Analysis Overview
SHA256
cca4bfa4f0a43fda6b2362704760d62e9bbc9c7fa60d66dd73b29f70f450d1ce
Threat Level: Known bad
The file 2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
xmrig
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Xmrig family
XMRig Miner payload
Cobalt Strike reflective loader
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 00:32
Signatures
Cobalt Strike reflective loader
1 match; description, indicator, process and target were not captured in this report.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match; description, indicator, process and target were not captured in this report.
UPX dump on OEP (original entry point)
1 match; description, indicator, process and target were not captured in this report.
XMRig Miner payload
1 match; description, indicator, process and target were not captured in this report.
Xmrig family
UPX packed file
1 match; description, indicator, process and target were not captured in this report.
Unsigned PE
1 match; description, indicator, process and target were not captured in this report.
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 00:32
Reported
2024-06-01 00:34
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; description, indicator, process and target were not captured in this report.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; description, indicator, process and target were not captured in this report.
UPX dump on OEP (original entry point)
64 matches; description, indicator, process and target were not captured in this report.
XMRig Miner payload
64 matches; description, indicator, process and target were not captured in this report.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\IMGfHfd.exe | N/A |
| N/A | N/A | C:\Windows\System\zjHMvUc.exe | N/A |
| N/A | N/A | C:\Windows\System\rPAPjPI.exe | N/A |
| N/A | N/A | C:\Windows\System\mjuHzQK.exe | N/A |
| N/A | N/A | C:\Windows\System\KzHuCuY.exe | N/A |
| N/A | N/A | C:\Windows\System\dAzmTul.exe | N/A |
| N/A | N/A | C:\Windows\System\oXIFNVU.exe | N/A |
| N/A | N/A | C:\Windows\System\OMCymCG.exe | N/A |
| N/A | N/A | C:\Windows\System\nteFmYg.exe | N/A |
| N/A | N/A | C:\Windows\System\OXivdMJ.exe | N/A |
| N/A | N/A | C:\Windows\System\YNfGhGY.exe | N/A |
| N/A | N/A | C:\Windows\System\sNccuAy.exe | N/A |
| N/A | N/A | C:\Windows\System\obJvWOq.exe | N/A |
| N/A | N/A | C:\Windows\System\kDeQZSW.exe | N/A |
| N/A | N/A | C:\Windows\System\ICrOyOp.exe | N/A |
| N/A | N/A | C:\Windows\System\lzdgTZH.exe | N/A |
| N/A | N/A | C:\Windows\System\bHKntbb.exe | N/A |
| N/A | N/A | C:\Windows\System\dBSTeWl.exe | N/A |
| N/A | N/A | C:\Windows\System\IACfwoW.exe | N/A |
| N/A | N/A | C:\Windows\System\IwQpjtY.exe | N/A |
| N/A | N/A | C:\Windows\System\gXnETnq.exe | N/A |
UPX packed file
64 matches; description, indicator, process and target were not captured in this report.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\IMGfHfd.exe
C:\Windows\System\IMGfHfd.exe
C:\Windows\System\zjHMvUc.exe
C:\Windows\System\zjHMvUc.exe
C:\Windows\System\rPAPjPI.exe
C:\Windows\System\rPAPjPI.exe
C:\Windows\System\mjuHzQK.exe
C:\Windows\System\mjuHzQK.exe
C:\Windows\System\KzHuCuY.exe
C:\Windows\System\KzHuCuY.exe
C:\Windows\System\dAzmTul.exe
C:\Windows\System\dAzmTul.exe
C:\Windows\System\oXIFNVU.exe
C:\Windows\System\oXIFNVU.exe
C:\Windows\System\OMCymCG.exe
C:\Windows\System\OMCymCG.exe
C:\Windows\System\nteFmYg.exe
C:\Windows\System\nteFmYg.exe
C:\Windows\System\OXivdMJ.exe
C:\Windows\System\OXivdMJ.exe
C:\Windows\System\YNfGhGY.exe
C:\Windows\System\YNfGhGY.exe
C:\Windows\System\sNccuAy.exe
C:\Windows\System\sNccuAy.exe
C:\Windows\System\obJvWOq.exe
C:\Windows\System\obJvWOq.exe
C:\Windows\System\kDeQZSW.exe
C:\Windows\System\kDeQZSW.exe
C:\Windows\System\ICrOyOp.exe
C:\Windows\System\ICrOyOp.exe
C:\Windows\System\bHKntbb.exe
C:\Windows\System\bHKntbb.exe
C:\Windows\System\lzdgTZH.exe
C:\Windows\System\lzdgTZH.exe
C:\Windows\System\dBSTeWl.exe
C:\Windows\System\dBSTeWl.exe
C:\Windows\System\IACfwoW.exe
C:\Windows\System\IACfwoW.exe
C:\Windows\System\IwQpjtY.exe
C:\Windows\System\IwQpjtY.exe
C:\Windows\System\gXnETnq.exe
C:\Windows\System\gXnETnq.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2968-0-0x00007FF6A6920000-0x00007FF6A6C74000-memory.dmp
memory/2968-1-0x00000208A8050000-0x00000208A8060000-memory.dmp
C:\Windows\System\IMGfHfd.exe
| MD5 | 4ec11e717d41f5f11f382fda587e6940 |
| SHA1 | 55568acedea52eec497a2bde9e2e8a92e6719728 |
| SHA256 | 8844199e1d64d1086bb52d4cb773443c104ad71d8f1e9952c1935e2b5604fb4c |
| SHA512 | bc3e7f31a07faf522c5631d2a6fe92bffbcb0b18169124219c8ef5b8e9a692a535a124973301188238f5ec1a714484ee86573dd1f285a9a93638c6a3be452758 |
C:\Windows\System\zjHMvUc.exe
| MD5 | 3c01e170710c2ca1b72b34439eef8be6 |
| SHA1 | 307d51a6856c3046cae3527691fe463e147e45d8 |
| SHA256 | fb49ee3c01386c618592e6ba6f9d1b50e8ea6e464e68aaa3dbdcb78dacdbaf97 |
| SHA512 | f8decc6c9c390bd003230bf5e620bcc11368b931b58ddd75cc1d8193cf42e2171fc179406df815e36b97b387d060a93a713295171f0c51e804715e4217b15e97 |
C:\Windows\System\rPAPjPI.exe
| MD5 | 44f7eb60c3ec02ba3be8f2fab7de5487 |
| SHA1 | fd978fa62ee5c26567e49f97cdd921af50248c85 |
| SHA256 | aefd3efb296d0ac39ef0f55203d9499b9aaf13072fe2e00d9eed82495f7ce731 |
| SHA512 | b139b71ad988890557d792d6d0ac62c2f623765c30c509f4bfffb09d136d9c5af27a879e235c06158554be9bae87a1cec54dfcdaee8c02721303039212be018d |
memory/3740-25-0x00007FF7828E0000-0x00007FF782C34000-memory.dmp
C:\Windows\System\mjuHzQK.exe
| MD5 | 3b1f5000148f4a6d8bfdfcfc73c51f4a |
| SHA1 | 0b1115cd58dfa0fbbb974be41066f36a0058a29f |
| SHA256 | 85858479a938fa748cc87e153968a78b87cbc48ef66f65c293172a986d38ef6b |
| SHA512 | 1803e1c6fe25820544cefcad52687dad7674ed364bc056e0afc7e00e4ecdd460bd4ca61adaa05d876bbdf6a0bb44a29ac7c8aac5cb1e9f86c6da63b911df8e09 |
C:\Windows\System\dAzmTul.exe
| MD5 | 60a6c3fee6862201e6dac742cd1feeee |
| SHA1 | b3b8b9fe1bb4fd317baa0f036d8dbd8a0ec85f4c |
| SHA256 | 3b2e20cf90537c01ba8d5b545df6b17d2804f869fc2723c03b557a578ed44988 |
| SHA512 | 57456d10c544e7d77568039215a9ae8108b610ebf1731918eb503915c0e0a6c6e576cbea9f4c90fedbb5fdfaea62e57b598278d26cfa73bae3f21e448a84036f |
C:\Windows\System\oXIFNVU.exe
| MD5 | c9a1d13b355164b12ba61b9314c281a8 |
| SHA1 | 66c4777dd4a9e20aa265fd5027287e416f155154 |
| SHA256 | 0b0512a16dd97d7b82b8a00504e985480577253ac6559ffeb3d63a9a20aec8f3 |
| SHA512 | a675063ec7ff1ebf70b7e32f97fe81d5168bb7ffc6a11477af9bacdb74e8bbfb1534cbae171f6f7ec13fa34f9f8c04586b9d2fb02a580e208ce967ebd43f7054 |
C:\Windows\System\nteFmYg.exe
| MD5 | f2f3260cc76592544cb6b5d9f2b28c1f |
| SHA1 | 915c9bd39465f829f702961dc1334dfb8bcee443 |
| SHA256 | 7a3e75430ceee7090d5742f149f4d30f0246ea191ee502f5a0673e4fc706b75a |
| SHA512 | 6761095833cfcab93645006a222e12db9a728f5bccd0824b08ab54aa5c4ff748061748c2c552f62ea2609454db81c601173b6a870fdc6508776231db951d352f |
memory/4512-54-0x00007FF7F2000000-0x00007FF7F2354000-memory.dmp
memory/4904-53-0x00007FF745930000-0x00007FF745C84000-memory.dmp
C:\Windows\System\OMCymCG.exe
| MD5 | d3a6c1b14106368e95adf2aa86cd6717 |
| SHA1 | ccf737b534eba31f840cae357651a2545ea4caa1 |
| SHA256 | 9398037d4c76ee236694afc027f06a79152f97060c6df6c3ebd39f89c82148e0 |
| SHA512 | 35c836cb74f51ed1d994d2d5ee413f4b8ee32d8e08293f3f43172a1fdb39fabe97a8ce6bf4154f91bcde4c96628bd627d99825ddd336bc1ac5359fe8c0862583 |
memory/2940-48-0x00007FF634EF0000-0x00007FF635244000-memory.dmp
memory/3840-44-0x00007FF6CFC80000-0x00007FF6CFFD4000-memory.dmp
memory/564-42-0x00007FF7E13C0000-0x00007FF7E1714000-memory.dmp
memory/3592-41-0x00007FF7BF660000-0x00007FF7BF9B4000-memory.dmp
C:\Windows\System\KzHuCuY.exe
| MD5 | e57762736c9536c18a0d4e99e75fadd4 |
| SHA1 | 4255b7ae160ef5f9cd60004fb3e666c494f45ec9 |
| SHA256 | cc1c16b42b05cb7216f5b3fb53789dab9e75eca21db12987dba00d776d12ef69 |
| SHA512 | d4c8a4dfab3125e4daff952f3d2415d0ddc77dbbef64838dcfb470a541ed168ce4547d5e3fe15ef757c1654ae140525e571a0024cc642098577b985b9d660fc5 |
memory/4932-21-0x00007FF78DEE0000-0x00007FF78E234000-memory.dmp
memory/4768-15-0x00007FF7AEB10000-0x00007FF7AEE64000-memory.dmp
C:\Windows\System\OXivdMJ.exe
| MD5 | 4ff731363d840945a35397940d49a14b |
| SHA1 | 60fe36c99226d090e4d9b7eee525f2613eb1c53d |
| SHA256 | 6fb3ec50e6f594314cdc067b0a70b264f673554ecee8d4d33f97f7745d16dc93 |
| SHA512 | 8e15516554471bfa872f62e501f56d40a7db7514a525c0cd6a35bd8502f1bb5ccea274667e9444b00790a90995b1717c6d8a767fb84836f20b578465a7eb6966 |
memory/3348-60-0x00007FF6A0A70000-0x00007FF6A0DC4000-memory.dmp
C:\Windows\System\YNfGhGY.exe
| MD5 | f2de52387f86444895abf431220b2ce1 |
| SHA1 | 5c10000a4f08f3e6cd292c857064874824f49403 |
| SHA256 | ab103f09f8a371532168214375ea7f1d53c83e102aa009f544c0751978ce7126 |
| SHA512 | ad0d4d2499a9a06c7348c7dea7c1d34d7dce555bb393d970821b2485efdaecc8c11b170f6209cab3a3455f17230e806468aa184bb53622c13f25c04623c2c9f7 |
memory/1228-66-0x00007FF666D00000-0x00007FF667054000-memory.dmp
C:\Windows\System\sNccuAy.exe
| MD5 | d7afe95a0e90ca8fa1fcfa71522bbf80 |
| SHA1 | 73d49a2164b71daf3aa73ce83505008a2a1a04e3 |
| SHA256 | 2752e057c4d0bb20c29d634afa30b22d6a51bbfafbcbf87891e9c2633bb49011 |
| SHA512 | 48c0dc9bd4d0c7d10f5c8122219b2cb37e7a52c991d48050dccf66442b0c0465306e3ff9b5e8aa127913bfd4f8302511f57dddef0e1e32cc43b12e7383e02eba |
memory/1216-74-0x00007FF6D0DB0000-0x00007FF6D1104000-memory.dmp
C:\Windows\System\obJvWOq.exe
| MD5 | cdb320bb855d23ae8b19f70e5c668c44 |
| SHA1 | cdcd2a52d6faf9fc490eee8fcdfad6e16f6c7139 |
| SHA256 | d4f5d75deb40d2bad3d91998ee13f56089e822ebeed1a4dbbb5cd571bacbb705 |
| SHA512 | 3360afa4137f07ca485dff204af3b2ae2882c66eac746f648e3cab5b4bab28fd1bd03e1df0b9d799a8a2b4ce3c4e5e872fc849379185fc704f05cee078d50ba4 |
memory/704-80-0x00007FF706460000-0x00007FF7067B4000-memory.dmp
C:\Windows\System\kDeQZSW.exe
| MD5 | 42ea0c9d2295c1d067a23eb5292ae1a5 |
| SHA1 | cbfe6f7606a333c60063d91cd5a2f94e700f61c8 |
| SHA256 | 16b45e7e650e88f8c8a14311f6e1939c08b8b366a12b578c4057001991ae5c3f |
| SHA512 | 528dbdbb4593c0c2005297fd49522665d58d549caf09bd63c77d8e05b79b249b3c3547c1b3857b9fea09e6f01a465914cea85d2780b4d609d7c22574b7bcc266 |
C:\Windows\System\lzdgTZH.exe
| MD5 | 1e12f7d3aea495c9e6f3dc1b94009b2c |
| SHA1 | f13b7c56a991151b8079988c3c3566f5a5d35584 |
| SHA256 | e660ec83d5e7221f936bf7c24dfc8a71408b60e450a0aac6e51e27d04158a5eb |
| SHA512 | a082b973d45d51ae36db5454d97a0da3fe25b5caef9f80636d493d1cc2609acc7d1c0f511ac776d3c29602de9aba314d0d312cd7479a739939d4a6004c1504d6 |
C:\Windows\System\bHKntbb.exe
| MD5 | 2b340e898d947006fe0b4c296c2bc6de |
| SHA1 | 3defae3b5213f674ddf642fd4fbe298a5450d379 |
| SHA256 | 27dbd43af11a0ca7bf30a7501ac7a50851bdcd2960a568f96d0e53fc8372d767 |
| SHA512 | 71d01e71b05d3c88f1338a7f0d02fccad4f95d44dd98aefbea71fd547461eaf718abc1696297272b144213723dcac8a0b670d329d8ba22caf0ba22b6923aa864 |
C:\Windows\System\dBSTeWl.exe
| MD5 | ebb32630365a7d6730550d8197b8741c |
| SHA1 | a19ac6ad7553ddc55848d65f372eebcf238b7748 |
| SHA256 | 00a3404738eeb9fdb63ca4700ffa0c1acb00c7043df389feb626f26511e2f1c7 |
| SHA512 | 8357c899e54c0feb5a22ccab57e2df2553932c1ec3a2220da2a2f730e89722e94ed8170217fbd2d5a4f1c32548d017ee17fd05477076569e9020af847bc26b82 |
memory/1924-109-0x00007FF722670000-0x00007FF7229C4000-memory.dmp
C:\Windows\System\IACfwoW.exe
| MD5 | 4108c5d7740e8f70d359e7554d79c782 |
| SHA1 | 9411c95287c41db5af312cc3afd02066b34d173e |
| SHA256 | 414578a5bcc69fa9b550735b68c3bad4b0dadbce6cdd2c65d131453c4a604e4a |
| SHA512 | 8f3e7b87ed9634fe0b0e65f77c1b079a0d47bb889c5a7c6275653e6bfaa4840ff13fd3fc189b10d2f1eb911efdc6776095c29612d77ede4c24e8f9cc89d59bb3 |
memory/2596-116-0x00007FF761F80000-0x00007FF7622D4000-memory.dmp
C:\Windows\System\gXnETnq.exe
| MD5 | c138c7c2e8febbe1e31975ae82fc44cf |
| SHA1 | 7dfa7bef0ef3906fa124c82b4a76a95b31f3f527 |
| SHA256 | e60fd70c639b948e2f3b72584b655b5c0dc44e25924f96812722752917a27c5c |
| SHA512 | 4959006274f926b4b574f02710b569d1178b2c41c92cadb6cf1638f5eeb48e262752b383f69202e397afd071c11cac02cf87838cee40dc5913cdc2a2aed7a1e9 |
C:\Windows\System\IwQpjtY.exe
| MD5 | 03bcc13922121dd6b7dfc0791f17132d |
| SHA1 | 27a9b6e7059a23cb710747cb5f27a74ef02c05a3 |
| SHA256 | c945ffc9a464fa721cc2b5eca0b489727edf4c06c2ca34bf3928ed7722690732 |
| SHA512 | 21fe2295dd58cef199cca4c4b5cf5fc01c10c4e7f3f46bb5c2b5144bc077dfffa981b50f99611351b7110dbddd5d6df383dc309d9ad63901b28a037fc96f8ea3 |
memory/1692-120-0x00007FF75C080000-0x00007FF75C3D4000-memory.dmp
memory/1592-112-0x00007FF633910000-0x00007FF633C64000-memory.dmp
memory/1296-108-0x00007FF688150000-0x00007FF6884A4000-memory.dmp
memory/3344-100-0x00007FF698230000-0x00007FF698584000-memory.dmp
C:\Windows\System\ICrOyOp.exe
| MD5 | 7606e4a28cb007e97ca502c595822637 |
| SHA1 | 0a597ae9c7f0e0279b4d2696dcce407bab308a0a |
| SHA256 | f85f1d6f5d1492af6204966887fe02ffb8b2a0691957408798bfdc2ae33cfecd |
| SHA512 | 33f6ba2d496148af5d308146949540dec8a94b06163e410687a981a6da52edf5d5584371db850cdd0b7d932897abf8bfefda9bc793ecc6882ce8e8838ada6b3b |
memory/2968-91-0x00007FF6A6920000-0x00007FF6A6C74000-memory.dmp
memory/4932-94-0x00007FF78DEE0000-0x00007FF78E234000-memory.dmp
memory/4904-127-0x00007FF745930000-0x00007FF745C84000-memory.dmp
memory/1392-129-0x00007FF68DAD0000-0x00007FF68DE24000-memory.dmp
memory/4008-128-0x00007FF698130000-0x00007FF698484000-memory.dmp
memory/3840-131-0x00007FF6CFC80000-0x00007FF6CFFD4000-memory.dmp
memory/4512-132-0x00007FF7F2000000-0x00007FF7F2354000-memory.dmp
memory/3348-133-0x00007FF6A0A70000-0x00007FF6A0DC4000-memory.dmp
memory/1228-134-0x00007FF666D00000-0x00007FF667054000-memory.dmp
memory/1296-135-0x00007FF688150000-0x00007FF6884A4000-memory.dmp
memory/1924-136-0x00007FF722670000-0x00007FF7229C4000-memory.dmp
memory/1592-137-0x00007FF633910000-0x00007FF633C64000-memory.dmp
memory/1692-138-0x00007FF75C080000-0x00007FF75C3D4000-memory.dmp
memory/4008-139-0x00007FF698130000-0x00007FF698484000-memory.dmp
memory/4768-140-0x00007FF7AEB10000-0x00007FF7AEE64000-memory.dmp
memory/3740-141-0x00007FF7828E0000-0x00007FF782C34000-memory.dmp
memory/4932-142-0x00007FF78DEE0000-0x00007FF78E234000-memory.dmp
memory/3592-143-0x00007FF7BF660000-0x00007FF7BF9B4000-memory.dmp
memory/2940-144-0x00007FF634EF0000-0x00007FF635244000-memory.dmp
memory/564-145-0x00007FF7E13C0000-0x00007FF7E1714000-memory.dmp
memory/4904-147-0x00007FF745930000-0x00007FF745C84000-memory.dmp
memory/4512-146-0x00007FF7F2000000-0x00007FF7F2354000-memory.dmp
memory/3840-148-0x00007FF6CFC80000-0x00007FF6CFFD4000-memory.dmp
memory/3348-149-0x00007FF6A0A70000-0x00007FF6A0DC4000-memory.dmp
memory/1216-150-0x00007FF6D0DB0000-0x00007FF6D1104000-memory.dmp
memory/1228-151-0x00007FF666D00000-0x00007FF667054000-memory.dmp
memory/704-152-0x00007FF706460000-0x00007FF7067B4000-memory.dmp
memory/3344-153-0x00007FF698230000-0x00007FF698584000-memory.dmp
memory/2596-154-0x00007FF761F80000-0x00007FF7622D4000-memory.dmp
memory/1924-155-0x00007FF722670000-0x00007FF7229C4000-memory.dmp
memory/1296-156-0x00007FF688150000-0x00007FF6884A4000-memory.dmp
memory/1692-158-0x00007FF75C080000-0x00007FF75C3D4000-memory.dmp
memory/1392-157-0x00007FF68DAD0000-0x00007FF68DE24000-memory.dmp
memory/1592-159-0x00007FF633910000-0x00007FF633C64000-memory.dmp
memory/4008-160-0x00007FF698130000-0x00007FF698484000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 00:32
Reported
2024-06-01 00:34
Platform
win7-20240419-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; description, indicator, process and target were not captured in this report.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; description, indicator, process and target were not captured in this report.
UPX dump on OEP (original entry point)
63 matches; description, indicator, process and target were not captured in this report.
XMRig Miner payload
64 matches; description, indicator, process and target were not captured in this report.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FkmAxEk.exe | N/A |
| N/A | N/A | C:\Windows\System\nAOEtln.exe | N/A |
| N/A | N/A | C:\Windows\System\QYYkaEF.exe | N/A |
| N/A | N/A | C:\Windows\System\MbRxepY.exe | N/A |
| N/A | N/A | C:\Windows\System\uYSzhNe.exe | N/A |
| N/A | N/A | C:\Windows\System\TrUyFMZ.exe | N/A |
| N/A | N/A | C:\Windows\System\mmKVVfK.exe | N/A |
| N/A | N/A | C:\Windows\System\vFQCpAl.exe | N/A |
| N/A | N/A | C:\Windows\System\uoRnUIg.exe | N/A |
| N/A | N/A | C:\Windows\System\sJmqyGe.exe | N/A |
| N/A | N/A | C:\Windows\System\CBzqmLd.exe | N/A |
| N/A | N/A | C:\Windows\System\svglGRI.exe | N/A |
| N/A | N/A | C:\Windows\System\hTljCJw.exe | N/A |
| N/A | N/A | C:\Windows\System\HyYlTuI.exe | N/A |
| N/A | N/A | C:\Windows\System\JeGQDzF.exe | N/A |
| N/A | N/A | C:\Windows\System\SbWbmsY.exe | N/A |
| N/A | N/A | C:\Windows\System\VyPpxEc.exe | N/A |
| N/A | N/A | C:\Windows\System\gxnLWxf.exe | N/A |
| N/A | N/A | C:\Windows\System\PaJSGVF.exe | N/A |
| N/A | N/A | C:\Windows\System\BEjTuwT.exe | N/A |
| N/A | N/A | C:\Windows\System\UefhLkZ.exe | N/A |
Loads dropped DLL
UPX packed file
63 matches; description, indicator, process and target were not captured in this report.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe | N/A |
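In both detonations the sample enables SeLockMemoryPrivilege ("Lock pages in memory"), the right XMRig requests when it wants huge pages for its hash loop. The detection below is an added example and not part of the report: it scans records laid out like Windows Security Event 4703 ("A user right was adjusted") and counts enables of that privilege per image, ignoring an allowlist. The records are constructed; the field names follow the 4703 layout but are an assumption to be matched against your collector's schema, and the sqlservr.exe path is an illustrative placeholder.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Detection for "Suspicious use of AdjustPrivilegeToken": a process enabling
# SeLockMemoryPrivilege, which is rarely legitimate on a workstation and is
# what a miner needs for huge pages.

TARGET_PRIVILEGE = "SeLockMemoryPrivilege"

# Images that legitimately hold the right on many servers (SQL Server keeps its
# buffer pool locked). Extend this from your own baseline, and prefer keying on
# full path plus signer in production: a basename is trivial to spoof.
ALLOWED_IMAGES = {"sqlservr.exe"}

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe")

# Constructed records in the layout of Security Event 4703: the privilege
# fields are whitespace-separated lists, "-" meaning none (assumed field names).
SAMPLE_4703: List[Dict[str, str]] = [
    {"EventID": "4703", "ProcessName": SAMPLE_EXE,
     "EnabledPrivileges": "SeLockMemoryPrivilege", "DisabledPrivileges": "-"},
    {"EventID": "4703", "ProcessName": SAMPLE_EXE,
     "EnabledPrivileges": "SeLockMemoryPrivilege", "DisabledPrivileges": "-"},
    {"EventID": "4703",
     "ProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "EnabledPrivileges": "SeLockMemoryPrivilege\nSeIncreaseWorkingSetPrivilege",
     "DisabledPrivileges": "-"},
    {"EventID": "4703", "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivileges": "SeImpersonatePrivilege", "DisabledPrivileges": "-"},
    {"EventID": "4703", "ProcessName": r"C:\Windows\System32\lsass.exe",
     "EnabledPrivileges": "-", "DisabledPrivileges": "SeLockMemoryPrivilege"},
]

SPLIT = re.compile(r"[\s,]+")


def privileges(field: str) -> List[str]:
    """Split a 4703 privilege field into privilege names; '-' means none."""
    return [p for p in SPLIT.split(field.strip()) if p and p != "-"]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rpartition("\\")[2].lower()


def lock_memory_alerts(records: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count SeLockMemoryPrivilege enables per image outside the allowlist."""
    hits: Counter = Counter()
    for rec in records:
        if rec.get("EventID") != "4703":
            continue
        if TARGET_PRIVILEGE not in privileges(rec.get("EnabledPrivileges", "")):
            continue                      # disabling the right is not interesting
        image = rec.get("ProcessName", "")
        if basename(image) in ALLOWED_IMAGES:
            continue
        hits[image] += 1
    return dict(hits)


if __name__ == "__main__":
    for image, count in lock_memory_alerts(SAMPLE_4703).items():
        print(f"{count}x {TARGET_PRIVILEGE} enabled by {image}")
```

Event 4703 is only written when the corresponding policy-change audit subcategory is enabled and is noisy on Windows 10, so filter on the privilege name as close to the collector as possible. Two alerts for the same image, as here, mirror the two signature rows above.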
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\FkmAxEk.exe
C:\Windows\System\FkmAxEk.exe
C:\Windows\System\nAOEtln.exe
C:\Windows\System\nAOEtln.exe
C:\Windows\System\QYYkaEF.exe
C:\Windows\System\QYYkaEF.exe
C:\Windows\System\MbRxepY.exe
C:\Windows\System\MbRxepY.exe
C:\Windows\System\uYSzhNe.exe
C:\Windows\System\uYSzhNe.exe
C:\Windows\System\TrUyFMZ.exe
C:\Windows\System\TrUyFMZ.exe
C:\Windows\System\mmKVVfK.exe
C:\Windows\System\mmKVVfK.exe
C:\Windows\System\vFQCpAl.exe
C:\Windows\System\vFQCpAl.exe
C:\Windows\System\sJmqyGe.exe
C:\Windows\System\sJmqyGe.exe
C:\Windows\System\uoRnUIg.exe
C:\Windows\System\uoRnUIg.exe
C:\Windows\System\CBzqmLd.exe
C:\Windows\System\CBzqmLd.exe
C:\Windows\System\svglGRI.exe
C:\Windows\System\svglGRI.exe
C:\Windows\System\hTljCJw.exe
C:\Windows\System\hTljCJw.exe
C:\Windows\System\HyYlTuI.exe
C:\Windows\System\HyYlTuI.exe
C:\Windows\System\JeGQDzF.exe
C:\Windows\System\JeGQDzF.exe
C:\Windows\System\SbWbmsY.exe
C:\Windows\System\SbWbmsY.exe
C:\Windows\System\VyPpxEc.exe
C:\Windows\System\VyPpxEc.exe
C:\Windows\System\gxnLWxf.exe
C:\Windows\System\gxnLWxf.exe
C:\Windows\System\PaJSGVF.exe
C:\Windows\System\PaJSGVF.exe
C:\Windows\System\BEjTuwT.exe
C:\Windows\System\BEjTuwT.exe
C:\Windows\System\UefhLkZ.exe
C:\Windows\System\UefhLkZ.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\FkmAxEk.exe
| MD5 | 2fa3fb4c1fc35c70b917e4c935ae08fb |
| SHA1 | b42b6dadf98b0a9f22c3a8da10fcb0ddc1940a8f |
| SHA256 | e3433dfb9bbc873ecb4fa9e9d0af814888a889a2b36b8031a9a1efe4e0cbd9ab |
| SHA512 | e3fd48448ac35fcb5ea5e14cca489d1f8a45b52f4b8d67d08061c2e40891173ad401d5671b071bc189b709673a1f29dc8c3413061e4103fe713738dafceb9a56 |
\Windows\system\nAOEtln.exe
| MD5 | f33b4dddfe72b1eb6825eadcbcb3f746 |
| SHA1 | 5fa7f4edfa48ec6367f078546cd250a00ed9d887 |
| SHA256 | 11528cbb4c1d8ed1931421bfc4848b8d268ea5b455721936510e0d726153fdf7 |
| SHA512 | 0c1d8a63a5de62969fa1d810b0f221ba75f6f3f77c6aac0410a61773833e5b58cca56263d70106915f81abb39cc4921cefc79cfb1dea6e84b42190b58ca0b39e |
C:\Windows\system\QYYkaEF.exe
| MD5 | b971d7a0d33d39f947e9eea7f72f59b6 |
| SHA1 | 37b813cfe76bcfb02b460d5541b755da1039f181 |
| SHA256 | 63920a860cb2a2b81a7e5964133323c7343ff428802f974de937afc54d39d363 |
| SHA512 | 834fd22707f0c8f91b7b38dd22909e99f58065bad3214f8ead12b564d8427d18334677e98bbac4458404263105310ae6ed9e4b926751486adfd02dfb42ed82a2 |
C:\Windows\system\uYSzhNe.exe
| MD5 | d6b920a896c8e68105e436db589a081a |
| SHA1 | 4a617256a85ef98bb6d219fac1e21d109657f354 |
| SHA256 | e8f648e5c0ac7768050db1704f7da44d7f9c3f2f3bb3ee13e4f79f80cf922f89 |
| SHA512 | aebfc47c80db9c7975bd692d01dbc2d27994cc55736006b72fd245f99ef986c02f3ee0662ea13cbdcb63e253dfc8748f07bf1259617d9233707c29b477e4b89c |
C:\Windows\system\MbRxepY.exe
| MD5 | 4d92dd77d7b93a26aff1db9dc0ce6fc1 |
| SHA1 | f5876b93651d3fb1cb1da81861402fb61bdcd215 |
| SHA256 | cd65824bdb9df17d47ceebb672c95510ca254658172cff393fb2eb85b46a04de |
| SHA512 | a89b9ed588e2524be10258a0463d1e317cb26fb847fee7a723df93ae6990de4f689cc18dcfe692b8cb6569def30c2e26fc24a7f5709ac81435f1c1307cd04cfa |
C:\Windows\system\TrUyFMZ.exe
| MD5 | 026145a1e02d70adc5c3037c82206d84 |
| SHA1 | 72af845368177641507cdad91bb4de2a6281d66b |
| SHA256 | 008fca83f42787bd8cba30930bc98d78f84602dc3a3db16732ce1c38c1a94933 |
| SHA512 | 6fe299a55f239cfb0c7727bbc59c2fa86f6752a9c05f1fc1e546aa6457bdf824642b9386879244c5538a07a9a0dabd30f222349bc1adc882f1c6e5ed8df02033 |
\Windows\system\uoRnUIg.exe
| MD5 | 3a4af91ef29297f29bf1409fd348a66a |
| SHA1 | feca1fffe27114b34ee0bfefa19343875833b303 |
| SHA256 | 0a7888f7453e62735bafcc9375adf12f78be97f87d908d2c59f1af87fec34585 |
| SHA512 | 523a5188030731f7efa5e801a4c6f2980ca65bcbf7bd3a1533914c96a5d1f3f9ae9eea846cdd32703349753dd7c413520f76793b77b8990d4d9a52cf8ee9318e |
\Windows\system\mmKVVfK.exe
| MD5 | 24236efda85f76b9955e8311c627aa99 |
| SHA1 | ba54e1daafc761a6815361c514e891e0fff3b4df |
| SHA256 | 0afcb9ce81096a23f5262506e12d34ca7dbd0bba9e3792769ddf12ce1d0a315f |
| SHA512 | 28657e0633cebb82e6e1a2c00f45efad1fb9e945c23c0f7c77d7c3633ae5f294f1bb40abc59a99dcfe0630f5f29765bb183838924eea3b42199f9597dad478b7 |
C:\Windows\system\vFQCpAl.exe
| MD5 | eb1a3e8b66d8c37bfcc47aa86ee3f62e |
| SHA1 | 79f2cc6c21ebe7eac33627f7d92c1070bbc88a50 |
| SHA256 | 53966012b3269d4ccfd2e787da5d01a424a4730d094483828561cd2f98b41d06 |
| SHA512 | 744a295fba7dc234a4bc58bcc21398caed645548d038fc5e2cfdd08a0cf205680fc2187dc1a3272e1e12debea93d7221de2db04e9e599114ba1eb3ab7afd2557 |
C:\Windows\system\CBzqmLd.exe
| MD5 | a933b963295c79358766d57ad5ac6034 |
| SHA1 | 4f838409cc78082438f39f09dab926fd7fcb3fe9 |
| SHA256 | 60bdb1f264890f38a92ea7f09b8ac11764924bb5794072db2b6a74f2c7d38c62 |
| SHA512 | 9d415b76325b270b226e1fa0db12428922daf69d3db5a891a6582973f105cab9cccd234d15e5888686d2143f19355519de76b7a7da16e5b13ccf510aa08b4175 |
C:\Windows\system\sJmqyGe.exe
| MD5 | e58f4bbe6e35c515c399cbc2762f8d64 |
| SHA1 | 6ab8c0fc0564847bf7a6216be3b047f4586dd554 |
| SHA256 | 04f88c0a032db0d7dabbee95bb7de8fc03edb5dc247e87f8c1feb5b1eea8f5e3 |
| SHA512 | d9950590a3f7875639865eb20b125abf5186c408f0e95feda5616a32ccab8b28a86ca801544302e6bb095721eea86961a91644294f8c5de9fd9cc3fc0093195b |
\Windows\system\svglGRI.exe
| MD5 | 4b01037ecb53788672ac5aca7e009191 |
| SHA1 | 9ef2d12264c092ef12059a5b54a225c33ef53617 |
| SHA256 | 7c6cb53e802603841a064c8340d12a5b63d4af482116c0fc8fb8d5a7aa0be18e |
| SHA512 | 07d1efa478f9b4e6a09f8fbb5d425cfcea2ad0c1fc2902931cbf36e50e517f91fc8dec90dff443ff99ce95a4b066a85a921a0157bbd080bb4963b3361c95e605 |
C:\Windows\system\hTljCJw.exe
| MD5 | d87f9f56a8a7acd109668aeceb10197a |
| SHA1 | d02cac39e8fe0b85a97ca4d9a6221381cbd98bc8 |
| SHA256 | df63815eb86c09e36a58e83851014c4cb06ecb4bc00bc8211b6a5ed678e4249b |
| SHA512 | 5fa52d382ecb36aecfcb2b7147a0e7e5a9c1169bf72b1319ff5951f249f1ec3d93da481b54193baaa26c35c9e1cc2478c4ac01702a3306d5fbe7f3d455522a04 |
C:\Windows\system\HyYlTuI.exe
| MD5 | 4d4a55d4c5a67e31948746f611235129 |
| SHA1 | 519177a2bcca1df365f306d87b155aa92b92dfa0 |
| SHA256 | 01194ef15d03543b103dd042c260fb5f4fd6638c46ea2a14570b2c354bf3781b |
| SHA512 | 88366d6ebdf2fe1ad959cbd513d714ea8ae8bb5546c0cf11df62ad4d3a0c6511d6779ef2e4031c1cfd174f0c4fdac4f56f3c386014d06de402f39cdaf0558e20 |
\Windows\system\UefhLkZ.exe
| MD5 | 107a542680a3cac679459f9c76d3bd32 |
| SHA1 | f995be0a376cded62343a481c8316b3d8ef8a40a |
| SHA256 | f2e02d332fccdb846c3cf1fb3815a26b82fb637805b0d7805fef4e8546eb9e7a |
| SHA512 | ec8a4e45fa00f4f1290bab361632cdc6b8dfe9d87d87f3cb4c5ce955990ee99379d5d6f5b71a65e21d5c88babaf8882b08c05c69e05fa0c5fc5897bb957edc6a |
C:\Windows\system\PaJSGVF.exe
| MD5 | 7a985fb91afcb086bc82c5e42b273d88 |
| SHA1 | 217cff9360aea03e8188cc93dbe0487b4dff1c3a |
| SHA256 | 9d7355a7bd58dd8958e061d2306eaa9daa4777405fc801a120e4e23e8c676e09 |
| SHA512 | ac667426476b1d69efd8b4109ff5bc5d63ba1d17788d5546fcc6b800f3e7db4173d4995bee715771af19a91af2538d2f159f9704aaada3ecb67d107f9b6d5208 |
C:\Windows\system\BEjTuwT.exe
| MD5 | 9bb976c5e11ce23370a83c19dd3621d4 |
| SHA1 | 09e090b82989cfeb19c80e27df2fe7202830227b |
| SHA256 | 83dcde576e01acd8b5ab5fb84678a5f54ff3c4dc161101bea00bafdc53fb8ef2 |
| SHA512 | 2a487339bd0246d68d21f473610380947de70b181d82e137cc2ca7aef25ee1e0aa6ea7e3b7bed3285e713dfdaf57733eb61f02cad3b6cc6dd77faada176ea961 |
C:\Windows\system\VyPpxEc.exe
| MD5 | 48c2b12e1fb7f27e17e16d8d14b3e71f |
| SHA1 | 3081e20a33c35064ba4ec45104686fdcf79b92e2 |
| SHA256 | 43fb81a57099ddf3c046b892896fdbc60e463d03d94e3441969f8841c8ecc31c |
| SHA512 | 0958fab851b541a05f98c97c98c3586fc71b6ea510c856af56124b9a2bf742b575f19b04beeb4d8e5c92d2b1d86ac6d054ee23f60888c80a5b0062ead3d3bd72 |
C:\Windows\system\gxnLWxf.exe
| MD5 | 03a41ce0ad6b16aea26aade8ae2100d3 |
| SHA1 | 7fc9032a13710592b1b9e60efbbf3842a335a25a |
| SHA256 | c5ffe0baf99f13e6d4bc40e500afdcf74ce506d0650f59472879a7372a451c84 |
| SHA512 | d197d7a0b07d15b2e76b5a41042cc456be5eb551830005b24291055d43c8dc6c0c1eecb426c78b70f1b74964755ef11b14332e9b9d4256761bf971850ca10274 |
C:\Windows\system\SbWbmsY.exe
| MD5 | 13381a96e5a5b9c7ab0406bca980cdcd |
| SHA1 | 482ebb11c01b6626bbb37d74e0a7c55101cdb816 |
| SHA256 | 636c79f86fff413525e030478212443ae4209a463524564f655ea66404ba7b20 |
| SHA512 | e1a80e385dd3af6dabac10a42ad8d0a281ae7b08ce6b111dab4c7b179dc4b06dfc1117a603a1d525d234b6f5b779c33ae560511b5e0396034dcaac716f32687b |
C:\Windows\system\JeGQDzF.exe
| MD5 | 42c44e7d9f98eb898828396688adb76e |
| SHA1 | a195c6ce85fc700d881c0eaf8ebf0273fd421129 |
| SHA256 | dc940099b270941a29b5181a7e9ba7819e2f5046df985add3261b0a61569051b |
| SHA512 | 49ec42c13e3a5a7f9c6e21cf37603a263b19cad849269bf4adf52c042c3c55e0a4a04ef11f3f979a9ec7d5f77e317a3f12ceaf894867b4fff5d5aeb9b1efa3ec |