Analysis Overview
SHA256
a211816f3d87545a1962f50902bfb93e03a82a7f88b8c203babd645d5cee23dd
Threat Level: Known bad
The file 2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike family
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Xmrig family
XMRig Miner payload
Cobaltstrike
XMRig Miner payload
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 02:26
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 02:26
Reported
2024-06-01 02:29
Platform
win7-20240508-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\bZBcKzc.exe | N/A |
| N/A | N/A | C:\Windows\System\xjkEfSI.exe | N/A |
| N/A | N/A | C:\Windows\System\LBbcrKJ.exe | N/A |
| N/A | N/A | C:\Windows\System\pXXqDPk.exe | N/A |
| N/A | N/A | C:\Windows\System\nLcrwxV.exe | N/A |
| N/A | N/A | C:\Windows\System\dcglPUa.exe | N/A |
| N/A | N/A | C:\Windows\System\aKezGQi.exe | N/A |
| N/A | N/A | C:\Windows\System\zOKwBQx.exe | N/A |
| N/A | N/A | C:\Windows\System\ivunZda.exe | N/A |
| N/A | N/A | C:\Windows\System\PzwpBvI.exe | N/A |
| N/A | N/A | C:\Windows\System\nCcGIFX.exe | N/A |
| N/A | N/A | C:\Windows\System\OpCbVIq.exe | N/A |
| N/A | N/A | C:\Windows\System\vwMwavL.exe | N/A |
| N/A | N/A | C:\Windows\System\XCfbCIl.exe | N/A |
| N/A | N/A | C:\Windows\System\SDZChUs.exe | N/A |
| N/A | N/A | C:\Windows\System\smizcLM.exe | N/A |
| N/A | N/A | C:\Windows\System\DqqUGoO.exe | N/A |
| N/A | N/A | C:\Windows\System\aWwiPwM.exe | N/A |
| N/A | N/A | C:\Windows\System\eThapiE.exe | N/A |
| N/A | N/A | C:\Windows\System\zodSnjL.exe | N/A |
| N/A | N/A | C:\Windows\System\zvgxOzs.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\bZBcKzc.exe
C:\Windows\System\bZBcKzc.exe
C:\Windows\System\xjkEfSI.exe
C:\Windows\System\xjkEfSI.exe
C:\Windows\System\LBbcrKJ.exe
C:\Windows\System\LBbcrKJ.exe
C:\Windows\System\pXXqDPk.exe
C:\Windows\System\pXXqDPk.exe
C:\Windows\System\dcglPUa.exe
C:\Windows\System\dcglPUa.exe
C:\Windows\System\nLcrwxV.exe
C:\Windows\System\nLcrwxV.exe
C:\Windows\System\aKezGQi.exe
C:\Windows\System\aKezGQi.exe
C:\Windows\System\zOKwBQx.exe
C:\Windows\System\zOKwBQx.exe
C:\Windows\System\ivunZda.exe
C:\Windows\System\ivunZda.exe
C:\Windows\System\PzwpBvI.exe
C:\Windows\System\PzwpBvI.exe
C:\Windows\System\nCcGIFX.exe
C:\Windows\System\nCcGIFX.exe
C:\Windows\System\OpCbVIq.exe
C:\Windows\System\OpCbVIq.exe
C:\Windows\System\vwMwavL.exe
C:\Windows\System\vwMwavL.exe
C:\Windows\System\XCfbCIl.exe
C:\Windows\System\XCfbCIl.exe
C:\Windows\System\SDZChUs.exe
C:\Windows\System\SDZChUs.exe
C:\Windows\System\smizcLM.exe
C:\Windows\System\smizcLM.exe
C:\Windows\System\DqqUGoO.exe
C:\Windows\System\DqqUGoO.exe
C:\Windows\System\aWwiPwM.exe
C:\Windows\System\aWwiPwM.exe
C:\Windows\System\eThapiE.exe
C:\Windows\System\eThapiE.exe
C:\Windows\System\zodSnjL.exe
C:\Windows\System\zodSnjL.exe
C:\Windows\System\zvgxOzs.exe
C:\Windows\System\zvgxOzs.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1036-0-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/1036-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\bZBcKzc.exe
| MD5 | bdf795eb141a0ecb33eb3f53b38d1132 |
| SHA1 | d2ab9a825acba8aa230aa176e9e20d5c8348960f |
| SHA256 | 344d4030fb9fcc662462c67f0a5af2a794b5e759050a8bf2712e1e19d7d102a3 |
| SHA512 | 37f7ce7a52d85c2cad39c537936ab86d28a69af7f2b69abc7a5177a217d94f09b4b7afdece901e787a4bf85dd751dc77057b721933df7ea53471a25cecc86eef |
memory/2860-8-0x000000013FDF0000-0x0000000140144000-memory.dmp
\Windows\system\xjkEfSI.exe
| MD5 | 6a20f7d5346fffe5e21de3b8e026186c |
| SHA1 | 71161180fac08740e09902ca3d7c6cd061c26f35 |
| SHA256 | 992efb97a7bebdc127fb5f0e32a181736cc3ad6be5d0ef91e28fa09779f66d48 |
| SHA512 | 1e0e6802b613440cad229fd26b20e3660c155d7dc7edfcad9f1ce066a0ebf9a60e5fbd4c094adadcf64349b01ec76e069d6f4cab7fc9d8928801964b3b111e2b |
memory/1036-11-0x000000013F8F0000-0x000000013FC44000-memory.dmp
C:\Windows\system\LBbcrKJ.exe
| MD5 | 3f42e911022ce096230ad0c8f4a416a2 |
| SHA1 | 513ae265a1944cbd51a9681a2c68055d51f72553 |
| SHA256 | b33615ec51873e23c4378aa26b88c38b4aa64625344d976823b7065db0520098 |
| SHA512 | 5ecde2c413116b5c01c7ce752a4e38962bee81ab565df123042be4236a6fa36c8ac0dc65dcc22f59fc756bbf6c7e64433665b63ae545581a535ee60dfedf0d7d |
C:\Windows\system\pXXqDPk.exe
| MD5 | 9ebc43eddf1817c0e0d7e8a837424166 |
| SHA1 | 588ccaf50e983806377108111aba97e31edf5ac3 |
| SHA256 | 35bd96971a1adb3ab31d3ca1cbb767a3c0b8dc62a625b8dbdd193da1ccb17be3 |
| SHA512 | 2a994e6698cacbd8fdbc9418813ac56889ba33c003ce73a503bb546fe71d1c6cff1554006c969fd59a24ecb2817cfcf35b2087b05bbcd4912c60041438785812 |
\Windows\system\nLcrwxV.exe
| MD5 | b168e024d14945b488567a1377a3cf16 |
| SHA1 | 8f5f9d1d4d02e9717c8974e964fc4ee228588466 |
| SHA256 | 07c7e759c09765e4b70352829a4bf469265496acbc41fe08ec15698110403505 |
| SHA512 | 5e27387b8d8a710243c1df0152dfa7a193196368f718d9091e9448ea64f494e34ab20beb40c2ca922b1b22f656500538e7e189ace8c9b6cba47209e937442493 |
memory/1036-39-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
C:\Windows\system\dcglPUa.exe
| MD5 | 502a1f68665756007c0bcf346702b13f |
| SHA1 | 65b0cd798c140848c6cc5e190d5efc9416f82ccf |
| SHA256 | 13e3836116de8887561cbc6091e33227df7b3a19c0d39f10f5c48401d8252f23 |
| SHA512 | 3de516a417a54f7373f3410f8c9fc26da0ef035adec334f09f6d12a28064a603e329f4887e891858d70a0a4243913679e0fc002aa56bc7ecfbd2b7f22cf3197f |
memory/2680-40-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/2576-20-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/1036-36-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/1036-33-0x0000000002400000-0x0000000002754000-memory.dmp
memory/1036-23-0x000000013F850000-0x000000013FBA4000-memory.dmp
C:\Windows\system\zOKwBQx.exe
| MD5 | 8213e6932656ab2391af223acc55f415 |
| SHA1 | d3d8bd22fcd3e98ef16497623d0878425732e093 |
| SHA256 | b3593a598523e5499437b2aa838a7bf0b16e4c30a205ae8343f998241693c2a0 |
| SHA512 | a029fa54f350f1cf5878372a022df026e3c6976ed81c057995595acaa572b31a7e13e19f8ce9395d467cef8985940861587e8bacc9486268f27e0456a26bdcbb |
memory/1036-65-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/1664-74-0x000000013F5D0000-0x000000013F924000-memory.dmp
C:\Windows\system\OpCbVIq.exe
| MD5 | 646df2377bd1d973faf8039b6c1b4339 |
| SHA1 | 8f628623bfc814a27688903a725eae54b2f55607 |
| SHA256 | 29a7f7f9cc61502861951e5604e30e85e01856630a2b868329f76749c6af4579 |
| SHA512 | a91f26e81a5b5296c823b273b48e18884c49fef27a68df75027eed98d975ffcf97fdf2fbf88184687c511202b2da2583aba545197702f9bab6069d396d11fc4a |
memory/620-88-0x000000013F6F0000-0x000000013FA44000-memory.dmp
C:\Windows\system\XCfbCIl.exe
| MD5 | 3cfdafbb87b737304ea9384884c5b0c4 |
| SHA1 | 218d1c5368991caa67b34031d8786dd4355e9fab |
| SHA256 | 2d5915ee6c17b68343d22deddbd2cb7c9e40ec1ce58f4dca3d080fb00bd23d54 |
| SHA512 | bfa7841e552e8b1768ed0df1286fbc4180c838cc24300613178bceacc65da9c9b1369a6ee76cfc4eaf1f947579cac2458089633d97445d25608321bc53c0f9a6 |
memory/1780-101-0x000000013FD80000-0x00000001400D4000-memory.dmp
C:\Windows\system\aWwiPwM.exe
| MD5 | 8d322c43341778598176737c2197b5ec |
| SHA1 | cb5733dd54dbc12f7ae22b14b44bd9344d067f8d |
| SHA256 | df44521c8a6491639e67c777c1771c822412f6ee22c864b4d2f1c0569df257c1 |
| SHA512 | 34eb3469265b04a404bde881779a827126effa1c85e21bd67850e63b9b3078f9a1da51e8584ffeba83b5d8b5a8c96f39646ca355e533a57cc79562bb0b0f2eb7 |
\Windows\system\zvgxOzs.exe
| MD5 | 2fb8631c8009f7858c034313122615d9 |
| SHA1 | 28ae6c60e9f854a84217671efd9157b6b321dee1 |
| SHA256 | 18cadf7532312a7644c6afe1d5546e3e97eb8105521aa519fae6087d352853fd |
| SHA512 | 7a47336aceda7f37891deec7a3be54669c9f465c67203835f6e4120b82715044b6cc5dbfe11c327aa9f4b9e93f0f083265b65afc20eae3052e6e0ca5c9d5c730 |
C:\Windows\system\eThapiE.exe
| MD5 | d2a2f07ff92391072e4b1fdfeb12049d |
| SHA1 | d415581d9f34ef6a86b311adc90ae2a0cde7d36e |
| SHA256 | be9e7281bb17909de9374356d52d2c5dd273ec4ac279d984e29e69285d01221d |
| SHA512 | dbf3fc0154a3a02a04575058cc3eec3d7285099e133103a7e75ff4ea712ce5e33fca7e91287f3aa8053d487343e2db1f6e5e063b0943cd27e2b3077e55300f36 |
C:\Windows\system\zodSnjL.exe
| MD5 | f31516ab1c05692400741243805ad203 |
| SHA1 | 744798c3c10236318417a5d421ae14d5ebb8ceaf |
| SHA256 | 59c84dfd798a1406b2d4e2cb046b9e9183cb4d901257cca37522d0a50c065779 |
| SHA512 | e025025e92f49661b058ae5f67c4ddcc32822d9e53fb55135e54f2c4c5a09e2270cabdb57a5e4c8636d1e95d4bfb5b72ac80e73666584dea378697927f266715 |
C:\Windows\system\DqqUGoO.exe
| MD5 | 36bf6dac6004e748ef1d5bb50bac67ab |
| SHA1 | 5cfeb1f9045cc408716c0e2e90b474848bebd884 |
| SHA256 | a68251d02741faf31211f17aaed9cc580e5fbd80ab0552b3c98584143bbe87e7 |
| SHA512 | 39784ac905e3c268f8ab30ab13d8795b6c2f8ea51e0ff6f2541c9638e71bc8a151274af70fbe5ed0e7b579e684ecd50fb89f38589dbc97aa43269ccd4b325123 |
C:\Windows\system\SDZChUs.exe
| MD5 | 1967caf5093ca39cf2073e3e12192120 |
| SHA1 | d9b6e5c55c252b81da899d56124fdbfbc332720b |
| SHA256 | cf6abeced2fb3646d23e2d351c5c14f7cda0dc113af7d1999c8300e130046881 |
| SHA512 | b58ebbe207085fc273a7cb90b7b48dc08e2cfae25bfa68e2a13e0fbfb97c23bf416e7642218a6585ef495f8a78b3b548c692c2241db17135f54610a55624c42a |
memory/1036-108-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2556-107-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2872-140-0x000000013FAD0000-0x000000013FE24000-memory.dmp
C:\Windows\system\smizcLM.exe
| MD5 | 9070590d875fff4aa8fa0e20e25c74f0 |
| SHA1 | d058bc9f4104c5ce94bb94d6e7e644af69f31429 |
| SHA256 | 21d8dcf18d725373a6177804f3251afe0b37bfee37d0b61a5e6dc59e86b124e9 |
| SHA512 | 538e8d4bc8d69d6a6b60093338e302fa1858122bad8ddd2424368a94ee2789c50b32059d2d2d7c8b1c7d6d891c39226139886389d1c0308514232209c8923e2e |
memory/2420-96-0x000000013F690000-0x000000013F9E4000-memory.dmp
C:\Windows\system\vwMwavL.exe
| MD5 | dc219ee98ac78f692226d21b8240f632 |
| SHA1 | 93570aff8e687202739756fdd9aef97f80b2b9fb |
| SHA256 | d62fc57ad1f7e38cbc3877d3d93fef6eed73c0bb51519ac999675578ab902a58 |
| SHA512 | 4d428140183c0868fecbb6bc735f5d13e84c478d7e69457a56cbb60f8ff0773b5aa5ddeed50a6a3099b470f2b95b5147729a534c2cbefb8e6e4b1920a68fb7bf |
memory/1036-92-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/1036-87-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/1604-82-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2464-142-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/1036-141-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/1036-81-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2664-80-0x000000013F850000-0x000000013FBA4000-memory.dmp
C:\Windows\system\nCcGIFX.exe
| MD5 | 5bd13186f2337b0899ee6230de844dce |
| SHA1 | a3d51b6dfa71740bb74024682ee40d4d90fccdc9 |
| SHA256 | 7015169b09866f3d8546297cc81d4d259c7f2a93e766d13e9c85fdd1e65e9b2b |
| SHA512 | 0acd15b76d5638798cbb69f05e49c36f2aa92764e5c9c3e9503f15dd352c9b3d69496afc6610ba3bff6fc344316071d5649df1ea13508a9c5d8593545e9bae54 |
memory/1036-73-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2576-72-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2852-66-0x000000013F9E0000-0x000000013FD34000-memory.dmp
C:\Windows\system\ivunZda.exe
| MD5 | 4f5504a9f0d585c5d63fc17bd982f1fb |
| SHA1 | 6a7d295dd68c60e6589de0608fcd745757913a2f |
| SHA256 | 0f41ca0fee510b1bab01186baa67defa9a7e308caddaf13e433d42b99a840bbd |
| SHA512 | 5f0b77d94337f6ff40e24a58f347cb3457e4d2551cb6e1486042340ee40835952f6fb3900d3826374d68e0f4918938c014618f59a2dc0a18aa4c3ab8399479b4 |
C:\Windows\system\PzwpBvI.exe
| MD5 | dac102cebf9d643780a175f1ba30b162 |
| SHA1 | cb9ffbf7bdb6869c1d1e264fc52f53eaa4b37d35 |
| SHA256 | 4fa15cda6f4c12d99f1798609ae86fafe41f23309fb0d5dd271297818c05a5ff |
| SHA512 | 88880c6a63ad243cc819d9fb578a131351be1d2482d8b8a74368a04019c8d1908b45850ad867cdc5d691c6eae2b36d8d9401ab517b010797fdc2bd4ffa0979fa |
memory/2852-144-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/1036-143-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2464-59-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/1036-58-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2524-57-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2872-51-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/1036-50-0x000000013F8F0000-0x000000013FC44000-memory.dmp
C:\Windows\system\aKezGQi.exe
| MD5 | d259f496469bb7be69df4f7dc9100943 |
| SHA1 | c76a3da28fa720bf0415e4efecf768fff3fd81a6 |
| SHA256 | aa47225c930f30661a459c395651b7b7dd2c912e1bc4982ae41405afb9771131 |
| SHA512 | 095a54f9f3adf1558908ce3b3bf6be7919b79daa3eca5312a59e68476782e0e0c3fe0b05cee493950af0088743be0b1582f66990d20c40736ad935e7747f9903 |
memory/2556-47-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2860-46-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/1036-45-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2664-30-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/1036-18-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/1664-146-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/1036-145-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/1604-148-0x000000013F320000-0x000000013F674000-memory.dmp
memory/1036-147-0x0000000002400000-0x0000000002754000-memory.dmp
memory/1036-149-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/620-150-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/1036-151-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2420-152-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/1036-153-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/1780-154-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2860-155-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2524-156-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2664-157-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2576-158-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2680-159-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/2556-160-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2872-161-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/2464-162-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2852-163-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/1664-164-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/1604-165-0x000000013F320000-0x000000013F674000-memory.dmp
memory/620-166-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2420-167-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/1780-168-0x000000013FD80000-0x00000001400D4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 02:26
Reported
2024-06-01 02:29
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UEFJhyr.exe | N/A |
| N/A | N/A | C:\Windows\System\IJxwbze.exe | N/A |
| N/A | N/A | C:\Windows\System\BZRSQpD.exe | N/A |
| N/A | N/A | C:\Windows\System\hPQNOLF.exe | N/A |
| N/A | N/A | C:\Windows\System\xSmvYNd.exe | N/A |
| N/A | N/A | C:\Windows\System\GwsmVkY.exe | N/A |
| N/A | N/A | C:\Windows\System\jkTPMho.exe | N/A |
| N/A | N/A | C:\Windows\System\OsnwzEG.exe | N/A |
| N/A | N/A | C:\Windows\System\mjLANlW.exe | N/A |
| N/A | N/A | C:\Windows\System\jpNQjnD.exe | N/A |
| N/A | N/A | C:\Windows\System\mXQIaXh.exe | N/A |
| N/A | N/A | C:\Windows\System\OwLCBAZ.exe | N/A |
| N/A | N/A | C:\Windows\System\qfgZdcn.exe | N/A |
| N/A | N/A | C:\Windows\System\brUSiyA.exe | N/A |
| N/A | N/A | C:\Windows\System\czEPjyg.exe | N/A |
| N/A | N/A | C:\Windows\System\SjFrNsO.exe | N/A |
| N/A | N/A | C:\Windows\System\WpXuGxv.exe | N/A |
| N/A | N/A | C:\Windows\System\gdmazGA.exe | N/A |
| N/A | N/A | C:\Windows\System\IMoAAxN.exe | N/A |
| N/A | N/A | C:\Windows\System\VMOLuqB.exe | N/A |
| N/A | N/A | C:\Windows\System\kIQLHlK.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe"
Network
Files