Analysis Overview
SHA256
7a9f2484694ad767b005a2df6b71bb817320f51fd16743e8ba767ee364a962a9
Threat Level: Known bad
The file 2024-06-01_77607c1c117b6721fa3d8c5c5d78c919_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Cobaltstrike
XMRig Miner payload
Cobaltstrike family
xmrig
Xmrig family
UPX dump on OEP (original entry point)
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 09:45
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 09:45
Reported
2024-06-01 09:47
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\hLRZggk.exe | N/A |
| N/A | N/A | C:\Windows\System\GETJbHx.exe | N/A |
| N/A | N/A | C:\Windows\System\lwKFhOM.exe | N/A |
| N/A | N/A | C:\Windows\System\gJHZNQu.exe | N/A |
| N/A | N/A | C:\Windows\System\QRNXMDP.exe | N/A |
| N/A | N/A | C:\Windows\System\DvOLKxi.exe | N/A |
| N/A | N/A | C:\Windows\System\mzWhHku.exe | N/A |
| N/A | N/A | C:\Windows\System\GlBCWBw.exe | N/A |
| N/A | N/A | C:\Windows\System\lUWXGDt.exe | N/A |
| N/A | N/A | C:\Windows\System\QzITdZb.exe | N/A |
| N/A | N/A | C:\Windows\System\avbrTRj.exe | N/A |
| N/A | N/A | C:\Windows\System\KaRcvCZ.exe | N/A |
| N/A | N/A | C:\Windows\System\vFexwHi.exe | N/A |
| N/A | N/A | C:\Windows\System\ZHSNiWR.exe | N/A |
| N/A | N/A | C:\Windows\System\jGHEWMF.exe | N/A |
| N/A | N/A | C:\Windows\System\AIBcmbv.exe | N/A |
| N/A | N/A | C:\Windows\System\KzEupKx.exe | N/A |
| N/A | N/A | C:\Windows\System\xxFOQXZ.exe | N/A |
| N/A | N/A | C:\Windows\System\AvPTHVA.exe | N/A |
| N/A | N/A | C:\Windows\System\lSjPGNw.exe | N/A |
| N/A | N/A | C:\Windows\System\TFMoSto.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_77607c1c117b6721fa3d8c5c5d78c919_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_77607c1c117b6721fa3d8c5c5d78c919_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_77607c1c117b6721fa3d8c5c5d78c919_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\hLRZggk.exe
C:\Windows\System\GETJbHx.exe
C:\Windows\System\lwKFhOM.exe
C:\Windows\System\gJHZNQu.exe
C:\Windows\System\QRNXMDP.exe
C:\Windows\System\DvOLKxi.exe
C:\Windows\System\mzWhHku.exe
C:\Windows\System\GlBCWBw.exe
C:\Windows\System\lUWXGDt.exe
C:\Windows\System\QzITdZb.exe
C:\Windows\System\avbrTRj.exe
C:\Windows\System\KaRcvCZ.exe
C:\Windows\System\vFexwHi.exe
C:\Windows\System\ZHSNiWR.exe
C:\Windows\System\jGHEWMF.exe
C:\Windows\System\AIBcmbv.exe
C:\Windows\System\KzEupKx.exe
C:\Windows\System\xxFOQXZ.exe
C:\Windows\System\AvPTHVA.exe
C:\Windows\System\lSjPGNw.exe
C:\Windows\System\TFMoSto.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 09:45
Reported
2024-06-01 09:47
Platform
win7-20240221-en
Max time kernel
133s
Max time network
143s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dbpuNFr.exe | N/A |
| N/A | N/A | C:\Windows\System\mVZJZgI.exe | N/A |
| N/A | N/A | C:\Windows\System\CFbaQDI.exe | N/A |
| N/A | N/A | C:\Windows\System\GKdOsoJ.exe | N/A |
| N/A | N/A | C:\Windows\System\AqQcrWV.exe | N/A |
| N/A | N/A | C:\Windows\System\BekXwPW.exe | N/A |
| N/A | N/A | C:\Windows\System\cWZxPCl.exe | N/A |
| N/A | N/A | C:\Windows\System\oeQGZrS.exe | N/A |
| N/A | N/A | C:\Windows\System\jjfISlz.exe | N/A |
| N/A | N/A | C:\Windows\System\wYrKUVy.exe | N/A |
| N/A | N/A | C:\Windows\System\Djvageo.exe | N/A |
| N/A | N/A | C:\Windows\System\KAVuPbq.exe | N/A |
| N/A | N/A | C:\Windows\System\pxOlcBw.exe | N/A |
| N/A | N/A | C:\Windows\System\xtMjcrv.exe | N/A |
| N/A | N/A | C:\Windows\System\saWGTFV.exe | N/A |
| N/A | N/A | C:\Windows\System\rlMYfAs.exe | N/A |
| N/A | N/A | C:\Windows\System\tzyLTpR.exe | N/A |
| N/A | N/A | C:\Windows\System\rAaPIzU.exe | N/A |
| N/A | N/A | C:\Windows\System\PNXGJuj.exe | N/A |
| N/A | N/A | C:\Windows\System\HMERKqX.exe | N/A |
| N/A | N/A | C:\Windows\System\WhClJQr.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_77607c1c117b6721fa3d8c5c5d78c919_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_77607c1c117b6721fa3d8c5c5d78c919_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_77607c1c117b6721fa3d8c5c5d78c919_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\dbpuNFr.exe
C:\Windows\System\mVZJZgI.exe
C:\Windows\System\CFbaQDI.exe
C:\Windows\System\GKdOsoJ.exe
C:\Windows\System\AqQcrWV.exe
C:\Windows\System\BekXwPW.exe
C:\Windows\System\cWZxPCl.exe
C:\Windows\System\oeQGZrS.exe
C:\Windows\System\jjfISlz.exe
C:\Windows\System\wYrKUVy.exe
C:\Windows\System\Djvageo.exe
C:\Windows\System\KAVuPbq.exe
C:\Windows\System\pxOlcBw.exe
C:\Windows\System\xtMjcrv.exe
C:\Windows\System\saWGTFV.exe
C:\Windows\System\rlMYfAs.exe
C:\Windows\System\tzyLTpR.exe
C:\Windows\System\rAaPIzU.exe
C:\Windows\System\PNXGJuj.exe
C:\Windows\System\WhClJQr.exe
C:\Windows\System\HMERKqX.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1796-0-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/1796-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\dbpuNFr.exe
| MD5 | 88ebb61339f1c3aac3e0d2f840a112c2 |
| SHA1 | e372c656a2aae5315dd840dc4b6a844a60473cf4 |
| SHA256 | b1fb807c21afc792cbd96fb1f22fda0bfbaa39923c718883f3cd6ecf52ffa37a |
| SHA512 | 12c58f8ae2773fcb7b9d6f73bfa21d63a672f6c36f54db1b4a413a903b3c735396195f30f879eb86b1b88aed8a209eda70839cf4ddd5723c709de723c9fb9f9e |
\Windows\system\mVZJZgI.exe
| MD5 | 45b5afa718917c31dcd474d272f8df62 |
| SHA1 | 67b78e4f59e56d2fd8aa1abdbabd4b950c039ca4 |
| SHA256 | 39b60ba076eba1908d71b77c1bcc8f0b3b7d4535a5ada70ad3158a585daaf800 |
| SHA512 | 5a76031988a667f5dd269dea8c79a3072399c26450ac1080c53b8c3ef50f74caabd56e31b7b552f83adc315e5a81878f4a72383471b39acc0b3f2682b1673a91 |
memory/1796-12-0x0000000002230000-0x0000000002584000-memory.dmp
\Windows\system\CFbaQDI.exe
| MD5 | 462920afc59ccee343fe660a0fc02529 |
| SHA1 | f29d6f9cc23d44e681d1e2d4b25df6c469f52b60 |
| SHA256 | ce76cc40ae0f8fdf2048385e22f4d844a7e143d88e6b3e124bcd735fd4642911 |
| SHA512 | 0b398dfd080a2d43c960a522654def6a5429d6f88a6fd007e807bc3548ec1eef4cbcee7dae1798750510517101ffe3fa3381ac52eb8ae19f468ed57a66fb7d24 |
\Windows\system\GKdOsoJ.exe
| MD5 | 89b48fff47158100b18483d2d667a363 |
| SHA1 | 1452e301e57ec838c51e0634041f35e86bd2b358 |
| SHA256 | 61c7040919d693e02f4777b7e362e825e88b91a7a668bcf4475dc326793dae7f |
| SHA512 | 0fc6a61feda1b40246651bfa67d948e8fde2855b9a4ed488ce87871b6582dfa66c8b0cf67eb72a8417ee653f2c5e3a195eeba78a3186f775a9face4f54722317 |
C:\Windows\system\AqQcrWV.exe
| MD5 | aac12b57e1a5f6e788d75d7a5699e44c |
| SHA1 | a8fd19e07d2de7ba24f0dcb230c84df2c4cac2d9 |
| SHA256 | 258bd4e0ebee459c10cfc51bf511b1356f275e4ccf8eb09d451a60c080ada3e0 |
| SHA512 | d46f0d9e7e6ce8898be51e911a8f9a203c1f0aacf78f908bfac154bd75ddc985f7f7cdcc3f1d92ccb3c2c8c0472771462e7dc0dd323d5519dedb9db99100cfc4 |
memory/1796-29-0x000000013F0D0000-0x000000013F424000-memory.dmp
C:\Windows\system\BekXwPW.exe
| MD5 | 171c0564d02b22ffb005afd2cddd7511 |
| SHA1 | 8fe3c23ae4130de9e8201a31d009e7d889d09973 |
| SHA256 | c2196f30ea28fbb4566c53875275d350ba153488b84690bd0aba677d9d302e50 |
| SHA512 | facd2b1effb25852702836e4e86dac45d55399a24fc46c7d210841925e614f897f3aa9b636813832fbc86ed053ad7a287895056a4206b0d24a6ad86c1998a0c4 |
C:\Windows\system\cWZxPCl.exe
| MD5 | 729fd7f4184cf665a4057f252bd6ad9a |
| SHA1 | 9d3715ef268d33b9cf869e99722d6d4f908f671c |
| SHA256 | 3b1805f312ed3c5c2006d6e0a91bab295fdf2d32fc77e5a8a0fd037bf1ab54da |
| SHA512 | f1250c9f78795619306936a30110c8a08c3ab52000abf4e848b0adcc68fb6986254dbe04309e12ecc2a2c48ae7ffb4102d49d9f20441cd431b0a4bd7ff5a3fc0 |
C:\Windows\system\oeQGZrS.exe
| MD5 | 2538dac70d69610ccebe1b6c1a5b0355 |
| SHA1 | cc9add0dd1bd0c9a379b8ebd5887fb6bdbea9e73 |
| SHA256 | 4efe16c857969b90b2f119db23763fd242727cf913bddc8f627d7f96687540df |
| SHA512 | 9fb02384e708912b4135066da6c492b198182b952d35a30eaa27c8c4d6582c549bc0f75530be845bd3764fcf30254f10d1f046b9e4163a0d371a19773c787de3 |
C:\Windows\system\jjfISlz.exe
| MD5 | 47a8fa7ddfdea2207629a94c53997460 |
| SHA1 | f7018e32393f1cfeb86d5e0a894b3e553404f77d |
| SHA256 | 26912ea65fbf31efede09f645cd397ab9273054b5b3653047e36b528321e36f4 |
| SHA512 | e76bb997c8d1219ee4ae19f7bec1639d94399967237e2c17d29f10698a02ecc2627f776fc1757cc017fd09f35a8cbbdd8987a54cdb2b240f212f7c8efc2dc9bb |
C:\Windows\system\wYrKUVy.exe
| MD5 | fa92affa220bfe1f83bf69f876e14120 |
| SHA1 | 8a9b65985b7b7e245cbbcf6d79c7d346557ef926 |
| SHA256 | 1107266cf362bb0c5f8fd3d1efe98ce0dda0a3e80778acc5763595a80b3a06d7 |
| SHA512 | 1f98fe76b4bc5e6aa4f1b37724a499eb375518bf1852ea0284d186808407b10a678a99bfef4c3620e132bd4a5d779546f729ae2a53821afb7c96d8bf464ea751 |
C:\Windows\system\pxOlcBw.exe
| MD5 | 4b2f853ed14a97df413aa291f00fb34c |
| SHA1 | ba0f7990153966d9121ccc4096cc149bc7475cdf |
| SHA256 | f3dedeeb87e87fb5696bcc238d85dce5dc155b180999102e2fa26c87ecc61fc6 |
| SHA512 | d151d728941057279d3b8dd634ba6700cb1b95db361af3e0ec5bd64a982d434f1e7362af464b49f8d07ec5dc448cd7ca5f1ff403a9c80d3add5af33812fca96e |
C:\Windows\system\rlMYfAs.exe
| MD5 | 8cdd1861d158e4b2f9f36aef5a3ac322 |
| SHA1 | 3d3728338eefc03efda900c1924d92d374651867 |
| SHA256 | 876bed31060153433ab8fcb122eea3785b1680887f562333540a72d931e1069d |
| SHA512 | 36805afa1123ef664518b92c65028df22586b66da8e6d89dc22a029097025e6b811119b6da0b63fe1a63ad6ce76cec31c3fa89f0afe77616057bf33b9ef51165 |
C:\Windows\system\rAaPIzU.exe
| MD5 | 2298bb0239301cece749996d1e9fc8e4 |
| SHA1 | 519ddfd1d2bace8ccbc4908937d80e6ee59e6753 |
| SHA256 | 7bb1a8dc943da1a1a91b643b21d1110d1fb2ea8b85283731db0383e5507d01ad |
| SHA512 | 6ed595fca70bce304a85f1877584186109a73743c5a038844467d0e820714caa703708307674860c1e0bdd5c2be9c7686d0f248fb0933eb62e570c14925f2523 |
memory/1796-103-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/2576-102-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/2588-129-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/1796-128-0x0000000002230000-0x0000000002584000-memory.dmp
memory/2440-116-0x000000013F900000-0x000000013FC54000-memory.dmp
\Windows\system\WhClJQr.exe
| MD5 | ad29302e404b4afdaec8040bcc9ba876 |
| SHA1 | 947df2746ec4f9f46b19fa1ecc9bf896d03a6bfd |
| SHA256 | 95828dd44b9a346856524cffffaefdc4c4a023d437e8e1877aa612a7e5ef6a30 |
| SHA512 | 22d006136487f3adafc64ab94ba3cf8b3d93230ebf9fe1bfa9cd428fec6a9dbd5694713ab822e2606e030b22945dd53c324b86131e08d98788304fd169bc87cc |
memory/1952-127-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/1796-126-0x000000013F060000-0x000000013F3B4000-memory.dmp
memory/2912-125-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/1796-124-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2612-123-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/1796-122-0x000000013FEB0000-0x0000000140204000-memory.dmp
C:\Windows\system\HMERKqX.exe
| MD5 | 23369a584eaaf3060a7d3996c68f6fae |
| SHA1 | a0e9209b76a740bd10fbc6dad328cc941be3a02c |
| SHA256 | adf0225ccc6783c515537eb16d04a0bc690838b73122f02fcd999e9152ff0aa8 |
| SHA512 | 28442cf3b9b4e7f2f7f0ecb44ae7ce7e4bf54de288195936501572d47ade6864b5737f99473944b44bc85ee4f6c2940decefbe96541a165a9411381c52caa7dc |
memory/2472-120-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/1796-119-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/1796-112-0x0000000002230000-0x0000000002584000-memory.dmp
memory/2484-111-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2684-97-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2660-96-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/1796-110-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2984-109-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/1796-108-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/1276-107-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/1796-106-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2812-105-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
C:\Windows\system\PNXGJuj.exe
| MD5 | d848fe948b44c21373f5f7dec3afa26d |
| SHA1 | a143627efcd46f6cff845265dcc9345c64530c1e |
| SHA256 | 735b2fb8f0d7e85c2b737fb35bd39d69388529fbc856790d40be13c8e179c5c9 |
| SHA512 | cff20919591938b514635b4e301ad3af8ff18e522e849cefc8b3f3fa976e196e704b078b28910fad99e81b2d96c1cc449c38aa71895b0467cc0de8f470115d51 |
C:\Windows\system\tzyLTpR.exe
| MD5 | 607ce608e18177b7f170eb7b0409243e |
| SHA1 | 2a7b987776904d2ff1e08408766ea3e2cbaf9811 |
| SHA256 | 42785b54116a348712bd2bbd0feede0690e0317959f24f2083bc962fba48dbd0 |
| SHA512 | b6697573e54317573d6cee20c922f8ea3c532d178bad0a764de24e0bc16b5d33f501ae80a06283704c95651c978db68e4840c33bb88c9f7d2615bf027a42a04b |
C:\Windows\system\saWGTFV.exe
| MD5 | 160c3fa0e415f0fb37263e0f449d8476 |
| SHA1 | f3c7a947dfbc433a72923172bd87e606d4af4539 |
| SHA256 | 1f34060eeedaa65cac8dd541539c51b41665a5535af99de62156df9cc6e3313e |
| SHA512 | a2f07478cdb982760f183fe4753c5661774a4c54f3e128ad62710b0b47e95a1650e3133530fd20e7e660f2616aab205ea2bef98ac7bf16302ef6842061bdc36b |
C:\Windows\system\xtMjcrv.exe
| MD5 | 48df5a11737219815545091902d63ffa |
| SHA1 | 46c6fd6651cd7d50829657d8e464b15b137c2fcb |
| SHA256 | 5634d63c9ae9ca8e6185ea26ffc64ed3a60e7dfebf2987a89a7a062acad43a39 |
| SHA512 | df9e69a0d6d1b1703ea45023511aa5de3821b63fc4c23cc4ae626e0f4b4094f6b275008271f0558fac6e4ba8784fed53606e73de5028afc69183afdd5915afb6 |
C:\Windows\system\KAVuPbq.exe
| MD5 | 0c82bb61860daae3aa79bb0937f3f522 |
| SHA1 | 3208dff8bb6081f7ef45b59cb05aae4df6e2a1fc |
| SHA256 | c3dca31f3d9a2d32ed9ddc46d3a60e343f17e743dd763bd5762a0271728d1698 |
| SHA512 | 24dbd7cf51bf17d40e88b39eede7cf2c512aa721bde0dca1efea72fa886df1dd5a6f3cd222a79954e9d2f029414f4176a145d94f1ef9f3dc9d7bb466990516ff |
C:\Windows\system\Djvageo.exe
| MD5 | ef40c3687da37b1f20c727fa41c6dd90 |
| SHA1 | cabaf061a56b77f814a4b237c1b373b07347233c |
| SHA256 | e0e012079fac7c0f8f0476b1e855970eb1b3312ca893ba1758fbef422b2a7a0f |
| SHA512 | b1521be27481481b7beaaf9e56c880f1630378a785cd83f798d29fe27d3884e321d2baa67b981677eda49868257bfe0e3896d91cf8a7bb29432d4b271191f440 |
memory/2380-23-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/1796-133-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/1952-134-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2380-135-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2588-136-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/2660-137-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2684-138-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2576-139-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/2812-140-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/2984-145-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2472-144-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/2440-143-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2484-142-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2612-141-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/1276-147-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2912-146-0x000000013F1A0000-0x000000013F4F4000-memory.dmp