Analysis Overview
SHA256
cd34b8e00cb45d08dc75220bd1662e5d3ea507767e299be0e2a5f1372f13835a
Threat Level: Known bad
The file 2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Cobaltstrike
XMRig Miner payload
Cobaltstrike family
Xmrig family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-01 03:10
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 03:10
Reported
2024-06-01 03:12
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\BnjdsRe.exe | N/A |
| N/A | N/A | C:\Windows\System\AlNImhh.exe | N/A |
| N/A | N/A | C:\Windows\System\gPvoOtE.exe | N/A |
| N/A | N/A | C:\Windows\System\gEwOPZC.exe | N/A |
| N/A | N/A | C:\Windows\System\OWtJYXw.exe | N/A |
| N/A | N/A | C:\Windows\System\vvCbclK.exe | N/A |
| N/A | N/A | C:\Windows\System\Prfefkt.exe | N/A |
| N/A | N/A | C:\Windows\System\qRDWWeX.exe | N/A |
| N/A | N/A | C:\Windows\System\tGcyBse.exe | N/A |
| N/A | N/A | C:\Windows\System\hSozHdm.exe | N/A |
| N/A | N/A | C:\Windows\System\qZCBKrp.exe | N/A |
| N/A | N/A | C:\Windows\System\NsatQWA.exe | N/A |
| N/A | N/A | C:\Windows\System\ceMJisU.exe | N/A |
| N/A | N/A | C:\Windows\System\QRPxZAK.exe | N/A |
| N/A | N/A | C:\Windows\System\dRTJSFl.exe | N/A |
| N/A | N/A | C:\Windows\System\pChntBH.exe | N/A |
| N/A | N/A | C:\Windows\System\WrqGOZO.exe | N/A |
| N/A | N/A | C:\Windows\System\JCTchQi.exe | N/A |
| N/A | N/A | C:\Windows\System\zLwjeqD.exe | N/A |
| N/A | N/A | C:\Windows\System\PGOZoVV.exe | N/A |
| N/A | N/A | C:\Windows\System\OzMWeof.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\BnjdsRe.exe | C:\Windows\System\BnjdsRe.exe |
| C:\Windows\System\AlNImhh.exe | C:\Windows\System\AlNImhh.exe |
| C:\Windows\System\gPvoOtE.exe | C:\Windows\System\gPvoOtE.exe |
| C:\Windows\System\gEwOPZC.exe | C:\Windows\System\gEwOPZC.exe |
| C:\Windows\System\OWtJYXw.exe | C:\Windows\System\OWtJYXw.exe |
| C:\Windows\System\vvCbclK.exe | C:\Windows\System\vvCbclK.exe |
| C:\Windows\System\Prfefkt.exe | C:\Windows\System\Prfefkt.exe |
| C:\Windows\System\qRDWWeX.exe | C:\Windows\System\qRDWWeX.exe |
| C:\Windows\System\tGcyBse.exe | C:\Windows\System\tGcyBse.exe |
| C:\Windows\System\hSozHdm.exe | C:\Windows\System\hSozHdm.exe |
| C:\Windows\System\qZCBKrp.exe | C:\Windows\System\qZCBKrp.exe |
| C:\Windows\System\NsatQWA.exe | C:\Windows\System\NsatQWA.exe |
| C:\Windows\System\ceMJisU.exe | C:\Windows\System\ceMJisU.exe |
| C:\Windows\System\QRPxZAK.exe | C:\Windows\System\QRPxZAK.exe |
| C:\Windows\System\dRTJSFl.exe | C:\Windows\System\dRTJSFl.exe |
| C:\Windows\System\pChntBH.exe | C:\Windows\System\pChntBH.exe |
| C:\Windows\System\WrqGOZO.exe | C:\Windows\System\WrqGOZO.exe |
| C:\Windows\System\JCTchQi.exe | C:\Windows\System\JCTchQi.exe |
| C:\Windows\System\zLwjeqD.exe | C:\Windows\System\zLwjeqD.exe |
| C:\Windows\System\PGOZoVV.exe | C:\Windows\System\PGOZoVV.exe |
| C:\Windows\System\OzMWeof.exe | C:\Windows\System\OzMWeof.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 03:10
Reported
2024-06-01 03:12
Platform
win7-20240221-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\yKHxaym.exe | N/A |
| N/A | N/A | C:\Windows\System\gCUIkGk.exe | N/A |
| N/A | N/A | C:\Windows\System\xYLJxjB.exe | N/A |
| N/A | N/A | C:\Windows\System\GESEuxR.exe | N/A |
| N/A | N/A | C:\Windows\System\yvwOCqB.exe | N/A |
| N/A | N/A | C:\Windows\System\teYnOEx.exe | N/A |
| N/A | N/A | C:\Windows\System\FOiCnDr.exe | N/A |
| N/A | N/A | C:\Windows\System\qWkjVac.exe | N/A |
| N/A | N/A | C:\Windows\System\LFWcPEu.exe | N/A |
| N/A | N/A | C:\Windows\System\XKSaZUC.exe | N/A |
| N/A | N/A | C:\Windows\System\VrXqyZJ.exe | N/A |
| N/A | N/A | C:\Windows\System\NZeDknR.exe | N/A |
| N/A | N/A | C:\Windows\System\VWwxOea.exe | N/A |
| N/A | N/A | C:\Windows\System\nMKSTVw.exe | N/A |
| N/A | N/A | C:\Windows\System\etqLXzB.exe | N/A |
| N/A | N/A | C:\Windows\System\geBjeaM.exe | N/A |
| N/A | N/A | C:\Windows\System\FqkXkDb.exe | N/A |
| N/A | N/A | C:\Windows\System\OdwWnYd.exe | N/A |
| N/A | N/A | C:\Windows\System\DGEzedP.exe | N/A |
| N/A | N/A | C:\Windows\System\MGodZsc.exe | N/A |
| N/A | N/A | C:\Windows\System\AWhvAZY.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\yKHxaym.exe | C:\Windows\System\yKHxaym.exe |
| C:\Windows\System\gCUIkGk.exe | C:\Windows\System\gCUIkGk.exe |
| C:\Windows\System\xYLJxjB.exe | C:\Windows\System\xYLJxjB.exe |
| C:\Windows\System\GESEuxR.exe | C:\Windows\System\GESEuxR.exe |
| C:\Windows\System\yvwOCqB.exe | C:\Windows\System\yvwOCqB.exe |
| C:\Windows\System\teYnOEx.exe | C:\Windows\System\teYnOEx.exe |
| C:\Windows\System\FOiCnDr.exe | C:\Windows\System\FOiCnDr.exe |
| C:\Windows\System\XKSaZUC.exe | C:\Windows\System\XKSaZUC.exe |
| C:\Windows\System\qWkjVac.exe | C:\Windows\System\qWkjVac.exe |
| C:\Windows\System\VrXqyZJ.exe | C:\Windows\System\VrXqyZJ.exe |
| C:\Windows\System\LFWcPEu.exe | C:\Windows\System\LFWcPEu.exe |
| C:\Windows\System\NZeDknR.exe | C:\Windows\System\NZeDknR.exe |
| C:\Windows\System\VWwxOea.exe | C:\Windows\System\VWwxOea.exe |
| C:\Windows\System\nMKSTVw.exe | C:\Windows\System\nMKSTVw.exe |
| C:\Windows\System\etqLXzB.exe | C:\Windows\System\etqLXzB.exe |
| C:\Windows\System\geBjeaM.exe | C:\Windows\System\geBjeaM.exe |
| C:\Windows\System\FqkXkDb.exe | C:\Windows\System\FqkXkDb.exe |
| C:\Windows\System\MGodZsc.exe | C:\Windows\System\MGodZsc.exe |
| C:\Windows\System\OdwWnYd.exe | C:\Windows\System\OdwWnYd.exe |
| C:\Windows\System\AWhvAZY.exe | C:\Windows\System\AWhvAZY.exe |
| C:\Windows\System\DGEzedP.exe | C:\Windows\System\DGEzedP.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2080-0-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/2080-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\yKHxaym.exe
| MD5 | ec7e098d8ae23e6383dc6aade506d171 |
| SHA1 | 8f067b44a9f9447b562ede87fbcebad01b10074e |
| SHA256 | badf5529e3ab85404048343dbf17c159d465155459e5ec2c53cc9adb55383b1d |
| SHA512 | 1dc2c30c373a65ebeb7fc52ab6c2eb23aa380cf9f6004d9f49cef684ffb681fdf3614ccd63c46a95825b8eb55639eb0538d1ab360135e1fac592f15b93940375 |
C:\Windows\system\xYLJxjB.exe
| MD5 | 7169cfd39b226188f48cbaded6150d1c |
| SHA1 | 8867c34eefd16b0171b4e8055dc74e1160626bff |
| SHA256 | ead91792a8ec3ec00ad6fa4ea51ed8e5bee0ce292505e701052441784007a203 |
| SHA512 | 33c4114a3d2cb4426941eb5b62a21a49ad43a265298fa9060939e9b50b65454d4f317fbb8e7c0181d6e4abd81e3f1ff5da3ca4315f3df8aebc3e9586f147db0a |
memory/2636-15-0x000000013F6C0000-0x000000013FA14000-memory.dmp
C:\Windows\system\gCUIkGk.exe
| MD5 | 98e7106fd0d105ea4823bf2f2b6c92f6 |
| SHA1 | e2ee5ccd85eada979cb9988def7d2c76a48b47dd |
| SHA256 | a37a5b5b76f0c565bcbcea12bb5ca952c12ca5089e9408ebe8e443adeac38c51 |
| SHA512 | d92de766c780658d9ae7660d9ad0eb110d49ed58782b15cc07a46039e72e66b71d529cbc3fe3a1dd1d5cfac0623312545cc87295dc20a7fbeaad829886a9d00b |
memory/3064-20-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2580-22-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2080-21-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2080-18-0x0000000002420000-0x0000000002774000-memory.dmp
C:\Windows\system\GESEuxR.exe
| MD5 | 4f04421412367079bb9c4faaae839599 |
| SHA1 | 5f16a02f9a4154d9477a4dc2323d30b7e8ba3370 |
| SHA256 | a9e58667933291717f3c651bb9e03f0033acd37406f1bc990eaf827e4bba38c3 |
| SHA512 | 1e594c1deedc19750c8187a8f1c5dee7fe4d441eca5aee53e1373ad7fb98390c817a792560751867fd2f54fe8c84065ace36a7b23dd0edbe9272707b8ce56222 |
C:\Windows\system\yvwOCqB.exe
| MD5 | d80fcea7ad56329e8f1185514cc16833 |
| SHA1 | 9f5711ec8e0540377ea80673dffa93b5b420eb1d |
| SHA256 | 3c23e83855be266fdcf96e5b0c8339fd34abf30ffef90974ec40b460b7710f0d |
| SHA512 | 47c26bc4ec28dc5f1245d0a22d37204e4b32ba9062e886ab56ab47d223179097b4bf0797ee43cf12b004dba342ba37b5e154bfaf9a93e6ddef6e0350b2c902a0 |
memory/2736-28-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2584-36-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2772-65-0x000000013F3E0000-0x000000013F734000-memory.dmp
C:\Windows\system\VrXqyZJ.exe
| MD5 | 6374cf0f07b50c32579e3d4525f38842 |
| SHA1 | 9f4bc0e15c49fee1cd16a75d35d02890cd24325d |
| SHA256 | cae7cf0b2d35041194e357ec8654062f0a7f0e206084164a8910d57edadbc8a8 |
| SHA512 | 3361c0f944f45e4a9cd60016af44157e46ff914355ef0dbaed36f363c0424cfd80a8226bc57a1dac71fae0cb76b7820e1ec0f10ae7838e9adc02ac11a8682c99 |
C:\Windows\system\teYnOEx.exe
| MD5 | 61c3bf8566d1eb27b2a29a5abd7df277 |
| SHA1 | c246715d82719ce38da49d52f98b7968e8afb06a |
| SHA256 | 359b52df7e88592c7fb1c136d724ae20a1855ffb82ff0f33695125e58183cd93 |
| SHA512 | b750dec555e36696c4db2b546be14a61aa3c1d69a6badddcf3d4f8d670133c30d8e4825725013d2727492988f9b5aba9c0c8629b4e239235f505f7514095146e |
\Windows\system\LFWcPEu.exe
| MD5 | bbda182e20d9a03ac5128bfa72cf9f83 |
| SHA1 | 640fd716e9f335ec1ebb5f14123235b507795c1e |
| SHA256 | dd2517ddc63c7e629cce0b2081c439c5dbfa9df417491c2d9af898abf83c9a90 |
| SHA512 | 46e0ec902706cc8d702ba73981b953b0f2bd1f5ee6117c6762675ec1f683e05c56ff7a49315b75885d1ab623c842321cdfa4ab76e6b68f7a899a31dd71c327a3 |
memory/2080-56-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2844-55-0x000000013FE40000-0x0000000140194000-memory.dmp
C:\Windows\system\qWkjVac.exe
| MD5 | 9ac55b898874895b21957b868123e330 |
| SHA1 | 46295b46ac98d92d926ebeeab2745aff8a4f62f8 |
| SHA256 | 13194219d00ec7c089e1e7a52a28f6df975e241e9a6aac8efe71bc98431623c2 |
| SHA512 | f5e385816574c6abc148b4ae495327e0fcf99f3460e9870118fd8def946ce226585ed680f74a2d55172895d25115566d1779ff7cfabf21d9ea541e99b9d33341 |
memory/2080-53-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2484-51-0x000000013F500000-0x000000013F854000-memory.dmp
\Windows\system\FOiCnDr.exe
| MD5 | 210881f6c054d9b94d0353727b52d098 |
| SHA1 | 1575ec8b765ce67e7ed3150ed2c364108c228286 |
| SHA256 | 605f99993e992f7c861f7681dee825b05492c173f3442c047d2cc94c7183d7b9 |
| SHA512 | f6d85e8d5fee317e9746fd9c6f5ce8b1c58f5959568482b0cbb2c49703ed1308d6afc9e741f6ee51b4a0450472e4f4f35fe71c3871b325d97db5c7f8d39c75e0 |
C:\Windows\system\XKSaZUC.exe
| MD5 | 114c0024ae084524d6a8029fb7f3cdff |
| SHA1 | 3bd288f867c7714274bd06ec15a561ea355f98a7 |
| SHA256 | 34d45ba41546b0bbc901a5a153ea550d1084e3ff573e93f425de8e8ef7db2d2e |
| SHA512 | 31b847deebc779de8f417ca7c9bf3daa40361820e769ca913cadcf845fe60ea2fb5e6b57d4202c31f75de90635a408fe71030f6919aedf4aff8e01e3520fca54 |
memory/2524-83-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2272-84-0x000000013F940000-0x000000013FC94000-memory.dmp
\Windows\system\DGEzedP.exe
| MD5 | a37fa1498fbb88008b3a33b24e3af33b |
| SHA1 | af57f2b540a3a2ba70180f0eb8b04b0bde815841 |
| SHA256 | 1f7e8d4e85fa1d1ab43d867b8ea48881a697d6213eee26ce86da4ae39ccd47a7 |
| SHA512 | 8b30e112d8921c2fa99f2c42bf33ee5b2dc75cb9c5d9bdfc0c0a42401ecebea36956f6e8b230a99aee473566d04f1f392891516b52833faf9ebf06b201562f1a |
\Windows\system\AWhvAZY.exe
| MD5 | 5ea0d9ce3d2c02c193b95c1f0df0f54a |
| SHA1 | 0218b9301757461143de06cf197922917e5eb372 |
| SHA256 | 6f1b3093fefe76ae73bb71b62e3630657753b4af7fa0c319d96224ba67cf98d8 |
| SHA512 | 646d705e7a49f643689bc6181f5000f78ae4fb8381adc4aa5610522a1b5ada98eb0bfc6d4009faa08eb51bf04cc2d901aa4517ca56b80693ca661f2975d70c5f |
\Windows\system\MGodZsc.exe
| MD5 | ffa4e689c72943477c13df0006c8129c |
| SHA1 | 2d35cf889577d5547fd48d674f636d880bb13428 |
| SHA256 | dcadc49d41145381c726ca5da20a327b0f1e6364608eaf1dfe2097f923f09337 |
| SHA512 | 649b0569a96c769a6efcc4841b5162711137f13e163c878784e0f2f25e9ff6bb14de178be8ba3a3b6ecbd2715426df3cec55df7979df291196d93e91795d16b9 |
C:\Windows\system\geBjeaM.exe
| MD5 | d433df1790868195e50f6086b9b49f51 |
| SHA1 | c4b51f235d2909e7d4db85edf6161404b863301e |
| SHA256 | 384c465870cc5c146f878515a1c654f54eed2b8c6ca3a9f8b27aab3e33661527 |
| SHA512 | 852d65f8ce6a915ab35b207891f78e797549018ac6f05b046f17899b15cdda8077a54c4f6ebee329d06cf885ecb98043e5848fdd5125254ee427c41e529d6324 |
memory/2080-108-0x000000013FA70000-0x000000013FDC4000-memory.dmp
C:\Windows\system\OdwWnYd.exe
| MD5 | 74ebab36d7af5cf2b5e099b10ad0d05a |
| SHA1 | 10421c400baad3bcd7990440c825afaa4dbb6b82 |
| SHA256 | 25e0a5b5d0c323b0bb769dad6ba13f6619dd3a724f6083c4e7380a4c85029208 |
| SHA512 | ce9ee7f41ea4544e77eb0af5a184342198c4405378a1a8ae255a804f0731fcc3c64b24fa7a29645d07cbe39edb1c2606464230f0dc44bfb975101c374c49fbb6 |
memory/1532-99-0x000000013F0C0000-0x000000013F414000-memory.dmp
C:\Windows\system\FqkXkDb.exe
| MD5 | c0f8e61b3990c87290c129c4551f7fcc |
| SHA1 | 6c60fee77e44ef3b57d897277dd44a48e3e3a580 |
| SHA256 | 997392bf04072846ceef5aacbfe3178e1cabbc7c4ec81c7853b3d97ca5a06c5b |
| SHA512 | 0c6bf654d386c125db23226c9ab7a8f875d4e611cc02d6916372ad58cb68c4a88da0d19ebab397e0d22d551d0497b1f5d843eefa26f76a2f83d9f34a159f958f |
C:\Windows\system\etqLXzB.exe
| MD5 | b729f67da70172a4b7affdf4fcec0faa |
| SHA1 | dbf0d65d532e374e2e2f0127d71919cfdefd2d45 |
| SHA256 | f6216396ad85ff05b6f26c8b87e53fa6a07587f4860ff2d8d9d31ee2396a79ec |
| SHA512 | 2733d57a8bb440c0f603ef534caf9d5eeb7282e4780ce804159898bc0b26545fa8b0dd2ebc40894a7bf302b46ba237315cdf0df904bb8ba4b8d875ba18e3624f |
memory/2080-98-0x0000000002420000-0x0000000002774000-memory.dmp
C:\Windows\system\nMKSTVw.exe
| MD5 | b6c75d7c2979aaef6a08b5eacb8e8267 |
| SHA1 | 0e2f3230f9f93a4ebae7626756b917862e1bbb2c |
| SHA256 | c9ea3517bf5fedb30956f3dc59645521a1d2855c8b84b13db91e6f9e88bfaeff |
| SHA512 | 8a88505847c2381573f2b71e16f173a4460952995dc644b3d1b58733d508f626764d05aafb4fbdb6568fdda0e440d03066726894cece756459601679e1620168 |
memory/2684-91-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2080-90-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2080-89-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/1624-82-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2080-81-0x0000000002420000-0x0000000002774000-memory.dmp
C:\Windows\system\NZeDknR.exe
| MD5 | 795c801ffced024e2174d5c935002876 |
| SHA1 | 018cb75a67eca5f0f135549541ca90e695636cd8 |
| SHA256 | c29ec0587cc86dbe587660876c0b8705b326e8d5a18323083ece8b6c89fb88a3 |
| SHA512 | a369b8d2ed4e1029497e095b2d8b9354c3a71f5a351ced8c26ce2b70311d74ca4f441fdfa942fbef87b736785fee6a2ff7b19f626b406afe7f98977775900449 |
C:\Windows\system\VWwxOea.exe
| MD5 | 173aa17917aa3378021f0b93aebb4a85 |
| SHA1 | 0bdb036e064acb64a6559cf2048a0ffafe59d947 |
| SHA256 | e932149500d3315aaaa36abb4038a2e037883a5c75b91cab892e4a291934e410 |
| SHA512 | 84b3575666ff821f5f6ebbd6bd5b185c1b1bce50cab27de27d25b05f0707a09a28d89a76587fcbb6cde491e274399321ea7d7f540b65a4c1f96b45694806d8a6 |
memory/3020-74-0x000000013F260000-0x000000013F5B4000-memory.dmp
memory/2080-73-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/2080-70-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2080-69-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2736-135-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2080-33-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2080-27-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2484-137-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2584-136-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2080-138-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2684-139-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2080-140-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2636-141-0x000000013F6C0000-0x000000013FA14000-memory.dmp
memory/3064-142-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2580-143-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2584-144-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2736-145-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2844-146-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/2772-148-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2484-147-0x000000013F500000-0x000000013F854000-memory.dmp
memory/3020-149-0x000000013F260000-0x000000013F5B4000-memory.dmp
memory/1624-150-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2524-151-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2272-152-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/2684-154-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/1532-153-0x000000013F0C0000-0x000000013F414000-memory.dmp