/A | C:\Windows\System\WRrcnbE.exe | N/A |
| N/A | N/A | C:\Windows\System\gSyuQuV.exe | N/A |
| N/A | N/A | C:\Windows\System\zliRDKW.exe | N/A |
| N/A | N/A | C:\Windows\System\TbrkopN.exe | N/A |
| N/A | N/A | C:\Windows\System\kqaBemO.exe | N/A |
| N/A | N/A | C:\Windows\System\UUJerys.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 20:54
Reported
2024-05-29 20:57
Platform
win7-20240508-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\YOyqEqv.exe | N/A |
| N/A | N/A | C:\Windows\System\WbOyOPy.exe | N/A |
| N/A | N/A | C:\Windows\System\TYDcmVL.exe | N/A |
| N/A | N/A | C:\Windows\System\OrtYgQu.exe | N/A |
| N/A | N/A | C:\Windows\System\rMiOqCe.exe | N/A |
| N/A | N/A | C:\Windows\System\zXImhNx.exe | N/A |
| N/A | N/A | C:\Windows\System\wssTifm.exe | N/A |
| N/A | N/A | C:\Windows\System\pKzlCVU.exe | N/A |
| N/A | N/A | C:\Windows\System\UBAWINe.exe | N/A |
| N/A | N/A | C:\Windows\System\ToMtzkO.exe | N/A |
| N/A | N/A | C:\Windows\System\VFxsbkl.exe | N/A |
| N/A | N/A | C:\Windows\System\hgMmmdq.exe | N/A |
| N/A | N/A | C:\Windows\System\lOnAvJn.exe | N/A |
| N/A | N/A | C:\Windows\System\sdLRVuf.exe | N/A |
| N/A | N/A | C:\Windows\System\Omgwnjh.exe | N/A |
| N/A | N/A | C:\Windows\System\foMSQhX.exe | N/A |
| N/A | N/A | C:\Windows\System\qyytaQw.exe | N/A |
| N/A | N/A | C:\Windows\System\FvBCPyd.exe | N/A |
| N/A | N/A | C:\Windows\System\hfyZUAX.exe | N/A |
| N/A | N/A | C:\Windows\System\VANIDEy.exe | N/A |
| N/A | N/A | C:\Windows\System\OAdjMDw.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\YOyqEqv.exe
| MD5 | 33a2d1fd389083a19598bd74da2bcebf |
| SHA1 | 34101378dd2dfe7be49fe84306dcd28acc28224b |
| SHA256 | 04bb675257958e2a4860d2d9ef5766e564ceaa27d3ad302302a43089a90deb87 |
| SHA512 | ca963d3f2c9faeb0260ea91ae3f2d79e43f654133afb1bd8595db9d9c871b72ef8db1f7f3b9247cb35ddb7b2a500697e4c0894961bd2a3715b056aca96221eef |
C:\Windows\system\WbOyOPy.exe
| MD5 | 90ba5826269e571fd44d433ac13779d1 |
| SHA1 | 569ecf90d43e940e4dbc4f657fbc5bc5ec34f50b |
| SHA256 | 4f42d79df68b0c3465b85a906fd3291a4203cbfff0f541af6f64a3a1494f25c5 |
| SHA512 | 58fe2c70039136eaf68ef61e92501388a7f5410e935cb72a5a1e2bc3ddde15ece7d1008cadc0e69ecaca01f79b08f9f4a8bbef640b3cf09f0ffcaeebe2072022 |
C:\Windows\system\TYDcmVL.exe
| MD5 | e7c1ad43880aad343e68144135f676df |
| SHA1 | aa6c20517a39060adaddf13582f31de28a3044c1 |
| SHA256 | f66c0946f6422d9aedc98b0edaa647cbde4b04f391df9adbe14eb52dde5e57db |
| SHA512 | f525d6c72ddc445f8024ce205438cfd43225744e10b83d579082f57d4dc8fc9b7b7b2fe0307430d3d99365ebeeeee856d1912bc3ec95a065a01fdc0bae093f99 |
C:\Windows\system\OrtYgQu.exe
| MD5 | 537d0ac235353094397982c3b51c53f4 |
| SHA1 | d9ee034aef9d0641d18560fb5738a0ee706b9811 |
| SHA256 | 979269307722ade951875696398c8d6eddf4f5d7c7f3f5e47339aeeea834311f |
| SHA512 | 8a735151293468b3ebd874b6812948fa07fb4d977e4aa1ef19d4a0895cb6082c6c36175d2f074a93a855082212828232e3970c91735657f4047d79dae659f0f2 |
C:\Windows\system\zXImhNx.exe
| MD5 | 5aaff2f3e4de2624ff57c9d943d2cafa |
| SHA1 | 9b8b0a8e37790c9d3944b54496a2565cd3f08135 |
| SHA256 | c91ae6921ad096822891d55a4b8859e2ee4ab4ac6262926264e23a6dc3fca807 |
| SHA512 | 4c5020363c95c5ccac7b449c4c45c9c7d213bb3a570ea5acd7f2af01e95cc993535537437d57839b43ebebbe961464ea6f098ff2fb7b328d2d1fba6885852626 |
C:\Windows\system\rMiOqCe.exe
| MD5 | ad907c76044c36d14840cdd831049206 |
| SHA1 | bb302cac84b6a8bae27d5fa5e32e33bc0e32e561 |
| SHA256 | c1657529a8d07a73856a48a4ad221844c5242d2d4d7a650baed6a15bcd5ca453 |
| SHA512 | 347cf3090fdc05e20fe227fff24d0ab7c975843b218391e5f6688f724a366a97b3de432ef02c75afb94c0e89b7b2d357a7ba516d337cedb7db5cc9090cb81742 |
\Windows\system\ToMtzkO.exe
| MD5 | 200e85a485f55adb897770eb1e8e91b9 |
| SHA1 | 5c72e24a7bd438d0a46cf7ab5740c88f27c954fd |
| SHA256 | 822ecae00ccc7899c1074dd68395a302f4970d372243c0c9da9f0acf831c6046 |
| SHA512 | 1787cfda7a1d00894c15715db5a768cf20548a7b3cfe3f4b559d49c1806e07f14a120bb3ed4b807f5d9ddcb43f6a74908d08294397a01881e8778e2d8b7730a6 |
C:\Windows\system\VFxsbkl.exe
| MD5 | 6c10a7e66136650cc26e4a71be6d1ecf |
| SHA1 | 403a5875fe0f8779f01ba7fa5ee7eecf2e729e18 |
| SHA256 | 6353151cded459b1efc530293826f4a1376379a4cb1fe31c37865dd21404abd6 |
| SHA512 | 42b277d9922899dbf4e0c3bbd62bbb0fa82ffb7dfd77c8283527ecf117f9db65fe1068340a9d1f271a9e0e58a1ad6c7557fb7d709553c5320497980ac6c95faf |
C:\Windows\system\sdLRVuf.exe
| MD5 | a7cb2d4d4987574193d7891fbaf4e4f2 |
| SHA1 | 0d0084c302c2a56d124fa4ce181c51d14c07d423 |
| SHA256 | 1e7b1348b44ee10562bb623667fcb369325ddfc17f297de4fbab8b09d943cef7 |
| SHA512 | fbc5c99d480030bf6858827efea17714a46ce12642ffe9fe9cf33db2c713fa7190f428c648d804f47abf92ab8005bcd79d45f836b80f153575d3bd2248192ad7 |
C:\Windows\system\qyytaQw.exe
| MD5 | 80e32da2a959cf66892a6235afcfc9a8 |
| SHA1 | 89225b3c6978fe08c1a3ce2c5e5a9a3e011da42f |
| SHA256 | dd89f60e17332bcaca3f083ae08bafd8477f5c76435f67d06d51f807c6d13e87 |
| SHA512 | 2cadb54e7c38ef782d5c8f875790eda3cb783c222db2f057dca80945e433e2defc6e0c58907b5917b2010abc530b5fe6fbb6d77e291026875944b63bbe7abd51 |
\Windows\system\OAdjMDw.exe
| MD5 | 23b84a0af38c93fec3072aa16aaafc7e |
| SHA1 | be3de13bf840391741901ac6d668960c818776a1 |
| SHA256 | 8266ba34ccc75935bd094f0be4bf14dce42dce3798d15e69fb7755fc8f6d4f18 |
| SHA512 | 2fb38cf65281c67371b00401478aa69332ee6e995780934594f80bc1e15d3fa08c071ea59c828e95c6a354ae22f409312e4853114dff53e3c926dad941cf9a97 |
C:\Windows\system\VANIDEy.exe
| MD5 | 24ade996d92b482c6e5ecbc1867a25ba |
| SHA1 | 8c7cd7ae247c96918ad31bb388c2ba5f1482c048 |
| SHA256 | 274d8af4216dda93698c686355c8975ea5648d7c79d704ef7467fbb1e70c9da5 |
| SHA512 | 7a6a182720c67fcd5f3ce2da76c38afaea4852b056232e5359e58eb666e584e9d1dbc725281691744a328b922acda29247edea85730668a9a851f390457a4a3c |
C:\Windows\system\hfyZUAX.exe
| MD5 | 041161e56f433a1ca92aa105dc77a33a |
| SHA1 | f58b1ea251e36d92430d6682f2b57eed683e19ef |
| SHA256 | b39acb728e228fd51dbefbb1fb4b395edeaf0179de3a018f51bb60eb33a2b4bf |
| SHA512 | 172ce68c813fd35f15c31ff7ca62f7ec3ed5ceb17e806ba31083af9b29aa7dce4931249c3f240864f3ecaf6121b244e587255656850253209c258e6a2a9f0ed7 |
C:\Windows\system\FvBCPyd.exe
| MD5 | 9bfc54910627d4dcfe5ce5cb96590f82 |
| SHA1 | ab03a7324f2a6f35015ac30d638ccf038f130863 |
| SHA256 | 241df7309539daf8f414fea577c6b2e656a9dba75483ac53808240598ba6c65e |
| SHA512 | be96dbdbcb23344a25570423669b4c8c803a797ce1bbc849011db6f23556b75acdd383d8cc06c395432708d222f9d6519e38380c58cba8a255eae8b1f06b52ec |
C:\Windows\system\foMSQhX.exe
| MD5 | 87453b62e76ed56b846a6fe8e5cb0321 |
| SHA1 | 03aacebdc1b80c30f6a7cd93ac00bf9b9884992d |
| SHA256 | e1fce56d85f903f7553ba0da960af360e7900396b217895834afc27e91d6a2e9 |
| SHA512 | b456c58e038b6fc3fdc1c00302a7ae66874c999e51a5035f5f2c4931ba24e631f07b2127690de101923de27d99818b16550348f2576472f9e5bc88530c06ed06 |
C:\Windows\system\Omgwnjh.exe
| MD5 | 91ad49ad045041d9076ed565ed0f65af |
| SHA1 | 76e59060063f2ad77436a002dfde3a9f1c13a194 |
| SHA256 | 8de47242f593ec8ec92291261a5c4a90b8f74f103e0975a3a3bffb994b110ab2 |
| SHA512 | cf834f653619cab45537bed8588c4cc1a2f4448eba89e9668b0a687c48aad969e16c5e0c4d492af0f5a562183bcd6aca573b67e8e5eb0de30385e02b16951383 |
C:\Windows\system\lOnAvJn.exe
| MD5 | 686e4f778dd7be324d5f2663a7a3e48a |
| SHA1 | 576aaf98ab2f5967e5c9e53aade92c3ea40bcf45 |
| SHA256 | 0b9522026e24392c5babb300284a26c972fdf39f492bc3b820388f31c1585d66 |
| SHA512 | 0901240ba7fee2f79b78ea02f9f10e2a78030eb111a6ae16b22cab30e6b7dcc12984a1817283fc8206c1144e2cc4ef1e20d83d7141e9ede7694cabf2cf2bfe65 |
C:\Windows\system\hgMmmdq.exe
| MD5 | c4fdd889d7050c9cb93e4fb17b1222c4 |
| SHA1 | 8442ed3fb0d6a44d88b3ca6daa4330eadf1973f7 |
| SHA256 | 3010aaafa4d98a679a61ac94944987e99e7245dfacac6253125070363d813616 |
| SHA512 | f8c138d91a8c987fa29033f3f7305a014c9860562ccea984c544912fcd778bb3612ba3d5c75de1faa05a27262673842cd1b55b5703471f6e336fe91d395aeea0 |
C:\Windows\system\UBAWINe.exe
| MD5 | b9bbd07a570f51fcd30cfa4a537a2179 |
| SHA1 | e2ec4cb32506049a75c4c41f42a28a114c8f0462 |
| SHA256 | 9988dd32881c04171a5c0489778cfebdb526f64534fccd096bc98a209c94b3f5 |
| SHA512 | f285f9d27fc9aec3f369e8853d0c365a72a32ab996034aaa9db237420147bc433b9b8955d993bd2f743ed30c1c27296131bc8a13088605739e255193afd8246d |
C:\Windows\system\wssTifm.exe
| MD5 | a8ee833c2fa8e99a21df54811cd543ec |
| SHA1 | b6f4fe6e68a2db5465b42347bca86b8985a653b7 |
| SHA256 | f246540697cfbbabb890dc6352f717a22fdb04bdc82d540e35f59a26f0403bf0 |
| SHA512 | ad5bd0a5ae29628c337e99eec2dfc3647afce44d13ecab97f8e1a1fc55f05d41118fcd33c4a4f333f5853e0b03a9104ff643eb05b13c0c07525fc817f431657a |
C:\Windows\system\pKzlCVU.exe
| MD5 | bdd189ffba8bfe3b17f9f339b028e323 |
| SHA1 | 72bc6b370ce4e5e8745a80e7735f704375c780b1 |
| SHA256 | d6dbc929bda9e09ac6785884071d6734217f0f166e6e280736b18aa9fec5f0be |
| SHA512 | 8f5a194e034fed6c1fbffc39d3309a99e2cc08c0e040f84d45b6e53bec3b00184e0da712bb1a415165465a3ce8da60f1c47fe3995aaf06b5435cd7154301488e |