Analysis Overview
SHA256
ddfee2a689fb51786f36360f2c80e3a08d89b91f9549f06eaee57e0c3191f90b
Threat Level: Known bad
The file 2024-05-30_866ccef6e69777c049b405b535536727_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
UPX dump on OEP (original entry point)
xmrig
Cobaltstrike
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Cobaltstrike family
UPX dump on OEP (original entry point)
XMRig Miner payload
Detects Reflective DLL injection artifacts
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 10:06
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 10:06
Reported
2024-05-30 10:09
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\zTvFWNQ.exe | N/A |
| N/A | N/A | C:\Windows\System\QRvxPTh.exe | N/A |
| N/A | N/A | C:\Windows\System\ZAMnRJK.exe | N/A |
| N/A | N/A | C:\Windows\System\GAhatzi.exe | N/A |
| N/A | N/A | C:\Windows\System\kjQqksP.exe | N/A |
| N/A | N/A | C:\Windows\System\rvejgtM.exe | N/A |
| N/A | N/A | C:\Windows\System\vHDWlFW.exe | N/A |
| N/A | N/A | C:\Windows\System\EIsIuRe.exe | N/A |
| N/A | N/A | C:\Windows\System\vkCfCKh.exe | N/A |
| N/A | N/A | C:\Windows\System\bwLBdeK.exe | N/A |
| N/A | N/A | C:\Windows\System\KnIwTGQ.exe | N/A |
| N/A | N/A | C:\Windows\System\GvfRfzy.exe | N/A |
| N/A | N/A | C:\Windows\System\RQXIkBs.exe | N/A |
| N/A | N/A | C:\Windows\System\zkxwaDG.exe | N/A |
| N/A | N/A | C:\Windows\System\rULncLB.exe | N/A |
| N/A | N/A | C:\Windows\System\BUkYsRi.exe | N/A |
| N/A | N/A | C:\Windows\System\OcRGzlK.exe | N/A |
| N/A | N/A | C:\Windows\System\ofzQBXp.exe | N/A |
| N/A | N/A | C:\Windows\System\HBiyMVH.exe | N/A |
| N/A | N/A | C:\Windows\System\FNxPrpi.exe | N/A |
| N/A | N/A | C:\Windows\System\vlICcsR.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_866ccef6e69777c049b405b535536727_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_866ccef6e69777c049b405b535536727_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_866ccef6e69777c049b405b535536727_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_866ccef6e69777c049b405b535536727_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\zTvFWNQ.exe
C:\Windows\System\zTvFWNQ.exe
C:\Windows\System\QRvxPTh.exe
C:\Windows\System\QRvxPTh.exe
C:\Windows\System\ZAMnRJK.exe
C:\Windows\System\ZAMnRJK.exe
C:\Windows\System\GAhatzi.exe
C:\Windows\System\GAhatzi.exe
C:\Windows\System\kjQqksP.exe
C:\Windows\System\kjQqksP.exe
C:\Windows\System\rvejgtM.exe
C:\Windows\System\rvejgtM.exe
C:\Windows\System\vHDWlFW.exe
C:\Windows\System\vHDWlFW.exe
C:\Windows\System\EIsIuRe.exe
C:\Windows\System\EIsIuRe.exe
C:\Windows\System\vkCfCKh.exe
C:\Windows\System\vkCfCKh.exe
C:\Windows\System\bwLBdeK.exe
C:\Windows\System\bwLBdeK.exe
C:\Windows\System\KnIwTGQ.exe
C:\Windows\System\KnIwTGQ.exe
C:\Windows\System\GvfRfzy.exe
C:\Windows\System\GvfRfzy.exe
C:\Windows\System\RQXIkBs.exe
C:\Windows\System\RQXIkBs.exe
C:\Windows\System\zkxwaDG.exe
C:\Windows\System\zkxwaDG.exe
C:\Windows\System\rULncLB.exe
C:\Windows\System\rULncLB.exe
C:\Windows\System\BUkYsRi.exe
C:\Windows\System\BUkYsRi.exe
C:\Windows\System\OcRGzlK.exe
C:\Windows\System\OcRGzlK.exe
C:\Windows\System\ofzQBXp.exe
C:\Windows\System\ofzQBXp.exe
C:\Windows\System\HBiyMVH.exe
C:\Windows\System\HBiyMVH.exe
C:\Windows\System\FNxPrpi.exe
C:\Windows\System\FNxPrpi.exe
C:\Windows\System\vlICcsR.exe
C:\Windows\System\vlICcsR.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4572,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| BE | 88.221.83.184:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 184.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 10:06
Reported
2024-05-30 10:09
Platform
win7-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\wjTZEmX.exe | N/A |
| N/A | N/A | C:\Windows\System\viCpNks.exe | N/A |
| N/A | N/A | C:\Windows\System\rIdIIzH.exe | N/A |
| N/A | N/A | C:\Windows\System\gsEQYPo.exe | N/A |
| N/A | N/A | C:\Windows\System\UITwPLN.exe | N/A |
| N/A | N/A | C:\Windows\System\olzvSMA.exe | N/A |
| N/A | N/A | C:\Windows\System\lWGttPN.exe | N/A |
| N/A | N/A | C:\Windows\System\eszExGB.exe | N/A |
| N/A | N/A | C:\Windows\System\tzKQWkf.exe | N/A |
| N/A | N/A | C:\Windows\System\occfYTV.exe | N/A |
| N/A | N/A | C:\Windows\System\KIHwHwy.exe | N/A |
| N/A | N/A | C:\Windows\System\HVulUah.exe | N/A |
| N/A | N/A | C:\Windows\System\GVjbrRP.exe | N/A |
| N/A | N/A | C:\Windows\System\WXjRUYs.exe | N/A |
| N/A | N/A | C:\Windows\System\swbpZwZ.exe | N/A |
| N/A | N/A | C:\Windows\System\sxwUdif.exe | N/A |
| N/A | N/A | C:\Windows\System\xbLXdPW.exe | N/A |
| N/A | N/A | C:\Windows\System\riUIkzc.exe | N/A |
| N/A | N/A | C:\Windows\System\WbqmNCp.exe | N/A |
| N/A | N/A | C:\Windows\System\qVPlutd.exe | N/A |
| N/A | N/A | C:\Windows\System\ksJnVhB.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_866ccef6e69777c049b405b535536727_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_866ccef6e69777c049b405b535536727_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_866ccef6e69777c049b405b535536727_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_866ccef6e69777c049b405b535536727_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\wjTZEmX.exe
C:\Windows\System\wjTZEmX.exe
C:\Windows\System\viCpNks.exe
C:\Windows\System\viCpNks.exe
C:\Windows\System\rIdIIzH.exe
C:\Windows\System\rIdIIzH.exe
C:\Windows\System\gsEQYPo.exe
C:\Windows\System\gsEQYPo.exe
C:\Windows\System\UITwPLN.exe
C:\Windows\System\UITwPLN.exe
C:\Windows\System\olzvSMA.exe
C:\Windows\System\olzvSMA.exe
C:\Windows\System\lWGttPN.exe
C:\Windows\System\lWGttPN.exe
C:\Windows\System\eszExGB.exe
C:\Windows\System\eszExGB.exe
C:\Windows\System\tzKQWkf.exe
C:\Windows\System\tzKQWkf.exe
C:\Windows\System\HVulUah.exe
C:\Windows\System\HVulUah.exe
C:\Windows\System\occfYTV.exe
C:\Windows\System\occfYTV.exe
C:\Windows\System\GVjbrRP.exe
C:\Windows\System\GVjbrRP.exe
C:\Windows\System\KIHwHwy.exe
C:\Windows\System\KIHwHwy.exe
C:\Windows\System\WXjRUYs.exe
C:\Windows\System\WXjRUYs.exe
C:\Windows\System\swbpZwZ.exe
C:\Windows\System\swbpZwZ.exe
C:\Windows\System\sxwUdif.exe
C:\Windows\System\sxwUdif.exe
C:\Windows\System\xbLXdPW.exe
C:\Windows\System\xbLXdPW.exe
C:\Windows\System\riUIkzc.exe
C:\Windows\System\riUIkzc.exe
C:\Windows\System\WbqmNCp.exe
C:\Windows\System\WbqmNCp.exe
C:\Windows\System\qVPlutd.exe
C:\Windows\System\qVPlutd.exe
C:\Windows\System\ksJnVhB.exe
C:\Windows\System\ksJnVhB.exe
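The process list above shows one pattern worth turning into a rule: the sample in the user's Temp directory spawns a run of executables from C:\Windows\System, each with a random 7-letter name. Legitimate binaries live in System32 and SysWOW64; the legacy C:\Windows\System directory is rarely written to, so a rule can key on that exact directory without matching System32. Below is an added example of that detection logic, not part of the sandbox report: it runs over constructed process-creation events whose image paths are taken from the list above, while the pids, ppids and the svchost.exe control entry are assumptions. (The SeLockMemoryPrivilege requests in the AdjustPrivilegeToken table are a separate signal, the privilege XMRig needs for large pages, and are not covered by this rule.)

```python
"""Flag the drop-and-execute pattern from the process list.

Added example, not code from the sandbox report.  Only the image paths come
from the report; pids, ppids and the svchost.exe entry are made up.
"""
import re
from collections import Counter

# Exact directory check: C:\Windows\System, never System32 or SysWOW64.
DROP_DIR = r"c:\windows\system"
# The dropped names in the report are seven mixed-case letters plus .exe.
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")
USER_TEMP = "\\appdata\\local\\temp\\"

# Constructed process-creation events: (pid, ppid, image).
EVENTS = [
    (1192, 800, r"C:\Users\Admin\AppData\Local\Temp\2024-05-30_866ccef6e69777c049b405b535536727_cobalt-strike_cobaltstrike.exe"),
    (2872, 1192, r"C:\Windows\System\wjTZEmX.exe"),
    (2312, 1192, r"C:\Windows\System\viCpNks.exe"),
    (2892, 1192, r"C:\Windows\System\rIdIIzH.exe"),
    (3064, 1192, r"C:\Windows\System\gsEQYPo.exe"),
    (4100, 800, r"C:\Windows\System32\svchost.exe"),   # benign control: System32, not System
    (4200, 4100, r"C:\Windows\System\KIHwHwy.exe"),   # same directory, parent is not in Temp
]


def split_path(image):
    """Return (lower-cased directory, original basename) of a Windows path."""
    directory, _, name = image.rpartition("\\")
    return directory.lower(), name


def is_random_drop(image):
    """True for a 7-letter .exe located directly in C:\\Windows\\System."""
    directory, name = split_path(image)
    return directory == DROP_DIR and RANDOM_NAME.match(name) is not None


def find_drops(events):
    """One hit per suspicious child, with the reasons that fired."""
    images = {pid: image for pid, _, image in events}
    hits = []
    for pid, ppid, image in events:
        if not is_random_drop(image):
            continue
        reasons = ["random 7-letter executable in C:\\Windows\\System"]
        if USER_TEMP in images.get(ppid, "").lower():
            reasons.append("parent executes from a user Temp directory")
        hits.append({"pid": pid, "ppid": ppid, "image": image, "reasons": reasons})
    return hits


def prolific_parents(hits, min_children=3):
    """Parents that spawned at least min_children flagged executables."""
    counts = Counter(h["ppid"] for h in hits)
    return {ppid for ppid, n in counts.items() if n >= min_children}


if __name__ == "__main__":
    for hit in find_drops(EVENTS):
        print(hit["pid"], hit["image"], "; ".join(hit["reasons"]))
    print("prolific parents:", prolific_parents(find_drops(EVENTS)))
```

The single-child hit from the svchost.exe parent scores lower than the four children of the Temp executable, and the parent count is what separates this sample's burst of drops from a one-off installer writing an odd file.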
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1192-0-0x000000013F600000-0x000000013F954000-memory.dmp
memory/1192-1-0x0000000000080000-0x0000000000090000-memory.dmp
memory/2872-9-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/1192-8-0x0000000002290000-0x00000000025E4000-memory.dmp
C:\Windows\system\wjTZEmX.exe
| MD5 | e1e79e4f2eaa8ae7a8fa602fe0103e1a |
| SHA1 | 8fc90a207ece14b0f41ad4cfa57a509a7f7ca563 |
| SHA256 | df161a878acafb5f11e3750c81340d93c0ad25c886d60d0c0177233309b9f338 |
| SHA512 | bc7ed989fc3d29ef308440388fcdd3c06a3888917075059d625f01732ec46064f6151a6ec5ff04b6cc19f50fd86850f2ca1444fa5d999a0f8e10ee9061e8d344 |
\Windows\system\viCpNks.exe
| MD5 | e967fe5b0250873008cb8ee34f9f4dbd |
| SHA1 | 9a06a2993eb0ea0f1335609c73faa77a2596ce43 |
| SHA256 | dcc3b717986cf625e04888c83b8e865eca6b62307132c1110233a1c114dcbfc7 |
| SHA512 | 7881392de487c0e2e61a5a6366ade487631d01ed3f8286139f4e0bd8b7c6e86c883eca9c7e38ee92fc922282e3b3f3c828fdf16cb117e8aae4675204d5973160 |
\Windows\system\rIdIIzH.exe
| MD5 | b823de3949f58ac68b35e10f7aee62a2 |
| SHA1 | d8c96013cfa5fbdc7d950c9fb5a4d03b51940c5b |
| SHA256 | 75bb71a9dbbca257a800d3993b32be2772d055735ac0df3e1e5a5c4c2c60f3c6 |
| SHA512 | 6ab8f5373b09947c323af6c67fc10f133df9ecdd1f1332e598dc35d4943c21198280cad2b6f1e21935cc64b2997d5013c77aa73e100b3c4fc15ba5faf6f4de2c |
memory/2892-22-0x000000013FDB0000-0x0000000140104000-memory.dmp
C:\Windows\system\gsEQYPo.exe
| MD5 | 68d1c8009463cb80e414a3d10b7acbc2 |
| SHA1 | 0950fe016333e2ecd3756642344aa726c93dfd09 |
| SHA256 | f767c3aafa9ac9063a8a1c08079226c2bd9dcb0103f3f62f5f98d759b8cc6795 |
| SHA512 | 0566f4a1c268c6097031e7998a977ca7fbf45e216e41487233a3a67df0abca8675a2bf1cba2564258711617639a5b75c61b522917b7d47828e69304f0fdf86ed |
C:\Windows\system\UITwPLN.exe
| MD5 | 5f0aa86c214a53f2a6aec4591e332bb5 |
| SHA1 | 9740b9e862daf3f3f0bb060c1b2c8b701dc93805 |
| SHA256 | 338e28db015b94bbd7b4ef976839f6746b9560948a28d75883f0f1898b289034 |
| SHA512 | e344a4e6617be41e54e4e6058a9cb717d50ac0b8941126ae59b28b183f77af85926c5014f611ae82bc698654835ac0611cfe95b5b92edc1a61c6f99380b61ae6 |
memory/2644-34-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
\Windows\system\olzvSMA.exe
| MD5 | fb03bf981d6364df159057322d819707 |
| SHA1 | 156732741513ad14c69b9faf84195d814ce68a96 |
| SHA256 | 7f9150eb91b1fe91c090ddec3cf130015bd814d10349356ad75214c32d471d2d |
| SHA512 | 8571390dba14a317f002b92064c17d8bd77ddddc44f6c777a9c3e0f11eb0700a0f1c16a58dfcd360b3f2c210cf19017cb636e0cdf4a8a8c3a7d4134a7f7a72cd |
memory/2728-40-0x000000013F3B0000-0x000000013F704000-memory.dmp
C:\Windows\system\eszExGB.exe
| MD5 | 91a7890f8be0d63ae806bbc636731359 |
| SHA1 | 3e5046a8f0246505caeb446e5a9b2b04672e6ac1 |
| SHA256 | 8aacbfff657e42e24109a55d74010dde530ff6aac8017411feeeab17bc962210 |
| SHA512 | b1a579faf7bcb552341a8d8b5813d2aa5342da41f8eb7c40d4d6e6d849656df41924d18e535cdb6d4bc4d35a706705fc443ce7fe71e82957460bf656833eb593 |
memory/3064-90-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2512-96-0x000000013FDA0000-0x00000001400F4000-memory.dmp
C:\Windows\system\xbLXdPW.exe
| MD5 | 62fa9b94cd946e15e20d3e17b321af9f |
| SHA1 | 3862073da4edb9e29bc99099b350b77fe0d5cc7f |
| SHA256 | 76bb4ee0dcdf9d4ce8c0c0f5aeb1d3a2c5a4b232a9f2eda60761a1446c52bc6a |
| SHA512 | 2cd697d234a859a20b3764bccd00b845ab6a22f6498df784b19f7d77572d3747fb6af2e49e6b10834c5e9826869f2b62cf850a0055fb016b482bb2dd7362f9b7 |
C:\Windows\system\qVPlutd.exe
| MD5 | 35635dec0276f0c0b9128ae9f51e1e3f |
| SHA1 | 7f85e239fa4fcebc27b0255cfd13cb3ed4c44da8 |
| SHA256 | 13b69682ccc553057a9f9a9580c8f12c5d4d173db94b1efcd0258c6d3525418f |
| SHA512 | cb5b53a0934165046dcbb624af65c8b432d47fc28080e84e93cf4bbfd4d3ed8467e97bd480f3b139f519fbecd87ba3d4e92e0bde05357bb42d44ecb74a161d52 |
C:\Windows\system\ksJnVhB.exe
| MD5 | 90e12531db47c0965e4bf8487c3ed130 |
| SHA1 | 4a1d033006a57aacf596f64afb6f7f3c507a0474 |
| SHA256 | b783908c9c96d4f8dacea047374270222065895e16fa4070d17432177933dcd7 |
| SHA512 | 077647b2e3652cf4946b3f1c3798e4ec163ad90666d0572a7aaafc94809c311412b8c1075e0b455d38ee74403c5cf80ab21d3df09357eabf79c779b20e534b4b |
C:\Windows\system\WbqmNCp.exe
| MD5 | 1b9962d4ad91fee9a151a9f3afe013cc |
| SHA1 | 460d18cbc0ddc83dab6204dc244dbd6c8073050b |
| SHA256 | 876f477ada76c079d6e20001a46add53f5a52f3b6b43621294ace9cdd68c5f1a |
| SHA512 | db966d5e2d051c1eef313fd88ea54e856fe9f64dec001ed9f6226d6aa60925c7a0071453ebb48acfe0d5d7d91db2d6152d28da34aea73b2fe82e250b60704c82 |
C:\Windows\system\riUIkzc.exe
| MD5 | d1526c12ca8aafdd4f9dd7e0f426a656 |
| SHA1 | 666adf42c38748628686b6e62b906c495214f642 |
| SHA256 | 48809f55d2810b5760eda4cedb23746587f20f45e1a5f810b943afe38cddec7b |
| SHA512 | 8d823a6be327e365351b0b9bb98139c3911bcfebdbb2c1042cdba66c50f432ce674ff385efef780d634741aa4ac8e59983337b852326539ac1f30762f1c8e979 |
memory/2624-141-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
C:\Windows\system\sxwUdif.exe
| MD5 | 1c8e45415838618a907ad9c447eb6352 |
| SHA1 | 4c05f21f3503e6290e5d1c72865591762beca401 |
| SHA256 | cfe9c7a03b03e66da24047f9efa88cb8581b267dfd4fdb89a77a74f5637dc075 |
| SHA512 | 5371a2a95acfd19588ddd41da1109549f56647c841336ceb943c75a3d45ec4728ebbcfbedaf2fea3b0667a83b00f52a1676d869f08719160c80ac2fdff1a608f |
memory/1192-110-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2728-109-0x000000013F3B0000-0x000000013F704000-memory.dmp
C:\Windows\system\swbpZwZ.exe
| MD5 | 20c5efb5385b57dfa5975b736f5b8cc6 |
| SHA1 | 59b23c88d306de068d984b00b0648cfb4549b82d |
| SHA256 | 521a033c722525ce2f3834dfa93b77d77ed0973a9f3a885ded2b13fe207fe8c8 |
| SHA512 | 35ca318313e285a30962220f607c50967aaef97dc2e764f73c71827c61dcbd0835bd3157afa391fa08efe47087f071c28ae6df87e2b8c70152d3a954853e5e5e |
memory/1960-104-0x000000013F640000-0x000000013F994000-memory.dmp
memory/1192-103-0x0000000002290000-0x00000000025E4000-memory.dmp
C:\Windows\system\WXjRUYs.exe
| MD5 | 45e2cff38ad059bb503aa421738c52e3 |
| SHA1 | 868358b9dc52de76a593dddd0ddcc6c8b395ff3f |
| SHA256 | ff8b2d3a081e9bb6527bfc3123386480eae44f5ae3fce04f0e266d5c8b6b85e4 |
| SHA512 | f528102e16adc8e2a255e1e9a354f1e4b91395667e44c24f29814591ede338a9fa7a61251fd100352f4dc3b8660b34e5a8548407b583dba250816fdaf26ca619 |
memory/2932-95-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2748-143-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/2772-142-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/2716-73-0x000000013FBD0000-0x000000013FF24000-memory.dmp
\Windows\system\GVjbrRP.exe
| MD5 | 30dbaa5ac57174f900ffccefcf6cca9c |
| SHA1 | 4f338ba43c88426b64301ddd854e3c4efe2da615 |
| SHA256 | a2acbbd9cce11de4cbdfc46f9226860bbc3ed9ddaf652464b0f4616889d07d1d |
| SHA512 | f6fcd8ce04e642db13423125bd0771ba4bac874213663d7f81d2c3e2684572d0c00b54d1001ff8bf0524725dd5fc3c5af8935df515c2e6ecdf05ee21714c5d4d |
memory/2644-94-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
\Windows\system\HVulUah.exe
| MD5 | 568e8264452a119de9629a86abd495c9 |
| SHA1 | 5303528028a29082eac91a36da46a0dbd707a265 |
| SHA256 | 8bd6ed2bfcefcc02c66c63f8175a2b7e484e7d5667cf963ed00ab385ef253dd4 |
| SHA512 | 240d0f52b7ec61a723120954c2c1fe9b3e04676a98488fab9f94bed977bb19e76473d106ce6b85ad01c9b2bc32d7cff0ce13766347b27650ab12b28acf71b84b |
memory/2568-88-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/2772-52-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/1192-51-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2892-87-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/1192-86-0x000000013FDA0000-0x00000001400F4000-memory.dmp
C:\Windows\system\KIHwHwy.exe
| MD5 | e911da1aa98706026e8af08265cc058d |
| SHA1 | fed21e16f17e1e8a0029f6de23748d4be3c734c4 |
| SHA256 | d9de4d9aa90760a7d20c68251443fee477c1af4aaf273381623143d0975004ab |
| SHA512 | a9376dca90b745c72972852d1adab1ff3b62fc7312ba062e37d3a184305d436a5ddbca7e7d3304d6bb75f6db131b3c9b88b805eb945d3b25b551e7062b0d473a |
memory/1192-69-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/1192-68-0x000000013F240000-0x000000013F594000-memory.dmp
C:\Windows\system\occfYTV.exe
| MD5 | 6207eb4b6f8a30ddb718178e633d9b00 |
| SHA1 | 884d641366cc4eb44684e33366e98f71da147a34 |
| SHA256 | c6931a5f246991f713f94cab6282bc5659cb2ab3898015230810803c2fa4b21e |
| SHA512 | 19d3c03aca9730ed2e14e68c9edb0d546869169644edb6d840a528596ce3a52c8acc464e595a73ac76ff1a397690c2f390543cc2b13caf6f121376e6839583fb |
memory/2312-66-0x000000013F380000-0x000000013F6D4000-memory.dmp
memory/1192-65-0x0000000002290000-0x00000000025E4000-memory.dmp
memory/2748-63-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/1192-57-0x0000000002290000-0x00000000025E4000-memory.dmp
C:\Windows\system\tzKQWkf.exe
| MD5 | c9d755bcc9ead58fb04abe960a06dfc4 |
| SHA1 | f09ecc00b799b3c3b8b246392b457a466b27d7ee |
| SHA256 | bab16a98a76ddcc6e4ce210c718aa853414709efdd6351146119f743142d12ed |
| SHA512 | 24863bdb772a9e6c17de9918f42be2d1997d481e4454ecdd55b0559f371b40e31f29956f7f66f4c5713923802b8fa82edb44001cda15a71c751518f52ad73783 |
memory/2624-46-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/1192-45-0x0000000002290000-0x00000000025E4000-memory.dmp
C:\Windows\system\lWGttPN.exe
| MD5 | 779c25bc7ff4afd18873c62f6c5b28a0 |
| SHA1 | 6fbcdef2861205447523566dd115c76bc98c1a80 |
| SHA256 | 0bf5e3522b2a7586fff86fff52db4523cb62975433076bc97293bd3d7f745a41 |
| SHA512 | d085d2c275840ce23e06fe40cf0fa514685c41c9d3abcc6e2aa0c1b3d4b7958d6c1f23103969737f393e27d3332278b0a7d6b6b27cfd377a9650fea9374ba08b |
memory/1192-38-0x0000000002290000-0x00000000025E4000-memory.dmp
memory/2716-145-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/1192-144-0x000000013F240000-0x000000013F594000-memory.dmp
memory/1192-33-0x0000000002290000-0x00000000025E4000-memory.dmp
memory/3064-28-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/1192-27-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/1192-19-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2312-15-0x000000013F380000-0x000000013F6D4000-memory.dmp
memory/1192-14-0x0000000002290000-0x00000000025E4000-memory.dmp
memory/2512-146-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/1192-147-0x0000000002290000-0x00000000025E4000-memory.dmp
memory/1192-148-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2872-149-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2312-150-0x000000013F380000-0x000000013F6D4000-memory.dmp
memory/2892-152-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/3064-151-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2568-158-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/2716-159-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2748-157-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/2624-156-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2772-155-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/2644-154-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/2728-153-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/2932-160-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2512-162-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/1960-161-0x000000013F640000-0x000000013F994000-memory.dmp
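The Files section mixes two kinds of entries: memory dump names of the form memory/PID-SEQ-START-END-memory.dmp and dropped-file paths followed by hash rows. Read together they say more than the individual lines: almost every dumped region is the same size, and pid 1192 (whose index-0 dump opens the list, so it is most likely the submitted sample) has dumps at the same addresses as the children's image regions, which lines up with the WriteProcessMemory signature. Below is an added parser for this section, not part of the sandbox report; the excerpt it runs on is copied from the entries above (SHA512 rows left out of the excerpt), and the regexes and function names are this example's own.

```python
"""Parse the Files section of the report into memory regions and hash IOCs.

Added example, not code from the sandbox.  REPORT_EXCERPT is a constructed
subset of the entries above; SHA512 rows are omitted to keep it short.
"""
import re
from collections import Counter, defaultdict

REPORT_EXCERPT = r"""
memory/1192-0-0x000000013F600000-0x000000013F954000-memory.dmp
memory/1192-1-0x0000000000080000-0x0000000000090000-memory.dmp
memory/2872-9-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/1192-8-0x0000000002290000-0x00000000025E4000-memory.dmp
memory/2892-22-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/1192-19-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/3064-28-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/1192-27-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2312-15-0x000000013F380000-0x000000013F6D4000-memory.dmp
C:\Windows\system\wjTZEmX.exe
| MD5 | e1e79e4f2eaa8ae7a8fa602fe0103e1a |
| SHA1 | 8fc90a207ece14b0f41ad4cfa57a509a7f7ca563 |
| SHA256 | df161a878acafb5f11e3750c81340d93c0ad25c886d60d0c0177233309b9f338 |
\Windows\system\viCpNks.exe
| MD5 | e967fe5b0250873008cb8ee34f9f4dbd |
| SHA1 | 9a06a2993eb0ea0f1335609c73faa77a2596ce43 |
| SHA256 | dcc3b717986cf625e04888c83b8e865eca6b62307132c1110233a1c114dcbfc7 |
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Digest part is '*' rather than '+' so a truncated row still parses and is caught below.
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]*)\s*\|$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return (regions, hashes): regions as (pid, seq, start, end),
    hashes as {dropped-file path: {algo: hex digest}}."""
    regions, hashes, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                hashes[current][m.group(1)] = m.group(2).lower()
            continue
        # Anything else is a dropped-file path.  The report prints some paths
        # without a drive letter, so they are kept verbatim as keys.
        current = line
        hashes.setdefault(current, {})
    return regions, hashes


def region_sizes(regions):
    """Histogram of region sizes; one image mapped in many processes shows up as one dominant size."""
    return Counter(end - start for _, _, start, end in regions)


def ranges_shared_with_children(regions, parent_pid):
    """Ranges dumped from parent_pid that another pid also has at exactly the same address."""
    parent = {(s, e) for p, _, s, e in regions if p == parent_pid}
    shared = defaultdict(set)
    for p, _, s, e in regions:
        if p != parent_pid and (s, e) in parent:
            shared[(s, e)].add(p)
    return dict(shared)


def malformed_digests(hashes):
    """Digests whose length does not fit the algorithm: a truncated or garbled report."""
    return [(path, algo, len(d)) for path, algos in hashes.items()
            for algo, d in algos.items() if len(d) != DIGEST_LEN[algo]]


def ioc_rows(hashes):
    """(basename, sha256) pairs for a blocklist; entries without a SHA256 are skipped."""
    return sorted((path.rsplit("\\", 1)[-1], algos["SHA256"])
                  for path, algos in hashes.items() if "SHA256" in algos)


if __name__ == "__main__":
    regions, hashes = parse_files_section(REPORT_EXCERPT)
    print("region sizes:", {hex(k): v for k, v in region_sizes(regions).items()})
    print("1192 shares:", ranges_shared_with_children(regions, 1192))
    print("malformed:", malformed_digests(hashes))
    print("iocs:", ioc_rows(hashes))
```

On the excerpt every region except the 64 KB one at 0x80000 in pid 1192 is exactly 0x354000 bytes, the size one would expect if each dropped executable is the same packed image relocated to a different base, and pid 1192 carries copies of the 2892 and 3064 image ranges at identical addresses. The length check on digests is there because the drive-letter-less paths show this section was extracted rather than exported; a silently truncated hash would otherwise end up in a blocklist.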