Analysis Overview
SHA256
af215c92e62b2df8474dacbc810f565dc05c903e439eabb23e25a31e0e232093
Threat Level: Known bad
The file 2024-06-01_a6cae7bc4f9a4df97f7fa26e1292580c_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Cobaltstrike family
Cobaltstrike
XMRig Miner payload
Xmrig family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-01 08:09
Signatures
Cobalt Strike reflective loader
1 match; indicator, process and target not recorded
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match; indicator, process and target not recorded
UPX dump on OEP (original entry point)
1 match; indicator, process and target not recorded
XMRig Miner payload
1 match; indicator, process and target not recorded
Xmrig family
UPX packed file
1 match; indicator, process and target not recorded
Unsigned PE
1 match; indicator, process and target not recorded
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 08:09
Reported
2024-06-01 08:11
Platform
win7-20240508-en
Max time kernel
145s
Max time network
157s
Signatures
Cobalt Strike reflective loader
21 matches; indicator, process and target not recorded
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; indicator, process and target not recorded
UPX dump on OEP (original entry point)
62 matches; indicator, process and target not recorded
XMRig Miner payload
64 matches; indicator, process and target not recorded
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xQMcXys.exe | N/A |
| N/A | N/A | C:\Windows\System\kLHJTiv.exe | N/A |
| N/A | N/A | C:\Windows\System\QDsJRsm.exe | N/A |
| N/A | N/A | C:\Windows\System\ZmxTFfQ.exe | N/A |
| N/A | N/A | C:\Windows\System\FDrExdv.exe | N/A |
| N/A | N/A | C:\Windows\System\NVOeWOq.exe | N/A |
| N/A | N/A | C:\Windows\System\OgaPIVi.exe | N/A |
| N/A | N/A | C:\Windows\System\CSWAXHO.exe | N/A |
| N/A | N/A | C:\Windows\System\cRUclwk.exe | N/A |
| N/A | N/A | C:\Windows\System\PlqwcdS.exe | N/A |
| N/A | N/A | C:\Windows\System\BKNwiOP.exe | N/A |
| N/A | N/A | C:\Windows\System\CFgXmGe.exe | N/A |
| N/A | N/A | C:\Windows\System\beZOmkj.exe | N/A |
| N/A | N/A | C:\Windows\System\IpvnmID.exe | N/A |
| N/A | N/A | C:\Windows\System\VMFlDTZ.exe | N/A |
| N/A | N/A | C:\Windows\System\cABCleO.exe | N/A |
| N/A | N/A | C:\Windows\System\PuRuktr.exe | N/A |
| N/A | N/A | C:\Windows\System\FLFEYtR.exe | N/A |
| N/A | N/A | C:\Windows\System\vPQxvVo.exe | N/A |
| N/A | N/A | C:\Windows\System\BoqRfWM.exe | N/A |
| N/A | N/A | C:\Windows\System\fUMSQas.exe | N/A |
Loads dropped DLL
UPX packed file
62 matches; indicator, process and target not recorded
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_a6cae7bc4f9a4df97f7fa26e1292580c_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_a6cae7bc4f9a4df97f7fa26e1292580c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_a6cae7bc4f9a4df97f7fa26e1292580c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_a6cae7bc4f9a4df97f7fa26e1292580c_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\xQMcXys.exe
C:\Windows\System\xQMcXys.exe
C:\Windows\System\kLHJTiv.exe
C:\Windows\System\kLHJTiv.exe
C:\Windows\System\ZmxTFfQ.exe
C:\Windows\System\ZmxTFfQ.exe
C:\Windows\System\QDsJRsm.exe
C:\Windows\System\QDsJRsm.exe
C:\Windows\System\FDrExdv.exe
C:\Windows\System\FDrExdv.exe
C:\Windows\System\NVOeWOq.exe
C:\Windows\System\NVOeWOq.exe
C:\Windows\System\OgaPIVi.exe
C:\Windows\System\OgaPIVi.exe
C:\Windows\System\CSWAXHO.exe
C:\Windows\System\CSWAXHO.exe
C:\Windows\System\PlqwcdS.exe
C:\Windows\System\PlqwcdS.exe
C:\Windows\System\cRUclwk.exe
C:\Windows\System\cRUclwk.exe
C:\Windows\System\BKNwiOP.exe
C:\Windows\System\BKNwiOP.exe
C:\Windows\System\CFgXmGe.exe
C:\Windows\System\CFgXmGe.exe
C:\Windows\System\beZOmkj.exe
C:\Windows\System\beZOmkj.exe
C:\Windows\System\IpvnmID.exe
C:\Windows\System\IpvnmID.exe
C:\Windows\System\VMFlDTZ.exe
C:\Windows\System\VMFlDTZ.exe
C:\Windows\System\cABCleO.exe
C:\Windows\System\cABCleO.exe
C:\Windows\System\PuRuktr.exe
C:\Windows\System\PuRuktr.exe
C:\Windows\System\FLFEYtR.exe
C:\Windows\System\FLFEYtR.exe
C:\Windows\System\vPQxvVo.exe
C:\Windows\System\vPQxvVo.exe
C:\Windows\System\BoqRfWM.exe
C:\Windows\System\BoqRfWM.exe
C:\Windows\System\fUMSQas.exe
C:\Windows\System\fUMSQas.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
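The three behaviours recorded above that a responder can act on are: every dropped payload is a seven-letter, mixed-case name executed from C:\Windows\System\ (the legacy 16-bit directory, not System32, and not a place legitimate software starts from); the sample enables SeLockMemoryPrivilege, which XMRig needs for large-page memory and ordinary user software almost never asks for; and both detonations connect to 3.120.209.58:8080 (the report does not say what protocol that port carried, so it is treated only as an endpoint). The following is an added example, not part of the sandbox report or any vendor's code, that runs those three checks over constructed telemetry. The event records and their field names (event, pid, image, dst_ip, dst_port, enabled) are an assumption standing in for whatever process-creation, network and privilege-adjustment logging you have; map them to your own schema.

```python
"""Triage checks for the behaviours recorded in this report.

Added example; not part of the sandbox report or any product's code.
The event records below are constructed to resemble process-creation,
network-connection and privilege-adjustment telemetry. The field names
(event, pid, image, dst_ip, dst_port, enabled) are an assumption, not a
specific product's schema; adapt them to your own log source.
"""
import json
import re

# Endpoint contacted by both detonations (Network section of the report).
KNOWN_BAD_ENDPOINTS = {("3.120.209.58", 8080)}

# Every dropped payload in the report is a seven-letter, mixed-case name
# under C:\Windows\System\ (the legacy 16-bit directory, not System32).
DROPPED_EXE_RE = re.compile(r"^[a-z]:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)

# Privilege the sample enables; XMRig needs it for large pages and
# ordinary user software almost never does.
SUSPICIOUS_PRIVS = {"SeLockMemoryPrivilege"}


def check_event(ev: dict) -> list[str]:
    """Return zero or more finding strings for one event record."""
    findings: list[str] = []
    kind = ev.get("event")
    if kind == "process_create":
        image = ev.get("image", "")
        if DROPPED_EXE_RE.match(image):
            findings.append(f"dropped-exe-exec pid={ev.get('pid')} image={image}")
    elif kind == "network_connect":
        dst = (ev.get("dst_ip"), int(ev.get("dst_port", 0)))
        if dst in KNOWN_BAD_ENDPOINTS:
            findings.append(f"known-bad-endpoint pid={ev.get('pid')} dst={dst[0]}:{dst[1]}")
    elif kind == "privilege_adjust":
        hit = set(ev.get("enabled", [])) & SUSPICIOUS_PRIVS
        if hit:
            findings.append(f"privilege-enable pid={ev.get('pid')} privs={','.join(sorted(hit))}")
    return findings


def scan(events) -> list[str]:
    """Run check_event over an iterable of event dicts."""
    out: list[str] = []
    for ev in events:
        out.extend(check_event(ev))
    return out


def scan_jsonl(text: str) -> list[str]:
    """Same as scan() over newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return scan(events)


# Constructed sample telemetry: pids, the Temp path and the parent/child
# relationship are illustrative, not taken from the report. The last two
# records are benign and must not produce findings.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {"event": "process_create", "pid": 1001, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe"},
    {"event": "privilege_adjust", "pid": 1001, "enabled": ["SeLockMemoryPrivilege"]},
    {"event": "process_create", "pid": 1002, "ppid": 1001, "image": r"C:\Windows\System\xQMcXys.exe"},
    {"event": "process_create", "pid": 1003, "ppid": 1001, "image": r"C:\Windows\System\kLHJTiv.exe"},
    {"event": "network_connect", "pid": 1001, "dst_ip": "3.120.209.58", "dst_port": 8080, "proto": "tcp"},
    {"event": "process_create", "pid": 804, "image": r"C:\Windows\System32\svchost.exe"},
    {"event": "network_connect", "pid": 804, "dst_ip": "8.8.8.8", "dst_port": 53, "proto": "udp"},
])

if __name__ == "__main__":
    for finding in scan_jsonl(SAMPLE_JSONL):
        print(finding)
```

On the constructed input this yields four findings (one privilege enable, two dropped-EXE executions, one known-bad connection) and nothing for the svchost.exe records, because the path check requires the directory to be exactly System\ and the DNS connection is not a listed endpoint. The path pattern is the most durable of the three: hashes of the dropped files differ per detonation, and the IP will rotate, but the naming and drop location are what the loader does every time.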
Files
memory/2124-0-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2124-1-0x00000000002F0000-0x0000000000300000-memory.dmp
\Windows\system\xQMcXys.exe
| MD5 | 6dd57e57778fc74008470324b0bce157 |
| SHA1 | 6c6d87ee4ca41ef44e3fe67a8be1428c378aa6d5 |
| SHA256 | 61e055639876bb83977afe940f2807da2db673ce0216dd77da7aa0438304114b |
| SHA512 | 482de2ec12e0f3f923057f28faebcc110f4245f4f9d6486320868462df99397f4188ac7c31c7b774a6173bae08bb3d8d7967be93b4e0e05482e1a32f14c98096 |
memory/2124-6-0x000000013F350000-0x000000013F6A4000-memory.dmp
\Windows\system\ZmxTFfQ.exe
| MD5 | 9ff6671f66ae89eab94a23866438630e |
| SHA1 | f5203fd7c28b24131b9105c19c4a534ef9a25d19 |
| SHA256 | 0ac685c4ef9f65326e22b9f138c26063965d6f00d5b315cf9788d1c5b888df23 |
| SHA512 | 22300afc971dc56986aa21879e703ed8d05b37cfbfa2062cecc1ca3d24f4e8a95f54a601bc2e300b32df08b0353c06be6a1a7cb254b7714b14780a124b79208c |
C:\Windows\system\QDsJRsm.exe
| MD5 | 3de492cb9d6afe040c881d03267aadc6 |
| SHA1 | c1c02e382e1032e479ad61fdb4304388d5039c34 |
| SHA256 | 4ddf9e3ea99cc829951ca9de27aa2b792ec9130ebc3276d39da93b008f432e5c |
| SHA512 | f941c37e9c48b2b1e4c3fc41d7f41c6158167d5b535632c8ea44308012754d2bc218f2421cf55db4617473db84930a41e6bd4ec54fd316f8a53259891fc55624 |
memory/2144-27-0x000000013F720000-0x000000013FA74000-memory.dmp
\Windows\system\NVOeWOq.exe
| MD5 | 7db7ea42524e72691c6fb6ff1c3485a0 |
| SHA1 | bc008dfa7a9c8434224dbb2cc9890d305072f324 |
| SHA256 | 6d7a8cb4edf98af1207267b1231520c9529ef915b78b56d8430d4cf9ce380bfc |
| SHA512 | 6fd582d383cfb0e01ccb645fdf4d00181cab9b001ce0eab4e033640935b2c7e9dae54fed8ebe05c2c33e2470e2e9f9d00de566432621654dfbceccfe669e4eff |
memory/2124-33-0x00000000021F0000-0x0000000002544000-memory.dmp
memory/2124-35-0x00000000021F0000-0x0000000002544000-memory.dmp
memory/2124-34-0x00000000021F0000-0x0000000002544000-memory.dmp
memory/2124-15-0x00000000021F0000-0x0000000002544000-memory.dmp
C:\Windows\system\FDrExdv.exe
| MD5 | 7b611103ffc3e1d54a408e55ac5aa183 |
| SHA1 | ab5025640c52131447767fce0c7b2cbe49259eac |
| SHA256 | 9944aca8c88a3f8222fa64bf8057156a50c2f3aeb5774f32ba09a63d2b34c5c4 |
| SHA512 | 9c58d8852b5da0ff22bbc46243f5153badb39dfa2cfb1876eace065e8d25bb53f35453d49b002825a31a2d3236fad6baadb370aa05f7331875be753304c309bb |
C:\Windows\system\kLHJTiv.exe
| MD5 | 2d4a638f605dd25b679521c87293e7e1 |
| SHA1 | fdae2cf7f6bf0f2f881abd905f9edc6d2ae02fc2 |
| SHA256 | 466fef5a918739df8ba2f25c1b17b742e3aa6a40361812f4a8dfc0d10c954f5d |
| SHA512 | b79f0d485f5939ba8c421d0dc582acbaa877f0b2656e7edcda71f5510808cb60b2f5bcd1593bd9220a61381ddcde44b368fd39231ce2668aef729ede14142030 |
memory/2884-31-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2688-39-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2124-53-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/2692-54-0x000000013FF20000-0x0000000140274000-memory.dmp
C:\Windows\system\cRUclwk.exe
| MD5 | ce7f58b7297da500f486fda74300e0d8 |
| SHA1 | 24bbf74038458263ce3d32ca2fd0cbb06844dd81 |
| SHA256 | 6dc053d5bfd554eb401e40965c14fd5d23f1ac208e5bb2eb25ec5444f6221224 |
| SHA512 | 05ae3b697abbb09587235cc44ea0a4c94115bae83d508386f06dfcd0daa52edee785368195d18260889dc5a1757bb833fb8ee127f936cd55ce4192186e58b083 |
memory/1544-66-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/888-67-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
C:\Windows\system\OgaPIVi.exe
| MD5 | 2f4ac39934933d6f55992833c5445031 |
| SHA1 | 8a75e80e2549b98ff2f34065e2920685f5b87537 |
| SHA256 | c5a0221d96f73045b45d27894e2fb69cbdcfe7f19eabb07950e90bf1ad12d3d4 |
| SHA512 | 10f9dddbf13f53bf59037e9a65a0c84526831ca47a422b5466c2189cd0381a5fdada342353d5ba84e62c8b65fe897faa378166942974c14f0c75b69c6bfce6ba |
memory/2860-76-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2544-80-0x000000013F430000-0x000000013F784000-memory.dmp
memory/2852-85-0x000000013F050000-0x000000013F3A4000-memory.dmp
\Windows\system\IpvnmID.exe
| MD5 | da79d05571bca01665058c03dbab8f5d |
| SHA1 | 96ba5107012841d0b299e0f5906bd8022479566c |
| SHA256 | 261f5ed46c00bc1686e449a5eb576b828dc0d407220ca51433b144077ae54d6b |
| SHA512 | a904fd40e722d04ba32faed8d4a2724c0e88a9e8a33738370efef76616f242075bf78b9c404056ba4ff3c4a25a10659ab8b4fafb664bd339291cce45449d7e68 |
C:\Windows\system\PuRuktr.exe
| MD5 | 108e6332a1b8443c17398e2008d235e7 |
| SHA1 | 3ca746194e8e0fab2b08757863cd65db33c02302 |
| SHA256 | 961496cd19628fcd4f89dd548bd85361c5b6b8012544556388a2d32bd1b6ce40 |
| SHA512 | 8498b718a9ef1d32c59bdd2ce4486baf90df30eadb42d65c46681750df765f53df9480203d11f587d8bddaaedfbb8a3a8322f967c3416720ce1deb3cec71f501 |
\Windows\system\fUMSQas.exe
| MD5 | 535b0285531578fe31e18b704940af90 |
| SHA1 | 90ffff53fca4ee003b72b04b0f997205d30a0181 |
| SHA256 | e61dae94fd7f22aa911e022683328ea5e4b4bb521d74e436bbe2718850112055 |
| SHA512 | e658034c94413c375479148f8e4555ac84813e3888ed5cd1be89387fb191879402c75c0f9c8d2946f40923d0ef714bd6d81f80c03f58d5fb862cdc59954cfbdf |
C:\Windows\system\vPQxvVo.exe
| MD5 | 2ebeb884456ff9a22e581b74fe6a2ce8 |
| SHA1 | 92a188da5fbdfb8dc92a7d22c9a19f6b80b8fbb4 |
| SHA256 | f68555beb489929d7bf51da7922649aec2d20885b98329f23889616b69f9eede |
| SHA512 | fd67845fda8a2b955f31879b96c6fb633b6905b89bca74011e5c7c5cd80d9225e96966a8f85722d2110379955ba247da588e511a00a54968894d285f1585c570 |
C:\Windows\system\BoqRfWM.exe
| MD5 | 591a5e691090638b91f68fa926223eb4 |
| SHA1 | 8548313d21ae35d03fb089777098ffcbeb0b88af |
| SHA256 | b72b8b5b66c766ebbc12b0c47b8115eedab9dd4b25e879bad6b9401cba60b108 |
| SHA512 | a5c6f8ebb91ac988d0a902ed595db2936fd79ff7a5915b7ec15a379d0992c46ec4a3031610c53660b3349af21802f9b0c802c60b41a995b3d42272ea5400939d |
C:\Windows\system\FLFEYtR.exe
| MD5 | ce020339bb81dd5e711d64745eb9240d |
| SHA1 | 99de17ae562c16451d30616c58bb3ec06c771a9f |
| SHA256 | 8d642c81bf76cc64d7304ffdcd6192b83fd7ea1134890b2b55ad55a77866bff3 |
| SHA512 | 62cf9cbfec23aa2cee3e034943e923e4e48e4153b59798f2a786d6c809339ce116493a65524b636a7e7bd0bc197cc184bed056243e3d9cf455e0b13d7f6302f3 |
memory/2124-108-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2656-107-0x000000013F280000-0x000000013F5D4000-memory.dmp
C:\Windows\system\VMFlDTZ.exe
| MD5 | 2258402741e8792d80bc3e68a702986b |
| SHA1 | 6f5ad1dd5da110c5003e71064bb20a7e9490c268 |
| SHA256 | b0ed86a76851547308aa88aec0810872fc1a8dd6d2179a4726b7827507fbf6c5 |
| SHA512 | 1f5c7501147b00530ddc2085c9c8e6874fd0d8d4ec57ed37021aa00f2044ff37f728a65dcc93e1862ca62d86bd806e3d4a338f23fbda3f5855372b919b43812d |
memory/2692-140-0x000000013FF20000-0x0000000140274000-memory.dmp
C:\Windows\system\cABCleO.exe
| MD5 | 75c4e0a890e1301e67964524edb4731a |
| SHA1 | 3cb934eae41a332cd4c63061abf1c184e06c0dd2 |
| SHA256 | 179cf8d90bbe30ffdaa53bff43dc6716d5cf27017bdc30f2e29edf1b6287ae3a |
| SHA512 | 9660f0e28349c445720f5eef4562a1dd394059df7fa0db048a1ac02ba541b2566223be918c22314019d1a859ba518f513695bd5a59d40cc9511c372ed77dfb91 |
memory/1360-100-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2124-99-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2568-93-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2124-92-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2688-91-0x000000013F8E0000-0x000000013FC34000-memory.dmp
C:\Windows\system\beZOmkj.exe
| MD5 | d71a632201300427ba23c18258018478 |
| SHA1 | 03e719537e93157b1af60c56a2bb7ae450551d04 |
| SHA256 | 14a2e4416a5fefc782b7796915b3054b22b34ba1ecf4d2ac93cf408b62194fd3 |
| SHA512 | a6e613784590bb3d26ec13d8430c0eebdde8618cd6c54ec7a02e8d64a36160b6b8d765edd2f90766160fb63932914a6804409890c6652d70b1d225cfa6e98dec |
memory/2124-84-0x000000013F050000-0x000000013F3A4000-memory.dmp
C:\Windows\system\BKNwiOP.exe
| MD5 | ba4cd124bcf819d2f2fa8f945e087f48 |
| SHA1 | e904eb1a30e3c1d46ca6cdc797f395eb41e3457c |
| SHA256 | 7455d3fe886c47bbab677c45724a255dd7cf82e9addef65dc2fdb52d9996b695 |
| SHA512 | 54ca2273e8e0fc137ffabbd3ed69d1dee38f48de35dc8cec758f8a22a22d798a76a6bfc31cd0decbf98a4b1eff780b4ba100fc2d6ef4b0a6a621ac9ce0f30d3f |
C:\Windows\system\CFgXmGe.exe
| MD5 | 479d3b7c78aab47c9de14169ebaa830c |
| SHA1 | 1fe3290232341087381d5d1d88300c824e89213f |
| SHA256 | 18db1b7040f0289c5e00b3229d061ecaf8b7dc8330dc8286f1e560c3ab7b4186 |
| SHA512 | 1a56c416d36254d9c0c1127de0f368ebaa6157db870b9a9c40768aeaa899b0efaf3040fa1322b227d5b4b8ed85d29fd50ed3a919f57305dd117166aac50b6584 |
C:\Windows\system\PlqwcdS.exe
| MD5 | 3d52a074066e914aec801154a06e6a50 |
| SHA1 | 886d1c20a89a1065e1c8d8ab405253c4889c4c7b |
| SHA256 | efceb112a818fe0d313ba39ad73b98b61f32c14c4e18cce10aad5d2730f8b9b6 |
| SHA512 | d7d1e638ee51f60ac43b5ae9b3a9d5e7f0ae7c75cfe7afdc0a1200456220ee7cefddca83eed5d8afea1e67aa169b146462067a40335ce83faefc44ab45d72ed9 |
memory/2124-73-0x000000013F430000-0x000000013F784000-memory.dmp
memory/2256-72-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2124-71-0x00000000021F0000-0x0000000002544000-memory.dmp
memory/2124-58-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2656-48-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2124-47-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2124-65-0x000000013F350000-0x000000013F6A4000-memory.dmp
C:\Windows\system\CSWAXHO.exe
| MD5 | f7662f777568dd94da88ca6374d42a73 |
| SHA1 | 15da3a1cb57b9e746c641e0c3dfff87d288ab9d9 |
| SHA256 | df38809ded0b008cbb2d563559890b1b9571dc9eb6ad084da0080df5912fc529 |
| SHA512 | 63b89e7344ef14a8ead040505416ea7d25b3a37323df84acf8457aeef6e0dc5ee3ea85a7e33047c637f0e71b0d0ed24a80db5905997d57878ef45d2a9e3a1c40 |
memory/888-141-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2124-37-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2256-21-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/1544-10-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2124-142-0x000000013F430000-0x000000013F784000-memory.dmp
memory/2860-143-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2852-144-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2124-145-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2568-146-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2124-147-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/1360-148-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2124-149-0x000000013F400000-0x000000013F754000-memory.dmp
memory/1544-150-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2256-151-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2884-153-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2144-152-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2688-154-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2656-156-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2692-155-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/888-157-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2860-158-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2544-159-0x000000013F430000-0x000000013F784000-memory.dmp
memory/2852-160-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2568-161-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/1360-162-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2788-163-0x000000013F210000-0x000000013F564000-memory.dmp
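The memory dump names in this list encode a process id, a sequence number and a start and end address. Reading them that way shows two things a triage analyst would want to confirm: every dumped image region is exactly 0x354000 bytes, whichever dropped executable it belongs to, and some address ranges are dumped both from the parent process 2124 and from a child process, which fits the WriteProcessMemory use flagged under Signatures. The following is an added example, not part of the sandbox report, that parses a subset of the dump names copied from the list above and groups them by size and by shared range. The naming convention memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred from these lines, not documented anywhere on the page, and is an assumption.

```python
"""Parse the memory-dump names in the Files list and compare regions.

Added example; not from the sandbox report. The dump names in DUMPS are
copied from the report's Files list. The naming convention
memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred from those lines,
not documented, and is an assumption.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name: str):
    """Return (pid, seq, start, end) as ints, or None if the name does not fit."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    return (int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def region_sizes(names):
    """Map region size in bytes -> sorted distinct pids that have a dump of that size."""
    by_size = defaultdict(set)
    for n in names:
        parsed = parse_dump_name(n)
        if parsed is None:
            continue  # dropped-file paths and hash rows are not dumps
        pid, _, start, end = parsed
        by_size[end - start].add(pid)
    return {size: sorted(pids) for size, pids in by_size.items()}


def shared_regions(names):
    """Map (start, end) -> sorted pids for ranges dumped from more than one process."""
    by_range = defaultdict(set)
    for n in names:
        parsed = parse_dump_name(n)
        if parsed is None:
            continue
        pid, _, start, end = parsed
        by_range[(start, end)].add(pid)
    return {rng: sorted(pids) for rng, pids in by_range.items() if len(pids) > 1}


# Subset of dump names copied from the Files list of the behavioral1 run.
DUMPS = [
    "memory/2124-0-0x000000013FA20000-0x000000013FD74000-memory.dmp",
    "memory/2124-1-0x00000000002F0000-0x0000000000300000-memory.dmp",
    "memory/2124-6-0x000000013F350000-0x000000013F6A4000-memory.dmp",
    "memory/2144-27-0x000000013F720000-0x000000013FA74000-memory.dmp",
    "memory/2884-31-0x000000013F830000-0x000000013FB84000-memory.dmp",
    "memory/2688-39-0x000000013F8E0000-0x000000013FC34000-memory.dmp",
    "memory/2124-53-0x000000013FF20000-0x0000000140274000-memory.dmp",
    "memory/2692-54-0x000000013FF20000-0x0000000140274000-memory.dmp",
    "memory/1544-66-0x000000013F350000-0x000000013F6A4000-memory.dmp",
    "memory/888-67-0x000000013F9A0000-0x000000013FCF4000-memory.dmp",
    "memory/2788-163-0x000000013F210000-0x000000013F564000-memory.dmp",
]

if __name__ == "__main__":
    for size, pids in sorted(region_sizes(DUMPS).items()):
        print(f"0x{size:x} bytes: pids {pids}")
    for (start, end), pids in sorted(shared_regions(DUMPS).items()):
        print(f"0x{start:x}-0x{end:x} dumped from pids {pids}")
```

On this subset every image region comes out at 0x354000 bytes across pids 888, 1544, 2124, 2144, 2688, 2692, 2788 and 2884, with only the 0x10000-byte region of pid 2124 differing, and the ranges 0x13F350000-0x13F6A4000 and 0x13FF20000-0x140274000 each appear under pid 2124 and under one child. A uniform image size across twenty-one differently named, differently hashed drops is a strong hint that they are one payload re-emitted per drop rather than distinct components, which is worth checking before spending analyst time on each hash.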
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 08:09
Reported
2024-06-01 08:11
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
149s
Signatures
Cobalt Strike reflective loader
21 matches; indicator, process and target not recorded
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; indicator, process and target not recorded
UPX dump on OEP (original entry point)
64 matches; indicator, process and target not recorded
XMRig Miner payload
64 matches; indicator, process and target not recorded
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\gyzMqUe.exe | N/A |
| N/A | N/A | C:\Windows\System\CsntIWy.exe | N/A |
| N/A | N/A | C:\Windows\System\ObtUoXs.exe | N/A |
| N/A | N/A | C:\Windows\System\ZozsRBy.exe | N/A |
| N/A | N/A | C:\Windows\System\UIGluhO.exe | N/A |
| N/A | N/A | C:\Windows\System\tKRnwBh.exe | N/A |
| N/A | N/A | C:\Windows\System\RboGwcE.exe | N/A |
| N/A | N/A | C:\Windows\System\FTkMegv.exe | N/A |
| N/A | N/A | C:\Windows\System\NTYIWbR.exe | N/A |
| N/A | N/A | C:\Windows\System\xYtdsbv.exe | N/A |
| N/A | N/A | C:\Windows\System\mmJsnLp.exe | N/A |
| N/A | N/A | C:\Windows\System\LmBbSyF.exe | N/A |
| N/A | N/A | C:\Windows\System\DwgziJl.exe | N/A |
| N/A | N/A | C:\Windows\System\fyTqAQT.exe | N/A |
| N/A | N/A | C:\Windows\System\jXkFLOR.exe | N/A |
| N/A | N/A | C:\Windows\System\jNXilRQ.exe | N/A |
| N/A | N/A | C:\Windows\System\kiYLWij.exe | N/A |
| N/A | N/A | C:\Windows\System\LVXpchh.exe | N/A |
| N/A | N/A | C:\Windows\System\BTXmaXz.exe | N/A |
| N/A | N/A | C:\Windows\System\ezdYEgw.exe | N/A |
| N/A | N/A | C:\Windows\System\ashXugw.exe | N/A |
UPX packed file
64 matches; indicator, process and target not recorded
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_a6cae7bc4f9a4df97f7fa26e1292580c_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_a6cae7bc4f9a4df97f7fa26e1292580c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Path | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_a6cae7bc4f9a4df97f7fa26e1292580c_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_a6cae7bc4f9a4df97f7fa26e1292580c_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\gyzMqUe.exe | C:\Windows\System\gyzMqUe.exe |
| C:\Windows\System\CsntIWy.exe | C:\Windows\System\CsntIWy.exe |
| C:\Windows\System\ObtUoXs.exe | C:\Windows\System\ObtUoXs.exe |
| C:\Windows\System\ZozsRBy.exe | C:\Windows\System\ZozsRBy.exe |
| C:\Windows\System\UIGluhO.exe | C:\Windows\System\UIGluhO.exe |
| C:\Windows\System\tKRnwBh.exe | C:\Windows\System\tKRnwBh.exe |
| C:\Windows\System\RboGwcE.exe | C:\Windows\System\RboGwcE.exe |
| C:\Windows\System\FTkMegv.exe | C:\Windows\System\FTkMegv.exe |
| C:\Windows\System\NTYIWbR.exe | C:\Windows\System\NTYIWbR.exe |
| C:\Windows\System\xYtdsbv.exe | C:\Windows\System\xYtdsbv.exe |
| C:\Windows\System\mmJsnLp.exe | C:\Windows\System\mmJsnLp.exe |
| C:\Windows\System\LmBbSyF.exe | C:\Windows\System\LmBbSyF.exe |
| C:\Windows\System\DwgziJl.exe | C:\Windows\System\DwgziJl.exe |
| C:\Windows\System\fyTqAQT.exe | C:\Windows\System\fyTqAQT.exe |
| C:\Windows\System\jXkFLOR.exe | C:\Windows\System\jXkFLOR.exe |
| C:\Windows\System\jNXilRQ.exe | C:\Windows\System\jNXilRQ.exe |
| C:\Windows\System\kiYLWij.exe | C:\Windows\System\kiYLWij.exe |
| C:\Windows\System\LVXpchh.exe | C:\Windows\System\LVXpchh.exe |
| C:\Windows\System\BTXmaXz.exe | C:\Windows\System\BTXmaXz.exe |
| C:\Windows\System\ezdYEgw.exe | C:\Windows\System\ezdYEgw.exe |
| C:\Windows\System\ashXugw.exe | C:\Windows\System\ashXugw.exe |
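Every child process above is an executable with a seven-letter mixed-case name written directly into C:\Windows\System (the legacy directory, not System32) and launched by the sample from the user's Temp folder. That shape is a more durable detection than the file hashes further down, since every dropped copy has a different hash. The script below is an added example rather than sandbox output: it applies the rule to constructed Sysmon Event ID 1 (process creation) records built from the paths above plus benign distractors. The field names (Image, ParentImage, CommandLine) are Sysmon's; the severity scoring is an assumption.

```python
"""Detect executables launched directly from C:\\Windows\\System (not System32)
and group them by parent process.

Added example for this report; EVENTS is a constructed set of Sysmon Event ID 1
records built from the process list above, plus benign distractors.
"""
import re
from collections import defaultdict

# C:\Windows\System is the legacy directory; on a 64-bit host nothing should be
# launching a freshly written .exe directly from it.
LEGACY_SYSTEM_EXE = re.compile(r"^c:\\windows\\system\\[^\\]+\.exe$", re.IGNORECASE)
# Name pattern seen in this sample: exactly seven letters, mixed case.
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-01_a6cae7bc4f9a4df97f7fa26e1292580c_cobalt-strike_cobaltstrike.exe")
DROPPED = ["gyzMqUe", "CsntIWy", "ObtUoXs", "ZozsRBy", "UIGluhO", "tKRnwBh",
           "RboGwcE", "FTkMegv", "NTYIWbR", "xYtdsbv", "mmJsnLp", "LmBbSyF",
           "DwgziJl", "fyTqAQT", "jXkFLOR", "jNXilRQ", "kiYLWij", "LVXpchh",
           "BTXmaXz", "ezdYEgw", "ashXugw"]


def ev(image, parent, cmdline=None):
    """Build a minimal Sysmon Event ID 1 record (constructed test data)."""
    return {"EventID": 1, "Image": image, "ParentImage": parent,
            "CommandLine": image if cmdline is None else cmdline}


EVENTS = [ev(f"C:\\Windows\\System\\{n}.exe", SAMPLE) for n in DROPPED] + [
    ev(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
       r"C:\Windows\system32\svchost.exe -k netsvcs -p"),
    ev(r"C:\Windows\SysWOW64\notepad.exe", r"C:\Windows\explorer.exe"),
    ev(SAMPLE, r"C:\Windows\explorer.exe", f'"{SAMPLE}"'),
]


def analyse(events):
    """Group launches from C:\\Windows\\System by parent and score each group."""
    by_parent = defaultdict(set)
    for e in events:
        if e.get("EventID") == 1 and LEGACY_SYSTEM_EXE.match(e["Image"]):
            by_parent[e["ParentImage"]].add(e["Image"])
    findings = []
    for parent, images in by_parent.items():
        names = sorted(img.rsplit("\\", 1)[1] for img in images)
        random_named = sum(1 for n in names if RANDOM_NAME.match(n))
        parent_in_temp = bool(USER_TEMP.match(parent))
        # Assumption: a single odd launch deserves a look; several copies, or a
        # Temp-resident parent, is the drop-and-spawn pattern seen here.
        severity = "high" if parent_in_temp or len(names) >= 3 else "medium"
        findings.append({"parent": parent, "count": len(names),
                         "random_named": random_named,
                         "parent_in_temp": parent_in_temp,
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f["severity"], f["count"], "children of", f["parent"])
```

On the constructed input the 21 drops collapse into one high-severity finding against the Temp-resident parent, while the System32 and SysWOW64 launches produce nothing.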
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
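The network rows mix two different things: direct TCP connections to 3.120.209.58:8080 and reverse (PTR) lookups sent to the 8.8.8.8 resolver, whose in-addr.arpa names encode the IPs being asked about in reverse octet order. The script below is an added example, not part of the sandbox output; it embeds the rows as extracted (including the ones where the proto cell slipped into the Domain column, and tolerates either shape), converts the PTR names back to IPs, and counts repeat connections per endpoint. The beacon heuristic (three or more TCP connections to the same endpoint on a port other than 80/443) is an assumption.

```python
"""Normalise the Network table into direct connections and PTR lookups.

Added example for this report; NETWORK_TABLE is the table above, copied as it
was extracted (two rows have the proto in the wrong column, one is short).
"""
import re
from collections import Counter

NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
"""

PTR = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$",
                 re.IGNORECASE)


def parse_rows(table):
    """Parse markdown rows into dicts, repairing rows whose columns shifted."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] in ("", "Country") or set(cells[0]) <= {"-"}:
            continue                        # blank, header or separator row
        cells += [""] * (4 - len(cells))    # pad short rows
        country, dest, domain, proto = cells[:4]
        if domain in ("tcp", "udp") and not proto:
            domain, proto = "", domain      # proto slipped into Domain column
        rows.append({"country": country, "dest": dest,
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'104.219.191.52.in-addr.arpa' -> '52.191.219.104'; None if not a PTR."""
    m = PTR.match(name)
    return ".".join(reversed(m.groups())) if m else None


def summarise(rows):
    direct, ptr_targets = Counter(), set()
    for r in rows:
        ip = ptr_to_ip(r["domain"])
        if r["proto"] == "udp" and r["dest"].endswith(":53") and ip:
            ptr_targets.add(ip)             # resolver traffic, not a C2 candidate
            continue
        direct[(r["dest"], r["proto"])] += 1
    beacons = []
    for (dest, proto), n in direct.items():
        port = int(dest.rsplit(":", 1)[1]) if ":" in dest else None
        if proto == "tcp" and n >= 3 and port not in (80, 443):
            beacons.append({"dest": dest, "connections": n})
    return {"direct": {f"{d}/{p}": n for (d, p), n in direct.items()},
            "ptr_targets": sorted(ptr_targets,
                                  key=lambda ip: tuple(map(int, ip.split(".")))),
            "candidate_beacons": beacons}


if __name__ == "__main__":
    print(summarise(parse_rows(NETWORK_TABLE)))
```

The result is a single direct endpoint, 3.120.209.58:8080/tcp, hit six times, and seven IPs that were only the subject of reverse lookups. Reverse lookups through the public resolver on a sandbox VM are often background traffic rather than sample activity, so without process attribution treat only the direct endpoint as a sample indicator.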
Files
memory/1320-0-0x00007FF7BF6D0000-0x00007FF7BFA24000-memory.dmp
memory/1320-1-0x000001591CF90000-0x000001591CFA0000-memory.dmp
C:\Windows\System\gyzMqUe.exe
| MD5 | 02ae8cc556d9928da9d187e8e60a27ef |
| SHA1 | 297c5ba1365c859e014dba4815db13388867c6da |
| SHA256 | 116b6acec32f386df34f5abd9d74a3131d37b60a32b10bb5702b3f96df441784 |
| SHA512 | 0c37983bf0e0acc8802059f8bea566eb29fad640a2029d95d881b2f30bd6d2475cad67423d01ae3c7a44ebba279ebf08e6a2eb380c754aa414f1e2cf599a6aa3 |
memory/4600-8-0x00007FF78E840000-0x00007FF78EB94000-memory.dmp
memory/4808-28-0x00007FF62F300000-0x00007FF62F654000-memory.dmp
C:\Windows\System\tKRnwBh.exe
| MD5 | ab1948cc2f74337f4845f31497e941f1 |
| SHA1 | 73c4e46a786c3daea26d9dc33099a04b2fa96144 |
| SHA256 | 69f0638b1b55824dd9bf2ed952aae88037dc30b86c2f7bed321578140cf07ffd |
| SHA512 | 941c20a0e0865c9a4ad42ad4e4eb0bfaa9fd1284fe5f22ce47fa2df3d6cfe79e9050c31ff203bfa7a6d11960f011f780a3ebaa6deac44dae81fca130ad64beb3 |
memory/4796-34-0x00007FF78B340000-0x00007FF78B694000-memory.dmp
C:\Windows\System\FTkMegv.exe
| MD5 | 70714f661a67891d0fe2bec5bee1f1cc |
| SHA1 | f4caba47251638d37a95c2104171d38a73d73909 |
| SHA256 | 19b2f48afd44ecd2f137ee298f60a54b8a753282a5bdda5ad45b86ab73ce3d7b |
| SHA512 | a00aeb20ec4322c1ba89c77d69d995059015b8b7a8959940c77a70ce522e751fc5ec8157f9497c6a8d3903af1f510a4389ca23533c46e591b753f2021407e4b0 |
C:\Windows\System\NTYIWbR.exe
| MD5 | c4ffef17972ff3a477ac1ef1eaf774ed |
| SHA1 | 47750204069fc991ee75de5ec997961b46be4cf1 |
| SHA256 | 32c4005b887040205c823c3238fd4ae834717d653062ede89915607528bed38a |
| SHA512 | 7c5600bb8e072af12b397ba43fcbf7d5f4c6e01655e50a3bbfaa4d7151302a2c0491691101e5865b2926a9dcc44ff7999f3ae923522d46e5d87ee866e0d994e0 |
C:\Windows\System\mmJsnLp.exe
| MD5 | 2fae770bc10b23ffe82ff3947bf7953b |
| SHA1 | d986f3cd30f94a283f10877129ffd9363d1332bd |
| SHA256 | f16d94bda111eeaf38a6e744e6f2455b9e02f146801057f5d328ffe846ad3b95 |
| SHA512 | 406cb753308846a046efb69d2a0a03bdaed2638bc485a8133a0b3a94dc8ab5f96f7d1be9db15c5e37a9c8d9906fba5b41e0c46eded3049d6b4b6c077169e737b |
C:\Windows\System\xYtdsbv.exe
| MD5 | ea0e47233abaad459a702d3ca5e3980e |
| SHA1 | 37b1118d1f15690bb0ad48c84cb8da2652f3233b |
| SHA256 | fa3714cd9438c0fddc07275af15f18a7b538e5279f10e9727d935b4891851a62 |
| SHA512 | 0f3af520ea7ae3d4752eade1592eb40ac8a45f75b78dc3d52828147dedf795fc634ba6c2f80f33848ca69cc8dabe4030795be344907a9764b20664e1f267f73b |
C:\Windows\System\LmBbSyF.exe
| MD5 | 75d0fd7679a396d6469967a74787dc9f |
| SHA1 | c6ee5f73d0304f013c615078a84687b61e6b8030 |
| SHA256 | 6c4d630bbc32da88abcde4494a2f26314fba9701643a8b6be7978d63f322a92c |
| SHA512 | 109799090f7fede577a34547ac00bf24b9de2c2756f089f5d0677b17de5d64848788d1b1143b31e55892fbafc7d512247cc72134bef61b6530f35ab7d1394fe2 |
memory/228-76-0x00007FF7958E0000-0x00007FF795C34000-memory.dmp
C:\Windows\System\DwgziJl.exe
| MD5 | f84d629a33a7180c7750f49ba39305c9 |
| SHA1 | 0fb27c2d33ecccbc530c135720e2f9d21ca644b1 |
| SHA256 | 694cbaa4795f595e675f51a52e79457969ed7b9d47366f8e9a5c2b8ae8f4640e |
| SHA512 | d2e4c46b613a4ad63d7a806abbc43943d24fc04349c0fd0bde0b9948734111d3c24fb225e11f53492436b61dfc5b3a8ebbcf4ba99841dc7ec6b39babfffe1203 |
memory/2188-78-0x00007FF615110000-0x00007FF615464000-memory.dmp
memory/4984-77-0x00007FF6E1300000-0x00007FF6E1654000-memory.dmp
memory/4432-62-0x00007FF60E7A0000-0x00007FF60EAF4000-memory.dmp
memory/4264-55-0x00007FF6E3930000-0x00007FF6E3C84000-memory.dmp
C:\Windows\System\RboGwcE.exe
| MD5 | 06ad4b9592c0302fff2026354b815c9b |
| SHA1 | a66aff739d09197d67c7dd6541823597a6db799c |
| SHA256 | 63c65c4e3479bf9fd478c16dc6b67029fbfa00aaca81d76f4934f645b2e804b6 |
| SHA512 | 52965baa0d5faeceab9120200c43900a05fa7c53034f7919a639a4d39a1a55456dc2a19a68729b4b7cc166c89227cd0cf6a708bc0e5338aefd1e0ed4dc8ef642 |
memory/2736-46-0x00007FF752640000-0x00007FF752994000-memory.dmp
memory/2180-42-0x00007FF759BB0000-0x00007FF759F04000-memory.dmp
memory/3540-38-0x00007FF761420000-0x00007FF761774000-memory.dmp
C:\Windows\System\ZozsRBy.exe
| MD5 | 595d18269a4d052cb1dfad539b3cc717 |
| SHA1 | f62c7d30ac05814818c6197abbd2d06dd72514b4 |
| SHA256 | 6d268bd48a3f1b469bdb6a768efd5232398b8dc1e77444bf7f6ab56dc8fdb975 |
| SHA512 | 67edaff7abef2d98d2b4d45dd037c726297874ffa3a53de66cc1a219cd29e09839865691d32786b9e86f99c55f3654de011c81b1319d7e2fad27ae70db4dc078 |
C:\Windows\System\UIGluhO.exe
| MD5 | f844f8e37a22cb1a723b2306575ef528 |
| SHA1 | 9c3a775d048402af47f1621a6e4c590503eba1c4 |
| SHA256 | 7515617f092b77a0b79c9f7a9eae2c6018f6c06de2bcc11d97550427b8b2c36b |
| SHA512 | 10497d3fbaa774f930e4fa0f966a613f63d122acd7d3247391100881e15b710d074923430921060ba625e8854d7d0aceceef04fc06381e9b9749db1053ab4fbb |
memory/2856-24-0x00007FF7C25A0000-0x00007FF7C28F4000-memory.dmp
C:\Windows\System\ObtUoXs.exe
| MD5 | 114d7923622d6633e03cf7f24691d5fa |
| SHA1 | de191dac6f8e47fd50935193f47eef8b3c275a93 |
| SHA256 | d3584fa180fd43be0c2b7fe4a246e1fdb77282c5f00a1283254386f0a9480ca8 |
| SHA512 | fd31a3a5b0f5612cee032c950f01a24b1182ac469d534916f8b92cd9c0fa8c3684897a733f9ffa65f79e2c48d04baae0b97af37fc1f1f5c62d32fcd6ff9a87b7 |
memory/4972-17-0x00007FF6C19E0000-0x00007FF6C1D34000-memory.dmp
C:\Windows\System\CsntIWy.exe
| MD5 | 61b18869694f04d062f7d3fe9d208ed8 |
| SHA1 | 931229e3840edbdfaec080c7fcfc21e7f1dd3fba |
| SHA256 | 45304b4f7834bc9fa4607c4352f2115e9fa73b0758dc2650842d278d2bd00b96 |
| SHA512 | 9b57889bad2a8d579dd0e92935dab858db16dffe47cf14eb9a44525527e471b48f3b5cf11e0ad142acd4dad4b5f37f1d364bd2b01c2299f4aa9630581580a95c |
C:\Windows\System\fyTqAQT.exe
| MD5 | 8a5624350c6852d0f6022c76c2c0cd3f |
| SHA1 | 23f838b265125be13667a6dc1c874e71e0ac5963 |
| SHA256 | cf79171263bb6326b2106738eafed1d235da7f1a70345e3639a8d0ac287565e1 |
| SHA512 | ec53b3dbfbf6db341e2c1d71d9c064bf3b9b541d831726c8becdc902f31ded09c0afd2acd3c12f9a8c1bb80134d8fe6e6bada70906730a2a413344b12bc8f561 |
memory/4972-92-0x00007FF6C19E0000-0x00007FF6C1D34000-memory.dmp
C:\Windows\System\jNXilRQ.exe
| MD5 | 71491b060f8aa87b26a7f77a87cded98 |
| SHA1 | 8a4492d26c59a5f83ec63dd52ceb266b597bfe01 |
| SHA256 | 9198bc4a043a6704eac8031beb84455f1168a69c221f74fb67de23aea593d1da |
| SHA512 | 3683e833875deb943bc0c8a79947ecf6cf4ad59d7a5735af4bfc959ed0e9b8b151a3184089284fbe24bc5b2fb994f147815c21d2eb53b9c36ae5897e2a74889f |
C:\Windows\System\LVXpchh.exe
| MD5 | 2c4607008aed957046d1986636f2b154 |
| SHA1 | 165ca2b2ccefa30eab321ed3837db42c0b39f581 |
| SHA256 | d07c46ab70454350ea9fe10daeba3cd9e289d372737c795d33dd8558564741f1 |
| SHA512 | e9e52a966fa4390cd1c66faee8e48d2497a3658b61996be8a0e95c9bc274ea57f0cfdddde77c871cdc6609ce45027eb18d57c66470acefeeebaf13d30083a344 |
C:\Windows\System\BTXmaXz.exe
| MD5 | 1ee2b8b63fe1bd539639f58d2ac14eeb |
| SHA1 | 7716bdbe110b1e5574bf9015e07d0f7993fa0c8a |
| SHA256 | d159543543241e68132c0fe0bc3b8955c828bd7093e2447f78d96f792a384b37 |
| SHA512 | 86f8dd3e1e00890192814df138c0b3ddffe013c3ba57a53c10d706d869ae3b095e78bc4d7b37fefd3a32b77ac6268bff361492ac0b13a1396bb1ca91426e7388 |
C:\Windows\System\ezdYEgw.exe
| MD5 | 28df3cfdb2057aff3a3ad26c5677dbe8 |
| SHA1 | d5618fe6ccca4486c0ab0f4b40af32383bd44ab5 |
| SHA256 | 62340b422b28bb79ce2bcfb6d4b898ffbc5bcfaba3b7ba60c483bf3d50edd673 |
| SHA512 | 67336f47ab6aedb112afe1a057d175959f5c7901ef644a9d0a5f006c193cd3fd1d46b1540c72d2707a144d145d00b1bc99b99838544888497cc075355cfed467 |
C:\Windows\System\ashXugw.exe
| MD5 | f2255929b6fdc4d6becc051b6f0aa640 |
| SHA1 | 42fcc171bff1953d6ef17c5449e4cd7738353477 |
| SHA256 | 5bd8d9118bf0667fd5565e04c96a2869135bd7618c190e01f94899f2f5dc3d78 |
| SHA512 | 8156ca304891ecb56576bf39d352357aed63ccd1ff1d033193e43f886b9e3be67c3f28744ac7f6d7c3924571503e49af5a7695967e82e915af2563cda9b129a4 |
memory/2280-124-0x00007FF7E3FE0000-0x00007FF7E4334000-memory.dmp
memory/3996-120-0x00007FF7688E0000-0x00007FF768C34000-memory.dmp
memory/3088-119-0x00007FF797F10000-0x00007FF798264000-memory.dmp
memory/4796-116-0x00007FF78B340000-0x00007FF78B694000-memory.dmp
C:\Windows\System\kiYLWij.exe
| MD5 | bfd060e8fdb6bd51c4ba750cefa6bcd3 |
| SHA1 | 4d5851d231c946f34bf09b193d488761ede714c7 |
| SHA256 | 37b3eb8406ff746fb22a97e57bc1f88d1d5f83235d55d5484cc6c945a77aa166 |
| SHA512 | b8ef212a6c4fb96cb742683d4f5429492c828d2ddbf334774e41c301e1cef41d8a7f70e83cf5e80978c2772d32370497b4f2cbcf428b819c2b17cd9e3fb92af7 |
memory/3512-107-0x00007FF6487F0000-0x00007FF648B44000-memory.dmp
memory/2856-100-0x00007FF7C25A0000-0x00007FF7C28F4000-memory.dmp
memory/1308-99-0x00007FF6E75A0000-0x00007FF6E78F4000-memory.dmp
C:\Windows\System\jXkFLOR.exe
| MD5 | 75ceec0d4b95f7e623529284f0a18b78 |
| SHA1 | 75d1dae1685ee3ba4df98ec505b54603f7e0704e |
| SHA256 | 3397512db81062c1f16243a80f2facc26ee704440d8bbbe7a97ea0457f7820eb |
| SHA512 | a3def18da5a4f543d128afe26e06781dac8e69bef0ecc2ae657c106269b3694b3b1cffdb3ee90b42733929aafba1671757e702a3694025f87a257e2307b1807f |
memory/4600-91-0x00007FF78E840000-0x00007FF78EB94000-memory.dmp
memory/4196-90-0x00007FF61E750000-0x00007FF61EAA4000-memory.dmp
memory/3728-131-0x00007FF70CE90000-0x00007FF70D1E4000-memory.dmp
memory/3540-132-0x00007FF761420000-0x00007FF761774000-memory.dmp
memory/2672-133-0x00007FF74CAE0000-0x00007FF74CE34000-memory.dmp
memory/1320-86-0x00007FF7BF6D0000-0x00007FF7BFA24000-memory.dmp
memory/2180-134-0x00007FF759BB0000-0x00007FF759F04000-memory.dmp
memory/2736-135-0x00007FF752640000-0x00007FF752994000-memory.dmp
memory/4264-136-0x00007FF6E3930000-0x00007FF6E3C84000-memory.dmp
memory/4432-137-0x00007FF60E7A0000-0x00007FF60EAF4000-memory.dmp
memory/2188-138-0x00007FF615110000-0x00007FF615464000-memory.dmp
memory/1308-139-0x00007FF6E75A0000-0x00007FF6E78F4000-memory.dmp
memory/3996-140-0x00007FF7688E0000-0x00007FF768C34000-memory.dmp
memory/4600-141-0x00007FF78E840000-0x00007FF78EB94000-memory.dmp
memory/4972-142-0x00007FF6C19E0000-0x00007FF6C1D34000-memory.dmp
memory/4808-143-0x00007FF62F300000-0x00007FF62F654000-memory.dmp
memory/4796-145-0x00007FF78B340000-0x00007FF78B694000-memory.dmp
memory/2856-144-0x00007FF7C25A0000-0x00007FF7C28F4000-memory.dmp
memory/3540-147-0x00007FF761420000-0x00007FF761774000-memory.dmp
memory/2180-146-0x00007FF759BB0000-0x00007FF759F04000-memory.dmp
memory/4432-150-0x00007FF60E7A0000-0x00007FF60EAF4000-memory.dmp
memory/228-151-0x00007FF7958E0000-0x00007FF795C34000-memory.dmp
memory/2736-149-0x00007FF752640000-0x00007FF752994000-memory.dmp
memory/4264-148-0x00007FF6E3930000-0x00007FF6E3C84000-memory.dmp
memory/4984-153-0x00007FF6E1300000-0x00007FF6E1654000-memory.dmp
memory/2188-152-0x00007FF615110000-0x00007FF615464000-memory.dmp
memory/4196-154-0x00007FF61E750000-0x00007FF61EAA4000-memory.dmp
memory/3512-155-0x00007FF6487F0000-0x00007FF648B44000-memory.dmp
memory/1308-156-0x00007FF6E75A0000-0x00007FF6E78F4000-memory.dmp
memory/3088-157-0x00007FF797F10000-0x00007FF798264000-memory.dmp
memory/2280-158-0x00007FF7E3FE0000-0x00007FF7E4334000-memory.dmp
memory/3996-159-0x00007FF7688E0000-0x00007FF768C34000-memory.dmp
memory/2672-160-0x00007FF74CAE0000-0x00007FF74CE34000-memory.dmp
memory/3728-161-0x00007FF70CE90000-0x00007FF70D1E4000-memory.dmp
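The memory dump names in this section encode the PID, a snapshot index and the mapped address range, so region sizes can be compared across processes without opening a single dump. The script below is an added example, not sandbox output; DUMPS is copied from the names above, one entry per distinct region (repeated snapshots of the same range are left out).

```python
"""Parse sandbox memory-dump names and compare mapped region sizes per process.

Added example for this report. Name format as it appears in the Files section:
memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp
"""
import re
from collections import Counter, defaultdict

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Copied from the Files section above, one name per distinct (pid, range).
DUMPS = """
memory/1320-0-0x00007FF7BF6D0000-0x00007FF7BFA24000-memory.dmp
memory/1320-1-0x000001591CF90000-0x000001591CFA0000-memory.dmp
memory/4600-8-0x00007FF78E840000-0x00007FF78EB94000-memory.dmp
memory/4808-28-0x00007FF62F300000-0x00007FF62F654000-memory.dmp
memory/4796-34-0x00007FF78B340000-0x00007FF78B694000-memory.dmp
memory/228-76-0x00007FF7958E0000-0x00007FF795C34000-memory.dmp
memory/2188-78-0x00007FF615110000-0x00007FF615464000-memory.dmp
memory/4984-77-0x00007FF6E1300000-0x00007FF6E1654000-memory.dmp
memory/4432-62-0x00007FF60E7A0000-0x00007FF60EAF4000-memory.dmp
memory/4264-55-0x00007FF6E3930000-0x00007FF6E3C84000-memory.dmp
memory/2736-46-0x00007FF752640000-0x00007FF752994000-memory.dmp
memory/2180-42-0x00007FF759BB0000-0x00007FF759F04000-memory.dmp
memory/3540-38-0x00007FF761420000-0x00007FF761774000-memory.dmp
memory/2856-24-0x00007FF7C25A0000-0x00007FF7C28F4000-memory.dmp
memory/4972-17-0x00007FF6C19E0000-0x00007FF6C1D34000-memory.dmp
memory/2280-124-0x00007FF7E3FE0000-0x00007FF7E4334000-memory.dmp
memory/3996-120-0x00007FF7688E0000-0x00007FF768C34000-memory.dmp
memory/3088-119-0x00007FF797F10000-0x00007FF798264000-memory.dmp
memory/3512-107-0x00007FF6487F0000-0x00007FF648B44000-memory.dmp
memory/1308-99-0x00007FF6E75A0000-0x00007FF6E78F4000-memory.dmp
memory/4196-90-0x00007FF61E750000-0x00007FF61EAA4000-memory.dmp
memory/3728-131-0x00007FF70CE90000-0x00007FF70D1E4000-memory.dmp
memory/2672-133-0x00007FF74CAE0000-0x00007FF74CE34000-memory.dmp
""".split()


def parse_dump_name(name):
    """Return pid, snapshot index, start, end and size, or None if not a dump name."""
    m = DUMP_NAME.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "snapshot": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def summarise(names):
    """Group regions by PID and histogram their sizes across all processes."""
    regions = defaultdict(set)                      # pid -> {(start, end)}
    for r in filter(None, map(parse_dump_name, names)):
        regions[r["pid"]].add((r["start"], r["end"]))
    sizes = Counter(end - start for regs in regions.values() for start, end in regs)
    # The size shared by (almost) every process is the image worth diffing.
    common_size = max(sizes, key=sizes.get)
    return {"processes": len(regions),
            "distinct_regions": sum(len(v) for v in regions.values()),
            "size_histogram": dict(sizes),
            "common_size": common_size,
            "processes_with_common_size": sum(
                1 for regs in regions.values()
                if any(end - start == common_size for start, end in regs))}


if __name__ == "__main__":
    s = summarise(DUMPS)
    print(f"{s['processes']} processes, {s['distinct_regions']} regions")
    print(f"common size 0x{s['common_size']:X} in {s['processes_with_common_size']} processes")
```

All 22 processes, the parent included, hold a 0x354000-byte mapping at a high user-mode address; only the parent also has the small 0x10000 region. An identical in-memory image size across 21 drops whose on-disk hashes all differ is consistent with the copies carrying the same payload, so the dumps of that region are what to hash and diff, rather than the dropped files themselves.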