Analysis Overview
SHA256
d66066b015540d58cd29c7a0fd45de79a910fa030ce2f5306db180aed421ecaf
Threat Level: Known bad
The file 2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
XMRig Miner payload
UPX dump on OEP (original entry point)
xmrig
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Cobaltstrike
Xmrig family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:10
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 07:10
Reported
2024-06-01 07:13
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\NuzbXZs.exe | N/A |
| N/A | N/A | C:\Windows\System\AEfrqRg.exe | N/A |
| N/A | N/A | C:\Windows\System\eOPJhjW.exe | N/A |
| N/A | N/A | C:\Windows\System\iMdBUIB.exe | N/A |
| N/A | N/A | C:\Windows\System\qfrnDHo.exe | N/A |
| N/A | N/A | C:\Windows\System\PPuVgYE.exe | N/A |
| N/A | N/A | C:\Windows\System\gPieZXo.exe | N/A |
| N/A | N/A | C:\Windows\System\zHdZObn.exe | N/A |
| N/A | N/A | C:\Windows\System\FBcCPxK.exe | N/A |
| N/A | N/A | C:\Windows\System\taDxAxQ.exe | N/A |
| N/A | N/A | C:\Windows\System\IwMeUqM.exe | N/A |
| N/A | N/A | C:\Windows\System\IySehsC.exe | N/A |
| N/A | N/A | C:\Windows\System\BdoYMuH.exe | N/A |
| N/A | N/A | C:\Windows\System\VxHrIBq.exe | N/A |
| N/A | N/A | C:\Windows\System\sOcVNkP.exe | N/A |
| N/A | N/A | C:\Windows\System\CYpfQJD.exe | N/A |
| N/A | N/A | C:\Windows\System\GdxxlEs.exe | N/A |
| N/A | N/A | C:\Windows\System\xSksBod.exe | N/A |
| N/A | N/A | C:\Windows\System\kSPXtBD.exe | N/A |
| N/A | N/A | C:\Windows\System\ruykizz.exe | N/A |
| N/A | N/A | C:\Windows\System\ZgIrgkq.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\NuzbXZs.exe
C:\Windows\System\NuzbXZs.exe
C:\Windows\System\AEfrqRg.exe
C:\Windows\System\AEfrqRg.exe
C:\Windows\System\eOPJhjW.exe
C:\Windows\System\eOPJhjW.exe
C:\Windows\System\iMdBUIB.exe
C:\Windows\System\iMdBUIB.exe
C:\Windows\System\qfrnDHo.exe
C:\Windows\System\qfrnDHo.exe
C:\Windows\System\PPuVgYE.exe
C:\Windows\System\PPuVgYE.exe
C:\Windows\System\gPieZXo.exe
C:\Windows\System\gPieZXo.exe
C:\Windows\System\zHdZObn.exe
C:\Windows\System\zHdZObn.exe
C:\Windows\System\FBcCPxK.exe
C:\Windows\System\FBcCPxK.exe
C:\Windows\System\taDxAxQ.exe
C:\Windows\System\taDxAxQ.exe
C:\Windows\System\IwMeUqM.exe
C:\Windows\System\IwMeUqM.exe
C:\Windows\System\IySehsC.exe
C:\Windows\System\IySehsC.exe
C:\Windows\System\BdoYMuH.exe
C:\Windows\System\BdoYMuH.exe
C:\Windows\System\VxHrIBq.exe
C:\Windows\System\VxHrIBq.exe
C:\Windows\System\sOcVNkP.exe
C:\Windows\System\sOcVNkP.exe
C:\Windows\System\CYpfQJD.exe
C:\Windows\System\CYpfQJD.exe
C:\Windows\System\GdxxlEs.exe
C:\Windows\System\GdxxlEs.exe
C:\Windows\System\xSksBod.exe
C:\Windows\System\xSksBod.exe
C:\Windows\System\kSPXtBD.exe
C:\Windows\System\kSPXtBD.exe
C:\Windows\System\ruykizz.exe
C:\Windows\System\ruykizz.exe
C:\Windows\System\ZgIrgkq.exe
C:\Windows\System\ZgIrgkq.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
Files
memory/4188-0-0x00007FF686560000-0x00007FF6868B4000-memory.dmp
memory/4188-1-0x0000017DF88B0000-0x0000017DF88C0000-memory.dmp
C:\Windows\System\NuzbXZs.exe
| MD5 | 6dee589603a188f849419a9cb305e68c |
| SHA1 | 7afbf7beb89afedee216419bd391d54bed00800d |
| SHA256 | 4fdfcc0914b18c783f54ac49c76f128810e2be591f0ea411f0fb871e29309d7c |
| SHA512 | bea0bc7c3bca0a8ad1102d7a8a7d9712d675cc63a8e729ad96b4be8738efb58119ee21a93ab05bf18fa37d1c032391d94033bee7033b7a7c8442b307d575e69e |
memory/3496-7-0x00007FF7BD2A0000-0x00007FF7BD5F4000-memory.dmp
C:\Windows\System\eOPJhjW.exe
| MD5 | a3ea85434f0ee7674207b97e76cf3775 |
| SHA1 | a1483aa83bbe7dbe7aec18fea4ecd611e2f772b0 |
| SHA256 | 8bee33a6e061a8e9e5d3325e4f92479b1a032427e0c304df4c07ceeeedb032bc |
| SHA512 | b99fa98a112a94831215269c37daffffb5abda14f80662f118cd1cb12385578c8d6420f95e61d1e109b66e129386eeea194c2952e63f9d95060ff3e0a0541b2a |
memory/704-14-0x00007FF7B1CC0000-0x00007FF7B2014000-memory.dmp
C:\Windows\System\AEfrqRg.exe
| MD5 | dde70bd27b4d64e0148727fbe400e6ee |
| SHA1 | 0701e77083b354501d0780fde1364e2d10777b8e |
| SHA256 | ce1c5390d99482d5982a98c632348658c08497596cba6d9c41d93c7269f6b258 |
| SHA512 | b40be983c573bc9c54a06dffb8835daacee74f58d031fa1819e6bead134725225f74155065953110e3a0a3232cf2cac54644f194ad3cd978ca19377b49d4d420 |
memory/1184-20-0x00007FF6AF9F0000-0x00007FF6AFD44000-memory.dmp
C:\Windows\System\iMdBUIB.exe
| MD5 | ac9aaf6b576717a5b4e7e91e33dff8c9 |
| SHA1 | 0f6ba2f04fe93375c42a9714ce2f2d1c4efe34b5 |
| SHA256 | d69319ffd2de69c4ea5716870feab63bff692e8785fe78eab79907b16fa7027c |
| SHA512 | 15fc4865c63d046ad0886a2d9d866c9274e2d2477a907a0a16f2f75901d8d1b4940ae369b82af4973bc5afe81dae55097b32ce01d50d05dd37ab1311fe6556fa |
memory/1056-28-0x00007FF73B090000-0x00007FF73B3E4000-memory.dmp
C:\Windows\System\qfrnDHo.exe
| MD5 | 2796ead894ffbde5f3f4ad6f8989a530 |
| SHA1 | 32057434b1804f7031dcd106ee549ed98869c1cb |
| SHA256 | 3a0473f05fed080b2ebfa260f6c0613a534f976d41d7620051b1334430eaa327 |
| SHA512 | 6aff3b5512958260b46188761ee052f7caa459588ba70587f5ed14e941ca6be42c990cc944097c76a0937f2096c89d34d96a79bab1b5990746ade4e6c4de6051 |
C:\Windows\System\PPuVgYE.exe
| MD5 | 21f47f9d1941000e2132f19a9d81f461 |
| SHA1 | 637e9b30f624c612b89f3728591d569ff4961e7c |
| SHA256 | 42e51a7f828e384858edcaf90d381b26323efa8c040c736239434b93474555aa |
| SHA512 | 17703b74dffe876eac83b981eea77de3f2ab58ad9e37b34638f1b4917bbce77f60efc7a37fdf4117bae6392fb436252e33724cda405fcdd0cd3a02037ec1a913 |
memory/3256-36-0x00007FF62FB40000-0x00007FF62FE94000-memory.dmp
memory/1620-32-0x00007FF6630A0000-0x00007FF6633F4000-memory.dmp
C:\Windows\System\gPieZXo.exe
| MD5 | 4b365f3502c7511a2a892147e216e0ea |
| SHA1 | e3c9881ab2953522166a2b31ed1034f5bf674163 |
| SHA256 | 7726ac1039bc40657045246554bfd81908dd9a6066eaa09e9e3cd02c5f4d89fd |
| SHA512 | e8de649b0dfbdb9ac8a2fa62e0165c76c20f751e24adf363d7310702042f3fb17dde2fa6f303a60e329e30ed14edd2a71cee9296f854cfd7ea8ea08082e2435a |
C:\Windows\System\zHdZObn.exe
| MD5 | 13ebecd255bc678761024ac4a7a67e9c |
| SHA1 | 0bf1eca8d93d96d1fa326ce5df1baca68cddf32a |
| SHA256 | 673d9691ba54f495bd00ff56ce939128ed3d03c442709b72cef6d86c6d8ce655 |
| SHA512 | e1407e650ad2da05f5158ec02e9460ee896f0544079679eb38e2596b040e9c71a5dd120277c88fffbc8d1474ede53de4ebadd61e0928ad0db3c257e2d97e1dac |
memory/4996-44-0x00007FF6A94D0000-0x00007FF6A9824000-memory.dmp
C:\Windows\System\FBcCPxK.exe
| MD5 | e8bcff000fb6d796fbdc7943b69cb8f2 |
| SHA1 | 29bbfa52ba14aa874defeafc3cd722fcad93ed2a |
| SHA256 | e276716287b86af80b2ca77baf44c87d19d4217a310466a59c466c47dbdc3fe2 |
| SHA512 | 1b80c4c1bc9f22758939a78f12791d8dc6716e69efa6c35fcc286c32a8601f4bef53894df5a5df8181e824deb1db6c57a0e2056c0e01f3ed7d00666e765c9f0a |
memory/3172-59-0x00007FF6ECC10000-0x00007FF6ECF64000-memory.dmp
C:\Windows\System\taDxAxQ.exe
| MD5 | 3ce5fcb34801c8ce3dd83cb3566c9947 |
| SHA1 | cf06088f24b65d0861eecfd276c4112ac817f347 |
| SHA256 | 1ebc3eb95f8299dec44cb531d4e0e0a0e1e189afb15324b5ffa61fd8a5eadaae |
| SHA512 | efc2c0a34d7e9ca4707f555361f8bb8f595c9b759a31018758fbe86863047744d8774a17a9b81242b86644aa03b1f2811868c5f630e65e26747571dedda0d159 |
memory/1544-60-0x00007FF68B770000-0x00007FF68BAC4000-memory.dmp
memory/872-57-0x00007FF7F7DF0000-0x00007FF7F8144000-memory.dmp
C:\Windows\System\IwMeUqM.exe
| MD5 | 778587e887020145f461a096772e161b |
| SHA1 | b187da06c1949a44f41d300db4ffdeb364f0a55c |
| SHA256 | 8f2412e6da84a740674d4d118597b6d9e5a9ab69c7127f9f3e814e24f36ae37c |
| SHA512 | 786b4ab4e1a75525e7316907b9b3ba87ef1243130081a322209d481924b76472a3ae640f223da32edb889bf616f05f98d23f1566010ac4edc638e4a789c734c9 |
memory/3488-67-0x00007FF684DD0000-0x00007FF685124000-memory.dmp
C:\Windows\System\IySehsC.exe
| MD5 | efbc9dffac468d1bef42f49be97b6cd4 |
| SHA1 | 16082337d6fb9eb22fdf647de8f0e2d17c63fb6d |
| SHA256 | 1bf4f05434bb3e52ff070f9aa8f0b93d049f50640069827c64c219d039d15afe |
| SHA512 | 01598f20f85769c512a0ba507774788ea9018ccb4787b03b8a66bac7af982945ecffa9bc41dec9a0ca84ec696b475548bab7a82d9a3b57088a56ca48fee43298 |
memory/4188-66-0x00007FF686560000-0x00007FF6868B4000-memory.dmp
memory/2712-77-0x00007FF7017D0000-0x00007FF701B24000-memory.dmp
C:\Windows\System\BdoYMuH.exe
| MD5 | d8d3f577bc07963afb5261a52c70baaf |
| SHA1 | ea72cd2aaf3e48a23e6ab33efc1f4762473af0ed |
| SHA256 | 4a157eac5bbd9fc94a6c6272b255b8ff10728492cbb900b0f16ba81fde74cdac |
| SHA512 | 7a2e296ab69926d3eaa0cefbd9dc0de041553e29f5a71cf53ac3987d9ac92c83b2f4215e7a6f9875c74ea1e2d0b3c54ebd2e6557129048ac1aaa93852e84e10a |
memory/3496-75-0x00007FF7BD2A0000-0x00007FF7BD5F4000-memory.dmp
C:\Windows\System\VxHrIBq.exe
| MD5 | f97d4bfb3f029b468a47ceb2195e01b6 |
| SHA1 | edd7e793360bdeea54042059fc394746ee270119 |
| SHA256 | ac9b17b328b2e4fb6c15ca4f92c01ed182c87d9110f51cc0a38b53f15e0fbec7 |
| SHA512 | 833b70725159bc77d7e1fb7b2c0f7d39a473df2cf3992df43f64c1a757579516599a279c5b85baa146030f0c46f2df5b84d9cf6f0e6f07c7487a1e00e19a5506 |
memory/1584-82-0x00007FF644A50000-0x00007FF644DA4000-memory.dmp
C:\Windows\System\sOcVNkP.exe
| MD5 | d38110df71cce51fa4a018fe9089f5c5 |
| SHA1 | 54df4a1e413ea5055af75a1d714e032ca2e0f978 |
| SHA256 | 771cb7fd06a2d1776492da351b97a7838bbd79b2a4d9ec12064a879608afd64c |
| SHA512 | e07f2e76e4cb1d54c65244693a54c9f4fc0d10f5ec725c1ec5edef314fcff656bb6b220f7abefb6b6a064d219cf7b8114236b094071741b67ec59339294ee011 |
memory/4800-86-0x00007FF7B2330000-0x00007FF7B2684000-memory.dmp
memory/1056-94-0x00007FF73B090000-0x00007FF73B3E4000-memory.dmp
memory/1820-95-0x00007FF6617C0000-0x00007FF661B14000-memory.dmp
C:\Windows\System\CYpfQJD.exe
| MD5 | b4dc529791113ca3a7f17dfd751b40db |
| SHA1 | 2bf4a48578e653244021a5bf9bec8ecb78e8e95f |
| SHA256 | cc120951c755537b4253c5fcb93de2f6a23e738374576937c43b8b5b58f009b0 |
| SHA512 | 052f0c3cd6b0ee9fed8eb356562139663ed68c3b42c9d67735b81a3609682727ee3d6cfd9072fe47a6c82489071f4fa76920056f9409b9a5fd993faf3742b646 |
memory/1084-101-0x00007FF70C400000-0x00007FF70C754000-memory.dmp
C:\Windows\System\GdxxlEs.exe
| MD5 | a06cb1100020704c34f3c095400dc258 |
| SHA1 | 5daedc44b5621f0d910550714c50d05d91b473f1 |
| SHA256 | 53526ca3627d74578a3710fe0f8c2192610db4d65680ea47c8298c7b9a8c5a2f |
| SHA512 | f8c86f633d31273f32ae24bf103e360243c7edce0dcb37c8654c21a523fafc89ec6b0fb1288511675cdbf14218371e2055f9ddf826aec612352d9543f8b3201d |
memory/2884-107-0x00007FF664B70000-0x00007FF664EC4000-memory.dmp
C:\Windows\System\xSksBod.exe
| MD5 | 82e6fe5b47c0496173e447fe67b405a7 |
| SHA1 | 2536c730fb2d0bb9a72d32adea12ba4d8ad0b0b2 |
| SHA256 | 90c3bf30321e10018bcae916cca49d8dc4af2587ffaa919a5269ade22e6e23f0 |
| SHA512 | a88baf3731ebc859c10e36524bf1838820cf23091d85c13b85a84eb09c08f115def5f39f7ac0f270f42bd3545530295f102759f53d6ae247978d51238109434e |
memory/3256-106-0x00007FF62FB40000-0x00007FF62FE94000-memory.dmp
memory/4040-114-0x00007FF7ADBC0000-0x00007FF7ADF14000-memory.dmp
C:\Windows\System\kSPXtBD.exe
| MD5 | f7b7c6ee3bc0ec0d86bfaf8e3c7adab1 |
| SHA1 | f8e229b3b55559d5cce337ec1ca46b8fa0ea5146 |
| SHA256 | 7c8a67e9cd8cc55cce9dbd6888f70a5942d36a9e41acf78dae27d4f1387aa6be |
| SHA512 | 7d590dc10b27e3653c961bd81b83c4c2b8266ace0e4285d0350dc88976b096874e8cf06cc33eeb4f498c77c9b37958f90ad0fb41b81a3ceb81bbed25f3e477e7 |
C:\Windows\System\ruykizz.exe
| MD5 | da3298ca1e81916aef01ca9957376fee |
| SHA1 | 33413c577c444eb6433d73866872e3787920536c |
| SHA256 | 93cb7785987ecef822e2b3466b883970a5e3c0c57f31521281e9414298312eb4 |
| SHA512 | 2e9a3a18cc075c82d356f04e589f6ec094359886ef00bef2a04d9a35db75d55e3a110d9d02fdefed6c1553fbf6790e775c3a20ea41a722ba3eee680e22042c22 |
memory/884-122-0x00007FF60C3D0000-0x00007FF60C724000-memory.dmp
memory/4020-127-0x00007FF64ED10000-0x00007FF64F064000-memory.dmp
memory/1544-125-0x00007FF68B770000-0x00007FF68BAC4000-memory.dmp
C:\Windows\System\ZgIrgkq.exe
| MD5 | db4cc54d40e951a2828b32883bab48f8 |
| SHA1 | 0ee3098e142ab21e01f1f709ba5991330df48716 |
| SHA256 | f2ff4ce75c484f5b863c09e6a148ca63106c3d7f25029931e504118354ee0311 |
| SHA512 | 72bc98624500dcfc4b2963625abdc10ee3ca83acabb6fc9e1a9e18db6fb3ac705c913ae4a595e7f555da1a49559514607d5a73f81065231b7cb9a69d17f15d77 |
memory/3488-132-0x00007FF684DD0000-0x00007FF685124000-memory.dmp
memory/5012-133-0x00007FF671B20000-0x00007FF671E74000-memory.dmp
memory/4800-134-0x00007FF7B2330000-0x00007FF7B2684000-memory.dmp
memory/2884-135-0x00007FF664B70000-0x00007FF664EC4000-memory.dmp
memory/884-136-0x00007FF60C3D0000-0x00007FF60C724000-memory.dmp
memory/4020-137-0x00007FF64ED10000-0x00007FF64F064000-memory.dmp
memory/3496-138-0x00007FF7BD2A0000-0x00007FF7BD5F4000-memory.dmp
memory/704-139-0x00007FF7B1CC0000-0x00007FF7B2014000-memory.dmp
memory/1184-140-0x00007FF6AF9F0000-0x00007FF6AFD44000-memory.dmp
memory/1056-141-0x00007FF73B090000-0x00007FF73B3E4000-memory.dmp
memory/1620-142-0x00007FF6630A0000-0x00007FF6633F4000-memory.dmp
memory/3256-143-0x00007FF62FB40000-0x00007FF62FE94000-memory.dmp
memory/4996-144-0x00007FF6A94D0000-0x00007FF6A9824000-memory.dmp
memory/872-145-0x00007FF7F7DF0000-0x00007FF7F8144000-memory.dmp
memory/3172-146-0x00007FF6ECC10000-0x00007FF6ECF64000-memory.dmp
memory/1544-147-0x00007FF68B770000-0x00007FF68BAC4000-memory.dmp
memory/3488-148-0x00007FF684DD0000-0x00007FF685124000-memory.dmp
memory/2712-149-0x00007FF7017D0000-0x00007FF701B24000-memory.dmp
memory/1584-150-0x00007FF644A50000-0x00007FF644DA4000-memory.dmp
memory/4800-151-0x00007FF7B2330000-0x00007FF7B2684000-memory.dmp
memory/1820-152-0x00007FF6617C0000-0x00007FF661B14000-memory.dmp
memory/1084-153-0x00007FF70C400000-0x00007FF70C754000-memory.dmp
memory/2884-154-0x00007FF664B70000-0x00007FF664EC4000-memory.dmp
memory/4040-155-0x00007FF7ADBC0000-0x00007FF7ADF14000-memory.dmp
memory/884-156-0x00007FF60C3D0000-0x00007FF60C724000-memory.dmp
memory/4020-157-0x00007FF64ED10000-0x00007FF64F064000-memory.dmp
memory/5012-158-0x00007FF671B20000-0x00007FF671E74000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:10
Reported
2024-06-01 07:13
Platform
win7-20240220-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\NuzbXZs.exe | N/A |
| N/A | N/A | C:\Windows\System\AEfrqRg.exe | N/A |
| N/A | N/A | C:\Windows\System\eOPJhjW.exe | N/A |
| N/A | N/A | C:\Windows\System\iMdBUIB.exe | N/A |
| N/A | N/A | C:\Windows\System\qfrnDHo.exe | N/A |
| N/A | N/A | C:\Windows\System\PPuVgYE.exe | N/A |
| N/A | N/A | C:\Windows\System\gPieZXo.exe | N/A |
| N/A | N/A | C:\Windows\System\zHdZObn.exe | N/A |
| N/A | N/A | C:\Windows\System\FBcCPxK.exe | N/A |
| N/A | N/A | C:\Windows\System\taDxAxQ.exe | N/A |
| N/A | N/A | C:\Windows\System\IwMeUqM.exe | N/A |
| N/A | N/A | C:\Windows\System\IySehsC.exe | N/A |
| N/A | N/A | C:\Windows\System\BdoYMuH.exe | N/A |
| N/A | N/A | C:\Windows\System\VxHrIBq.exe | N/A |
| N/A | N/A | C:\Windows\System\sOcVNkP.exe | N/A |
| N/A | N/A | C:\Windows\System\CYpfQJD.exe | N/A |
| N/A | N/A | C:\Windows\System\GdxxlEs.exe | N/A |
| N/A | N/A | C:\Windows\System\xSksBod.exe | N/A |
| N/A | N/A | C:\Windows\System\kSPXtBD.exe | N/A |
| N/A | N/A | C:\Windows\System\ruykizz.exe | N/A |
| N/A | N/A | C:\Windows\System\ZgIrgkq.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\NuzbXZs.exe
C:\Windows\System\NuzbXZs.exe
C:\Windows\System\AEfrqRg.exe
C:\Windows\System\AEfrqRg.exe
C:\Windows\System\eOPJhjW.exe
C:\Windows\System\eOPJhjW.exe
C:\Windows\System\iMdBUIB.exe
C:\Windows\System\iMdBUIB.exe
C:\Windows\System\qfrnDHo.exe
C:\Windows\System\qfrnDHo.exe
C:\Windows\System\PPuVgYE.exe
C:\Windows\System\PPuVgYE.exe
C:\Windows\System\gPieZXo.exe
C:\Windows\System\gPieZXo.exe
C:\Windows\System\zHdZObn.exe
C:\Windows\System\zHdZObn.exe
C:\Windows\System\FBcCPxK.exe
C:\Windows\System\FBcCPxK.exe
C:\Windows\System\taDxAxQ.exe
C:\Windows\System\taDxAxQ.exe
C:\Windows\System\IwMeUqM.exe
C:\Windows\System\IwMeUqM.exe
C:\Windows\System\IySehsC.exe
C:\Windows\System\IySehsC.exe
C:\Windows\System\BdoYMuH.exe
C:\Windows\System\BdoYMuH.exe
C:\Windows\System\VxHrIBq.exe
C:\Windows\System\VxHrIBq.exe
C:\Windows\System\sOcVNkP.exe
C:\Windows\System\sOcVNkP.exe
C:\Windows\System\CYpfQJD.exe
C:\Windows\System\CYpfQJD.exe
C:\Windows\System\GdxxlEs.exe
C:\Windows\System\GdxxlEs.exe
C:\Windows\System\xSksBod.exe
C:\Windows\System\xSksBod.exe
C:\Windows\System\kSPXtBD.exe
C:\Windows\System\kSPXtBD.exe
C:\Windows\System\ruykizz.exe
C:\Windows\System\ruykizz.exe
C:\Windows\System\ZgIrgkq.exe
C:\Windows\System\ZgIrgkq.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2204-0-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2204-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\NuzbXZs.exe
| MD5 | 6dee589603a188f849419a9cb305e68c |
| SHA1 | 7afbf7beb89afedee216419bd391d54bed00800d |
| SHA256 | 4fdfcc0914b18c783f54ac49c76f128810e2be591f0ea411f0fb871e29309d7c |
| SHA512 | bea0bc7c3bca0a8ad1102d7a8a7d9712d675cc63a8e729ad96b4be8738efb58119ee21a93ab05bf18fa37d1c032391d94033bee7033b7a7c8442b307d575e69e |
memory/3048-9-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/2204-7-0x0000000002230000-0x0000000002584000-memory.dmp
\Windows\system\AEfrqRg.exe
| MD5 | dde70bd27b4d64e0148727fbe400e6ee |
| SHA1 | 0701e77083b354501d0780fde1364e2d10777b8e |
| SHA256 | ce1c5390d99482d5982a98c632348658c08497596cba6d9c41d93c7269f6b258 |
| SHA512 | b40be983c573bc9c54a06dffb8835daacee74f58d031fa1819e6bead134725225f74155065953110e3a0a3232cf2cac54644f194ad3cd978ca19377b49d4d420 |
memory/2204-13-0x0000000002230000-0x0000000002584000-memory.dmp
memory/2524-15-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2204-20-0x000000013F270000-0x000000013F5C4000-memory.dmp
C:\Windows\system\eOPJhjW.exe
| MD5 | a3ea85434f0ee7674207b97e76cf3775 |
| SHA1 | a1483aa83bbe7dbe7aec18fea4ecd611e2f772b0 |
| SHA256 | 8bee33a6e061a8e9e5d3325e4f92479b1a032427e0c304df4c07ceeeedb032bc |
| SHA512 | b99fa98a112a94831215269c37daffffb5abda14f80662f118cd1cb12385578c8d6420f95e61d1e109b66e129386eeea194c2952e63f9d95060ff3e0a0541b2a |
memory/2668-22-0x000000013F270000-0x000000013F5C4000-memory.dmp
C:\Windows\system\iMdBUIB.exe
| MD5 | ac9aaf6b576717a5b4e7e91e33dff8c9 |
| SHA1 | 0f6ba2f04fe93375c42a9714ce2f2d1c4efe34b5 |
| SHA256 | d69319ffd2de69c4ea5716870feab63bff692e8785fe78eab79907b16fa7027c |
| SHA512 | 15fc4865c63d046ad0886a2d9d866c9274e2d2477a907a0a16f2f75901d8d1b4940ae369b82af4973bc5afe81dae55097b32ce01d50d05dd37ab1311fe6556fa |
memory/2204-33-0x000000013FD30000-0x0000000140084000-memory.dmp
C:\Windows\system\qfrnDHo.exe
| MD5 | 2796ead894ffbde5f3f4ad6f8989a530 |
| SHA1 | 32057434b1804f7031dcd106ee549ed98869c1cb |
| SHA256 | 3a0473f05fed080b2ebfa260f6c0613a534f976d41d7620051b1334430eaa327 |
| SHA512 | 6aff3b5512958260b46188761ee052f7caa459588ba70587f5ed14e941ca6be42c990cc944097c76a0937f2096c89d34d96a79bab1b5990746ade4e6c4de6051 |
memory/2688-39-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2204-43-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2656-44-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2204-41-0x0000000002230000-0x0000000002584000-memory.dmp
C:\Windows\system\PPuVgYE.exe
| MD5 | 21f47f9d1941000e2132f19a9d81f461 |
| SHA1 | 637e9b30f624c612b89f3728591d569ff4961e7c |
| SHA256 | 42e51a7f828e384858edcaf90d381b26323efa8c040c736239434b93474555aa |
| SHA512 | 17703b74dffe876eac83b981eea77de3f2ab58ad9e37b34638f1b4917bbce77f60efc7a37fdf4117bae6392fb436252e33724cda405fcdd0cd3a02037ec1a913 |
memory/2560-37-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/2204-48-0x000000013F960000-0x000000013FCB4000-memory.dmp
\Windows\system\gPieZXo.exe
| MD5 | 4b365f3502c7511a2a892147e216e0ea |
| SHA1 | e3c9881ab2953522166a2b31ed1034f5bf674163 |
| SHA256 | 7726ac1039bc40657045246554bfd81908dd9a6066eaa09e9e3cd02c5f4d89fd |
| SHA512 | e8de649b0dfbdb9ac8a2fa62e0165c76c20f751e24adf363d7310702042f3fb17dde2fa6f303a60e329e30ed14edd2a71cee9296f854cfd7ea8ea08082e2435a |
memory/2460-52-0x000000013F700000-0x000000013FA54000-memory.dmp
memory/3048-51-0x000000013FB40000-0x000000013FE94000-memory.dmp
\Windows\system\zHdZObn.exe
| MD5 | 13ebecd255bc678761024ac4a7a67e9c |
| SHA1 | 0bf1eca8d93d96d1fa326ce5df1baca68cddf32a |
| SHA256 | 673d9691ba54f495bd00ff56ce939128ed3d03c442709b72cef6d86c6d8ce655 |
| SHA512 | e1407e650ad2da05f5158ec02e9460ee896f0544079679eb38e2596b040e9c71a5dd120277c88fffbc8d1474ede53de4ebadd61e0928ad0db3c257e2d97e1dac |
memory/2584-59-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2204-56-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2524-65-0x000000013FBD0000-0x000000013FF24000-memory.dmp
C:\Windows\system\FBcCPxK.exe
| MD5 | e8bcff000fb6d796fbdc7943b69cb8f2 |
| SHA1 | 29bbfa52ba14aa874defeafc3cd722fcad93ed2a |
| SHA256 | e276716287b86af80b2ca77baf44c87d19d4217a310466a59c466c47dbdc3fe2 |
| SHA512 | 1b80c4c1bc9f22758939a78f12791d8dc6716e69efa6c35fcc286c32a8601f4bef53894df5a5df8181e824deb1db6c57a0e2056c0e01f3ed7d00666e765c9f0a |
memory/2832-67-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2204-66-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2204-73-0x000000013F410000-0x000000013F764000-memory.dmp
C:\Windows\system\taDxAxQ.exe
| MD5 | 3ce5fcb34801c8ce3dd83cb3566c9947 |
| SHA1 | cf06088f24b65d0861eecfd276c4112ac817f347 |
| SHA256 | 1ebc3eb95f8299dec44cb531d4e0e0a0e1e189afb15324b5ffa61fd8a5eadaae |
| SHA512 | efc2c0a34d7e9ca4707f555361f8bb8f595c9b759a31018758fbe86863047744d8774a17a9b81242b86644aa03b1f2811868c5f630e65e26747571dedda0d159 |
memory/1656-74-0x000000013F410000-0x000000013F764000-memory.dmp
C:\Windows\system\IwMeUqM.exe
| MD5 | 778587e887020145f461a096772e161b |
| SHA1 | b187da06c1949a44f41d300db4ffdeb364f0a55c |
| SHA256 | 8f2412e6da84a740674d4d118597b6d9e5a9ab69c7127f9f3e814e24f36ae37c |
| SHA512 | 786b4ab4e1a75525e7316907b9b3ba87ef1243130081a322209d481924b76472a3ae640f223da32edb889bf616f05f98d23f1566010ac4edc638e4a789c734c9 |
memory/1196-81-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2204-80-0x000000013F240000-0x000000013F594000-memory.dmp
C:\Windows\system\IySehsC.exe
| MD5 | efbc9dffac468d1bef42f49be97b6cd4 |
| SHA1 | 16082337d6fb9eb22fdf647de8f0e2d17c63fb6d |
| SHA256 | 1bf4f05434bb3e52ff070f9aa8f0b93d049f50640069827c64c219d039d15afe |
| SHA512 | 01598f20f85769c512a0ba507774788ea9018ccb4787b03b8a66bac7af982945ecffa9bc41dec9a0ca84ec696b475548bab7a82d9a3b57088a56ca48fee43298 |
memory/1044-88-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2204-87-0x000000013F390000-0x000000013F6E4000-memory.dmp
C:\Windows\system\BdoYMuH.exe
| MD5 | d8d3f577bc07963afb5261a52c70baaf |
| SHA1 | ea72cd2aaf3e48a23e6ab33efc1f4762473af0ed |
| SHA256 | 4a157eac5bbd9fc94a6c6272b255b8ff10728492cbb900b0f16ba81fde74cdac |
| SHA512 | 7a2e296ab69926d3eaa0cefbd9dc0de041553e29f5a71cf53ac3987d9ac92c83b2f4215e7a6f9875c74ea1e2d0b3c54ebd2e6557129048ac1aaa93852e84e10a |
memory/2204-97-0x0000000002230000-0x0000000002584000-memory.dmp
C:\Windows\system\CYpfQJD.exe
| MD5 | b4dc529791113ca3a7f17dfd751b40db |
| SHA1 | 2bf4a48578e653244021a5bf9bec8ecb78e8e95f |
| SHA256 | cc120951c755537b4253c5fcb93de2f6a23e738374576937c43b8b5b58f009b0 |
| SHA512 | 052f0c3cd6b0ee9fed8eb356562139663ed68c3b42c9d67735b81a3609682727ee3d6cfd9072fe47a6c82489071f4fa76920056f9409b9a5fd993faf3742b646 |
\Windows\system\ruykizz.exe
| MD5 | da3298ca1e81916aef01ca9957376fee |
| SHA1 | 33413c577c444eb6433d73866872e3787920536c |
| SHA256 | 93cb7785987ecef822e2b3466b883970a5e3c0c57f31521281e9414298312eb4 |
| SHA512 | 2e9a3a18cc075c82d356f04e589f6ec094359886ef00bef2a04d9a35db75d55e3a110d9d02fdefed6c1553fbf6790e775c3a20ea41a722ba3eee680e22042c22 |
\Windows\system\ZgIrgkq.exe
| MD5 | db4cc54d40e951a2828b32883bab48f8 |
| SHA1 | 0ee3098e142ab21e01f1f709ba5991330df48716 |
| SHA256 | f2ff4ce75c484f5b863c09e6a148ca63106c3d7f25029931e504118354ee0311 |
| SHA512 | 72bc98624500dcfc4b2963625abdc10ee3ca83acabb6fc9e1a9e18db6fb3ac705c913ae4a595e7f555da1a49559514607d5a73f81065231b7cb9a69d17f15d77 |
C:\Windows\system\kSPXtBD.exe
| MD5 | f7b7c6ee3bc0ec0d86bfaf8e3c7adab1 |
| SHA1 | f8e229b3b55559d5cce337ec1ca46b8fa0ea5146 |
| SHA256 | 7c8a67e9cd8cc55cce9dbd6888f70a5942d36a9e41acf78dae27d4f1387aa6be |
| SHA512 | 7d590dc10b27e3653c961bd81b83c4c2b8266ace0e4285d0350dc88976b096874e8cf06cc33eeb4f498c77c9b37958f90ad0fb41b81a3ceb81bbed25f3e477e7 |
C:\Windows\system\xSksBod.exe
| MD5 | 82e6fe5b47c0496173e447fe67b405a7 |
| SHA1 | 2536c730fb2d0bb9a72d32adea12ba4d8ad0b0b2 |
| SHA256 | 90c3bf30321e10018bcae916cca49d8dc4af2587ffaa919a5269ade22e6e23f0 |
| SHA512 | a88baf3731ebc859c10e36524bf1838820cf23091d85c13b85a84eb09c08f115def5f39f7ac0f270f42bd3545530295f102759f53d6ae247978d51238109434e |
C:\Windows\system\GdxxlEs.exe
| MD5 | a06cb1100020704c34f3c095400dc258 |
| SHA1 | 5daedc44b5621f0d910550714c50d05d91b473f1 |
| SHA256 | 53526ca3627d74578a3710fe0f8c2192610db4d65680ea47c8298c7b9a8c5a2f |
| SHA512 | f8c86f633d31273f32ae24bf103e360243c7edce0dcb37c8654c21a523fafc89ec6b0fb1288511675cdbf14218371e2055f9ddf826aec612352d9543f8b3201d |
C:\Windows\system\sOcVNkP.exe
| MD5 | d38110df71cce51fa4a018fe9089f5c5 |
| SHA1 | 54df4a1e413ea5055af75a1d714e032ca2e0f978 |
| SHA256 | 771cb7fd06a2d1776492da351b97a7838bbd79b2a4d9ec12064a879608afd64c |
| SHA512 | e07f2e76e4cb1d54c65244693a54c9f4fc0d10f5ec725c1ec5edef314fcff656bb6b220f7abefb6b6a064d219cf7b8114236b094071741b67ec59339294ee011 |
memory/2204-106-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/2204-105-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/1776-103-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/1632-100-0x000000013F940000-0x000000013FC94000-memory.dmp
C:\Windows\system\VxHrIBq.exe
| MD5 | f97d4bfb3f029b468a47ceb2195e01b6 |
| SHA1 | edd7e793360bdeea54042059fc394746ee270119 |
| SHA256 | ac9b17b328b2e4fb6c15ca4f92c01ed182c87d9110f51cc0a38b53f15e0fbec7 |
| SHA512 | 833b70725159bc77d7e1fb7b2c0f7d39a473df2cf3992df43f64c1a757579516599a279c5b85baa146030f0c46f2df5b84d9cf6f0e6f07c7487a1e00e19a5506 |
memory/2204-138-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2204-139-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2204-140-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2204-141-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2204-142-0x0000000002230000-0x0000000002584000-memory.dmp
memory/1776-143-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2204-144-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/3048-145-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/2668-146-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2524-147-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2560-148-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/2688-149-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2656-150-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2460-151-0x000000013F700000-0x000000013FA54000-memory.dmp
memory/2584-152-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2832-153-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/1656-154-0x000000013F410000-0x000000013F764000-memory.dmp
memory/1196-155-0x000000013F240000-0x000000013F594000-memory.dmp
memory/1044-156-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/1632-157-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/1776-158-0x000000013F280000-0x000000013F5D4000-memory.dmp