Analysis Overview
SHA256
703b35b12a84f9270e7a6379976008337f4c022d847439da1b487c3f70aa5aca
Threat Level: Known bad
The file 2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobaltstrike
Xmrig family
Cobalt Strike reflective loader
xmrig
Cobaltstrike family
UPX dump on OEP (original entry point)
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 00:48
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 00:48
Reported
2024-05-30 00:50
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\IeygzgX.exe | N/A |
| N/A | N/A | C:\Windows\System\RdifDyI.exe | N/A |
| N/A | N/A | C:\Windows\System\iVdumIr.exe | N/A |
| N/A | N/A | C:\Windows\System\CodYHFw.exe | N/A |
| N/A | N/A | C:\Windows\System\yBspDjo.exe | N/A |
| N/A | N/A | C:\Windows\System\HlChjTn.exe | N/A |
| N/A | N/A | C:\Windows\System\mrCxhrE.exe | N/A |
| N/A | N/A | C:\Windows\System\HkrNPbw.exe | N/A |
| N/A | N/A | C:\Windows\System\UrSWwAt.exe | N/A |
| N/A | N/A | C:\Windows\System\EdxzvlF.exe | N/A |
| N/A | N/A | C:\Windows\System\twHQHqa.exe | N/A |
| N/A | N/A | C:\Windows\System\OCDrmoN.exe | N/A |
| N/A | N/A | C:\Windows\System\JAteAEF.exe | N/A |
| N/A | N/A | C:\Windows\System\ERMqBGh.exe | N/A |
| N/A | N/A | C:\Windows\System\wmwSWPJ.exe | N/A |
| N/A | N/A | C:\Windows\System\EUgnXPe.exe | N/A |
| N/A | N/A | C:\Windows\System\kyCiUlt.exe | N/A |
| N/A | N/A | C:\Windows\System\mWkADVy.exe | N/A |
| N/A | N/A | C:\Windows\System\cedeWaw.exe | N/A |
| N/A | N/A | C:\Windows\System\krHduXp.exe | N/A |
| N/A | N/A | C:\Windows\System\FUkwzmF.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\IeygzgX.exe | C:\Windows\System\IeygzgX.exe |
| C:\Windows\System\RdifDyI.exe | C:\Windows\System\RdifDyI.exe |
| C:\Windows\System\iVdumIr.exe | C:\Windows\System\iVdumIr.exe |
| C:\Windows\System\CodYHFw.exe | C:\Windows\System\CodYHFw.exe |
| C:\Windows\System\yBspDjo.exe | C:\Windows\System\yBspDjo.exe |
| C:\Windows\System\HlChjTn.exe | C:\Windows\System\HlChjTn.exe |
| C:\Windows\System\mrCxhrE.exe | C:\Windows\System\mrCxhrE.exe |
| C:\Windows\System\HkrNPbw.exe | C:\Windows\System\HkrNPbw.exe |
| C:\Windows\System\UrSWwAt.exe | C:\Windows\System\UrSWwAt.exe |
| C:\Windows\System\EdxzvlF.exe | C:\Windows\System\EdxzvlF.exe |
| C:\Windows\System\twHQHqa.exe | C:\Windows\System\twHQHqa.exe |
| C:\Windows\System\OCDrmoN.exe | C:\Windows\System\OCDrmoN.exe |
| C:\Windows\System\JAteAEF.exe | C:\Windows\System\JAteAEF.exe |
| C:\Windows\System\ERMqBGh.exe | C:\Windows\System\ERMqBGh.exe |
| C:\Windows\System\wmwSWPJ.exe | C:\Windows\System\wmwSWPJ.exe |
| C:\Windows\System\EUgnXPe.exe | C:\Windows\System\EUgnXPe.exe |
| C:\Windows\System\kyCiUlt.exe | C:\Windows\System\kyCiUlt.exe |
| C:\Windows\System\mWkADVy.exe | C:\Windows\System\mWkADVy.exe |
| C:\Windows\System\cedeWaw.exe | C:\Windows\System\cedeWaw.exe |
| C:\Windows\System\krHduXp.exe | C:\Windows\System\krHduXp.exe |
| C:\Windows\System\FUkwzmF.exe | C:\Windows\System\FUkwzmF.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.126.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\IeygzgX.exe
| MD5 | 7bb8baa084873f040fc7a04cf5c8d37e |
| SHA1 | 17c78436fab806c42422acd36dacbd8b5e237666 |
| SHA256 | 9dcda4b48f6ee883e742447a92569d334b3dc3124bc3192e12156039d1794eda |
| SHA512 | d3fc171b15be5b4eeaeb74ee54113f8e10a88f1d59df2e90af621a216bc04320320dfb7dd976520a2a8c8cdfd3dc756deaa82e6f335fb31aa31a25c9c79de576 |
C:\Windows\System\iVdumIr.exe
| MD5 | 674c9103cabc53ec65f3ec5ad50882bd |
| SHA1 | bbbd81c751d53f785c87d9442a6f2578428d6bb3 |
| SHA256 | d9603b9a9023b8fb1c5a8cbc3582289dce5164e3f238abd84793a4da52f373e7 |
| SHA512 | ed2d94d2c4893b746193e2f12954722c69f9cc4248a4e8874b4c0e4b92b2719985c9cf111b52a902e9cfa256012f86f3135906b670d40bff7ffc657a5216382e |
C:\Windows\System\RdifDyI.exe
| MD5 | ea8211ea91658bb56448023104a033a8 |
| SHA1 | 6b13e1187989df1f16515414a94c9b5328dd1025 |
| SHA256 | 9320fb36e43c0abf28504c602b17686ff60a5da95373fed688f3492ec1d4bab9 |
| SHA512 | 9fdb3de00cbd346d4a24adc5d7992a2472be4af453a0f02b5ce05c3603bf347b1afcaff92f3962954803d30b907d0d59142409c37bec1ee3fd40962f872169e6 |
C:\Windows\System\CodYHFw.exe
| MD5 | 152b752ff7003eb0efc4ee587ae747c1 |
| SHA1 | 44bd4fe29c4c3d82c6a712a66f36aea9f047121a |
| SHA256 | 48725502d15422b8ff4f5de369eca2da9973d555e4df222785f40bd850d54aa1 |
| SHA512 | c1f3c66f65ac9df72cc5c2f66afdf3cfa92da131e6a8f52cbcd0ed362b8bb0f5c0e9e587ff7fbab544ab0f136179c94765fd343ad43c6dc540e179ded26d8f73 |
C:\Windows\System\yBspDjo.exe
| MD5 | c16da80218f1bd9b08f86cb63a8aacea |
| SHA1 | 9465ffbc1d184c17ea6780830ec4bafa15f9f3cb |
| SHA256 | 59b4d21a997f956bfb26b4b99084f6909735b599e6a81f716bc8ae413dba574d |
| SHA512 | 5e5b0079bef709aac01c64e11e5fe658f34a49a33781c08c64bbe2b69dbf49bed40da3c5beb24893e16e740a521b600067f470b12e1bbfe762b56826493157d0 |
C:\Windows\System\HlChjTn.exe
| MD5 | b341c8499b65f4779e0b92973f241c4f |
| SHA1 | 543ebc268ff51a61371463bdac807dbfe0b85ca2 |
| SHA256 | c51402b4b189faaca8d54f09b1658b96a543c728fdfce03b5371b76e86236dd9 |
| SHA512 | 1393fd72bae23faa46a34db84c87ab1043cf9cd5490d6a8123f6e71f6a6ca3615956a67c7e05403e8a67fcb3a13e588bebfe5b73c7bb1d6bb54113e56248f235 |
C:\Windows\System\mrCxhrE.exe
| MD5 | bc89955d9e1fd2d5e1eea3458c454e99 |
| SHA1 | 1ccab6024bf49f3664bed4804c80d9855e983b9e |
| SHA256 | 7190a4230f429b62fc0ca12db8c124d2e32691d0f444bae8160f2f88b17ef138 |
| SHA512 | 94ad32ae947b17acf6ca452a0e68b55bcc4f39e15184d1b3413b7560b5f1d2a788fec7db7a3b86bcc4baf3eeb687697dbf88d36f070986b24d471b6872a95120 |
C:\Windows\System\HkrNPbw.exe
| MD5 | 2911931d3b0315dc8c86b763db6d2d29 |
| SHA1 | e5a7fb55096c85423a810dc41d24a6b9f350b9a5 |
| SHA256 | 8f705c895f1e9bbf6d73893f5c3d81eb4ae589219067cab952a6d81e92246ea6 |
| SHA512 | 5f733273c1b2c593f2eaae520a8369bab6b51720bea718822a97e1e485b674e078c5319b9518007ce6cd21580b19c5d39edeb18e31652bd344c00b201bc6616a |
C:\Windows\System\UrSWwAt.exe
| MD5 | 570a37348cb661bc675e644c5ce3907c |
| SHA1 | 7cd370adaa48d989a36632352bf6b66b81773427 |
| SHA256 | 1a295fa89b8ad35f76fea09bc5dce695010e06278931f6f39c90611519c46d21 |
| SHA512 | 986a0726097b1c0a01023bc15cd6a049bbbe8adf88737efc493aa846a2b6a925c4848fc2d49061b5f05156cee43a5f1f9083c0d6de843be441e43c20f8ad3332 |
C:\Windows\System\EdxzvlF.exe
| MD5 | 8b9580b9fdeed944ba64def301925e21 |
| SHA1 | 3d31da526325c188701c861207b96efc99994de1 |
| SHA256 | 53bb6f26c522bc43229d9549a149ee458afb1eac58ae76e3ca2d3a9a60e51508 |
| SHA512 | 1f569c212d8f8234bfe3aecd8a5b4cfc9666b58e6799f8163eb56d360a20ecdc0e2e562b8399a6ddcdf568c15715b6ce78a84533da0a4189e876d9ad4797511e |
C:\Windows\System\twHQHqa.exe
| MD5 | 90bb09044a6999c535677523d79e2f3a |
| SHA1 | 21facb5e6a9720df8c5f7d4b8fa56f328bb074c9 |
| SHA256 | 5b637cc2113cb32e18ca63603849ea25b971f514ce11ed621048a38f1e9dffdf |
| SHA512 | b6a1a5e17921f7f5df5fb4c86fd302b6b905dc4a4fba80537ee39be6a0e877e8b8bfdef01f213dd901dc8a0690e6c522e63fffef77ae666f0a80ed06d18d1d2f |
C:\Windows\System\OCDrmoN.exe
| MD5 | 0e1ecd8d787545861ac2a1ba2d6c113b |
| SHA1 | 44fca19a7ad48db844edf03399bffe3b78a68fa9 |
| SHA256 | 3664a0f62f8fe12387652ffb2bc14dbd76eb13bed513845015492e39c813aa5b |
| SHA512 | 7192eadece8cf5c9a0e9dfe153fac30923c3b6b9d399bab52de4fdc0ae7cb8f106ee41c033b3d6ff86609795572c90d011c04dbd3f7e49add762c7f16873377e |
C:\Windows\System\kyCiUlt.exe
| MD5 | e9f1890dca0f1a527aa12a1381dff050 |
| SHA1 | f4a9e42bd9a3d69ec7152a03fdd94f8489b8e349 |
| SHA256 | 63bd35c4631d4bad51367a18436fffe43449dfbc7432977b7f0d705ae71211f6 |
| SHA512 | 55690577b29a1902f9575424912a27dade3f8df1e49f479ad7701d60d076265827a72244b5fccab4bb768af894bd9664c2d6331d9b56e4fe3a0e44fd1fe5ee34 |
C:\Windows\System\mWkADVy.exe
| MD5 | c9ef05d37a22bdffc887ba403f5b2fb8 |
| SHA1 | 57b791a0b00f76a8aa5d07c53da73040f197d525 |
| SHA256 | bc01ac5023cb52bd2052dfbd8efc87593222e46b4d32ed7ff8af0e0dec78b46f |
| SHA512 | 524c2010e2e8c5d6a3fe4445e99ff9e6913dcd648bc52cf2b4ca2f2ceb52152e82941c5232e67b77bd16f049c031f03190f8a0bf517d372e63905e0a247a315e |
C:\Windows\System\krHduXp.exe
| MD5 | 53305762c43833b08a6b7be131e5beaf |
| SHA1 | 7cb46cc971c8eb312e82ae41c567faa4169ca633 |
| SHA256 | f1e2244afd4b72cd79d89eb1dd458f80cdb553239cc7e9a64904ba36a66b3ab0 |
| SHA512 | c349fe714686904ef99b11f9f167e80fe523171f84ad5e24ef775dc31e2bc4c03aec2c1570d7e1e03ce40f3fc62058879cf59e6dfaeeda7b210cf818c0d76405 |
C:\Windows\System\cedeWaw.exe
| MD5 | 3bc1d25d6779700122f928e7cc51b914 |
| SHA1 | 7d9ed28e096cd4d3a54b9f7817f6663d8115f9d8 |
| SHA256 | abf0573a31ed8548cfbf7c0fdb47be289842115a6e5ea366d2e3dcd5dfd22165 |
| SHA512 | 142a94083a4bc391e9c56b30d26095ca3d077868048b0a204eb8fb042fc8e481bcd3b1202d0588dabb6cc2322ec1cf254bfd2debc535c09f452257e65023ec50 |
C:\Windows\System\EUgnXPe.exe
| MD5 | 25829a209ac315159b97fc292c48e439 |
| SHA1 | ac68e092a5552877113f00f19a6843f847f2c1c4 |
| SHA256 | 05e60094b66b5de390442bff344b8c861a3b07a046cee6018ab9db923fef78fa |
| SHA512 | 57d07b7fde279ae9488986c9ee716f928b01b3a360976e5ec4dc44a3906e96a0b2c811affc542120c80776370305ef31ad8c7c09a0c62df1fbeccfa8eef79153 |
C:\Windows\System\wmwSWPJ.exe
| MD5 | bb491dd4f2acf526fae41c972075910f |
| SHA1 | e9f683aca78b23832c609ef67afd96c71cdd9368 |
| SHA256 | 80b71d14b12b26c3cdbade4f92ed0d11d837c8065406fad8beabc4b282e97fd2 |
| SHA512 | f4d485f28346170c0ff460de3a61348047694dbb14b3a0cfc275f0d1c36485b44bdf3e9a423a590ef6898c589b18a22e5731c592cf9481b208ff1900f1ad2c3f |
C:\Windows\System\JAteAEF.exe
| MD5 | 28173ad6129c6cfd208685517afda711 |
| SHA1 | 50158f7c832de193a8a2593863c3a237677dcc5d |
| SHA256 | e3f5000754d3beecc1af8367b4ca486b452637bdf1176888bd756f0386e6609e |
| SHA512 | 3cee5efbd53a5cebf947d004a9f0b72a8ed636b70b731957c9ca83e4d138016d05289ae82e9a9511d409edf34c1409d21535055fc81a1c9d7ff7e276713a50e8 |
C:\Windows\System\ERMqBGh.exe
| MD5 | 9db6286379a81fb865ea838347ecc246 |
| SHA1 | 749a88c88db36f7ec00b96a75eb7a01e77be05d1 |
| SHA256 | cf52df057dff245eb5ac05e03af3e5926cd79014060a9dbab4153e6e151cb899 |
| SHA512 | 8b08b8a8a1442804700ae808f3eb1f57e5111201af7cd04502481ce51fc2f1eadd68e6b1e1975f0ce1cc26c8e6f0fa8f4f64e41789a7ef7a8b03cf4b1b9fe628 |
C:\Windows\System\FUkwzmF.exe
| MD5 | e8e17c23c782315dbbc3d86a5438df08 |
| SHA1 | 5041a8d349b272245215b6bd9a7b919f676c75d1 |
| SHA256 | 67c553b9792a3b8eaa31181e11695715ceaa2c04b8e02543acf49c175638ba80 |
| SHA512 | 48d694ebb002c70d1fceb968dabcb25601fc993cafc91eaef7e7cb1681953dbdce265f36a2656eb449ed3899ff214b6a1965e1fe558493211ee198ea766838c5 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 00:48
Reported
2024-05-30 00:50
Platform
win7-20240508-en
Max time kernel
140s
Max time network
149s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\IeygzgX.exe | N/A |
| N/A | N/A | C:\Windows\System\RdifDyI.exe | N/A |
| N/A | N/A | C:\Windows\System\iVdumIr.exe | N/A |
| N/A | N/A | C:\Windows\System\CodYHFw.exe | N/A |
| N/A | N/A | C:\Windows\System\yBspDjo.exe | N/A |
| N/A | N/A | C:\Windows\System\HlChjTn.exe | N/A |
| N/A | N/A | C:\Windows\System\mrCxhrE.exe | N/A |
| N/A | N/A | C:\Windows\System\HkrNPbw.exe | N/A |
| N/A | N/A | C:\Windows\System\UrSWwAt.exe | N/A |
| N/A | N/A | C:\Windows\System\EdxzvlF.exe | N/A |
| N/A | N/A | C:\Windows\System\twHQHqa.exe | N/A |
| N/A | N/A | C:\Windows\System\OCDrmoN.exe | N/A |
| N/A | N/A | C:\Windows\System\JAteAEF.exe | N/A |
| N/A | N/A | C:\Windows\System\ERMqBGh.exe | N/A |
| N/A | N/A | C:\Windows\System\wmwSWPJ.exe | N/A |
| N/A | N/A | C:\Windows\System\EUgnXPe.exe | N/A |
| N/A | N/A | C:\Windows\System\mWkADVy.exe | N/A |
| N/A | N/A | C:\Windows\System\krHduXp.exe | N/A |
| N/A | N/A | C:\Windows\System\kyCiUlt.exe | N/A |
| N/A | N/A | C:\Windows\System\cedeWaw.exe | N/A |
| N/A | N/A | C:\Windows\System\FUkwzmF.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\IeygzgX.exe | C:\Windows\System\IeygzgX.exe |
| C:\Windows\System\RdifDyI.exe | C:\Windows\System\RdifDyI.exe |
| C:\Windows\System\iVdumIr.exe | C:\Windows\System\iVdumIr.exe |
| C:\Windows\System\CodYHFw.exe | C:\Windows\System\CodYHFw.exe |
| C:\Windows\System\yBspDjo.exe | C:\Windows\System\yBspDjo.exe |
| C:\Windows\System\HlChjTn.exe | C:\Windows\System\HlChjTn.exe |
| C:\Windows\System\mrCxhrE.exe | C:\Windows\System\mrCxhrE.exe |
| C:\Windows\System\HkrNPbw.exe | C:\Windows\System\HkrNPbw.exe |
| C:\Windows\System\UrSWwAt.exe | C:\Windows\System\UrSWwAt.exe |
| C:\Windows\System\EdxzvlF.exe | C:\Windows\System\EdxzvlF.exe |
| C:\Windows\System\twHQHqa.exe | C:\Windows\System\twHQHqa.exe |
| C:\Windows\System\OCDrmoN.exe | C:\Windows\System\OCDrmoN.exe |
| C:\Windows\System\JAteAEF.exe | C:\Windows\System\JAteAEF.exe |
| C:\Windows\System\ERMqBGh.exe | C:\Windows\System\ERMqBGh.exe |
| C:\Windows\System\wmwSWPJ.exe | C:\Windows\System\wmwSWPJ.exe |
| C:\Windows\System\EUgnXPe.exe | C:\Windows\System\EUgnXPe.exe |
| C:\Windows\System\kyCiUlt.exe | C:\Windows\System\kyCiUlt.exe |
| C:\Windows\System\mWkADVy.exe | C:\Windows\System\mWkADVy.exe |
| C:\Windows\System\cedeWaw.exe | C:\Windows\System\cedeWaw.exe |
| C:\Windows\System\krHduXp.exe | C:\Windows\System\krHduXp.exe |
| C:\Windows\System\FUkwzmF.exe | C:\Windows\System\FUkwzmF.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files