Analysis Overview
SHA256
38beffdd41fb0f6ed2eea60298f5775fedb455ca3340e8b91edc1e593b9468e7
Threat Level: Known bad
The file 2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobaltstrike family
Cobaltstrike
Xmrig family
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
xmrig
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 10:20
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 10:20
Reported
2024-06-01 10:22
Platform
win7-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\EQzipxn.exe | N/A |
| N/A | N/A | C:\Windows\System\IxJrBtU.exe | N/A |
| N/A | N/A | C:\Windows\System\eRVLIEu.exe | N/A |
| N/A | N/A | C:\Windows\System\xqiulNU.exe | N/A |
| N/A | N/A | C:\Windows\System\ZRtjFdy.exe | N/A |
| N/A | N/A | C:\Windows\System\DXHWBye.exe | N/A |
| N/A | N/A | C:\Windows\System\cqHDYcE.exe | N/A |
| N/A | N/A | C:\Windows\System\NWsCAla.exe | N/A |
| N/A | N/A | C:\Windows\System\yHECCJR.exe | N/A |
| N/A | N/A | C:\Windows\System\HaozNzO.exe | N/A |
| N/A | N/A | C:\Windows\System\JLFIwYd.exe | N/A |
| N/A | N/A | C:\Windows\System\ZCuASFN.exe | N/A |
| N/A | N/A | C:\Windows\System\EwXLZLU.exe | N/A |
| N/A | N/A | C:\Windows\System\DwjqpNu.exe | N/A |
| N/A | N/A | C:\Windows\System\fPewvvF.exe | N/A |
| N/A | N/A | C:\Windows\System\ZySJOJK.exe | N/A |
| N/A | N/A | C:\Windows\System\jIgDxJx.exe | N/A |
| N/A | N/A | C:\Windows\System\ckcSQHx.exe | N/A |
| N/A | N/A | C:\Windows\System\pSIhnPY.exe | N/A |
| N/A | N/A | C:\Windows\System\njhlIEN.exe | N/A |
| N/A | N/A | C:\Windows\System\DjtdDcE.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\EQzipxn.exe | C:\Windows\System\EQzipxn.exe |
| C:\Windows\System\IxJrBtU.exe | C:\Windows\System\IxJrBtU.exe |
| C:\Windows\System\eRVLIEu.exe | C:\Windows\System\eRVLIEu.exe |
| C:\Windows\System\xqiulNU.exe | C:\Windows\System\xqiulNU.exe |
| C:\Windows\System\ZRtjFdy.exe | C:\Windows\System\ZRtjFdy.exe |
| C:\Windows\System\DXHWBye.exe | C:\Windows\System\DXHWBye.exe |
| C:\Windows\System\cqHDYcE.exe | C:\Windows\System\cqHDYcE.exe |
| C:\Windows\System\NWsCAla.exe | C:\Windows\System\NWsCAla.exe |
| C:\Windows\System\yHECCJR.exe | C:\Windows\System\yHECCJR.exe |
| C:\Windows\System\HaozNzO.exe | C:\Windows\System\HaozNzO.exe |
| C:\Windows\System\JLFIwYd.exe | C:\Windows\System\JLFIwYd.exe |
| C:\Windows\System\ZCuASFN.exe | C:\Windows\System\ZCuASFN.exe |
| C:\Windows\System\EwXLZLU.exe | C:\Windows\System\EwXLZLU.exe |
| C:\Windows\System\DwjqpNu.exe | C:\Windows\System\DwjqpNu.exe |
| C:\Windows\System\fPewvvF.exe | C:\Windows\System\fPewvvF.exe |
| C:\Windows\System\ZySJOJK.exe | C:\Windows\System\ZySJOJK.exe |
| C:\Windows\System\jIgDxJx.exe | C:\Windows\System\jIgDxJx.exe |
| C:\Windows\System\ckcSQHx.exe | C:\Windows\System\ckcSQHx.exe |
| C:\Windows\System\pSIhnPY.exe | C:\Windows\System\pSIhnPY.exe |
| C:\Windows\System\njhlIEN.exe | C:\Windows\System\njhlIEN.exe |
| C:\Windows\System\DjtdDcE.exe | C:\Windows\System\DjtdDcE.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 10:20
Reported
2024-06-01 10:22
Platform
win10v2004-20240426-en
Max time kernel
137s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\HBbVIQf.exe | N/A |
| N/A | N/A | C:\Windows\System\dgCrDcJ.exe | N/A |
| N/A | N/A | C:\Windows\System\NJwqZPx.exe | N/A |
| N/A | N/A | C:\Windows\System\fyMMGoF.exe | N/A |
| N/A | N/A | C:\Windows\System\psjebCt.exe | N/A |
| N/A | N/A | C:\Windows\System\FomKXXr.exe | N/A |
| N/A | N/A | C:\Windows\System\mbEnQSN.exe | N/A |
| N/A | N/A | C:\Windows\System\gllyxnw.exe | N/A |
| N/A | N/A | C:\Windows\System\sjvRijT.exe | N/A |
| N/A | N/A | C:\Windows\System\bBFIXDj.exe | N/A |
| N/A | N/A | C:\Windows\System\fflhrTY.exe | N/A |
| N/A | N/A | C:\Windows\System\ZdqjynD.exe | N/A |
| N/A | N/A | C:\Windows\System\KEnfBQG.exe | N/A |
| N/A | N/A | C:\Windows\System\fBoVwsQ.exe | N/A |
| N/A | N/A | C:\Windows\System\evPtqKp.exe | N/A |
| N/A | N/A | C:\Windows\System\ieGNVtM.exe | N/A |
| N/A | N/A | C:\Windows\System\AJtubec.exe | N/A |
| N/A | N/A | C:\Windows\System\hgzRhfK.exe | N/A |
| N/A | N/A | C:\Windows\System\arIumhp.exe | N/A |
| N/A | N/A | C:\Windows\System\CbPOFIS.exe | N/A |
| N/A | N/A | C:\Windows\System\OdBsLnV.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\HBbVIQf.exe | C:\Windows\System\HBbVIQf.exe |
| C:\Windows\System\dgCrDcJ.exe | C:\Windows\System\dgCrDcJ.exe |
| C:\Windows\System\NJwqZPx.exe | C:\Windows\System\NJwqZPx.exe |
| C:\Windows\System\fyMMGoF.exe | C:\Windows\System\fyMMGoF.exe |
| C:\Windows\System\psjebCt.exe | C:\Windows\System\psjebCt.exe |
| C:\Windows\System\FomKXXr.exe | C:\Windows\System\FomKXXr.exe |
| C:\Windows\System\mbEnQSN.exe | C:\Windows\System\mbEnQSN.exe |
| C:\Windows\System\gllyxnw.exe | C:\Windows\System\gllyxnw.exe |
| C:\Windows\System\sjvRijT.exe | C:\Windows\System\sjvRijT.exe |
| C:\Windows\System\bBFIXDj.exe | C:\Windows\System\bBFIXDj.exe |
| C:\Windows\System\fflhrTY.exe | C:\Windows\System\fflhrTY.exe |
| C:\Windows\System\ZdqjynD.exe | C:\Windows\System\ZdqjynD.exe |
| C:\Windows\System\KEnfBQG.exe | C:\Windows\System\KEnfBQG.exe |
| C:\Windows\System\fBoVwsQ.exe | C:\Windows\System\fBoVwsQ.exe |
| C:\Windows\System\evPtqKp.exe | C:\Windows\System\evPtqKp.exe |
| C:\Windows\System\ieGNVtM.exe | C:\Windows\System\ieGNVtM.exe |
| C:\Windows\System\AJtubec.exe | C:\Windows\System\AJtubec.exe |
| C:\Windows\System\hgzRhfK.exe | C:\Windows\System\hgzRhfK.exe |
| C:\Windows\System\arIumhp.exe | C:\Windows\System\arIumhp.exe |
| C:\Windows\System\CbPOFIS.exe | C:\Windows\System\CbPOFIS.exe |
| C:\Windows\System\OdBsLnV.exe | C:\Windows\System\OdBsLnV.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
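The network table mixes two different kinds of traffic: PTR queries sent to the sandbox resolver (the `*.in-addr.arpa` names, whose labels are the queried IP written backwards) and the only real outbound session, the repeated TCP connections to 3.120.209.58:8080. Reverse lookups of this kind are frequently platform or OS background activity rather than something the sample asked for, so they should be separated from the session list before anything is promoted to an indicator. The following parser is an added example, not part of the sandbox report; it embeds a constructed copy of the rows above and decodes each PTR name back to its forward IPv4 address.

```python
import ipaddress

# Constructed copy of the Network table above (same values, columns in header order).
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
"""


def ptr_to_ip(name):
    """Decode '209.205.72.20.in-addr.arpa' to '20.72.205.209' (PTR labels are reversed).

    Returns None for anything that is not a well-formed IPv4 reverse name.
    """
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    ip = ".".join(reversed(labels))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def parse_rows(text):
    """Split the markdown rows into dicts; rows that do not have four cells are skipped."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Separate resolver PTR lookups from real sessions.

    ptr_lookups: forward IPs the resolver was asked to reverse-map, in table order.
    sessions:    (host, port, proto) -> number of connections seen.
    """
    ptr_lookups = []
    sessions = {}
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            ip = ptr_to_ip(r["domain"])
            if ip is not None:
                ptr_lookups.append(ip)
            continue
        key = (r["host"], r["port"], r["proto"])
        sessions[key] = sessions.get(key, 0) + 1
    return {"ptr_lookups": ptr_lookups, "sessions": sessions}


if __name__ == "__main__":
    result = summarize(parse_rows(NETWORK_ROWS))
    print("reverse lookups:", result["ptr_lookups"])
    print("sessions:", result["sessions"])
```

On the rows above this yields seven decoded PTR targets and a single session key, `('3.120.209.58', 8080, 'tcp')`, seen six times; the decoded PTR addresses are worth checking against your own environment's baseline before treating any of them as sample-driven.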
Files
memory/2028-0-0x00007FF6DFC10000-0x00007FF6DFF64000-memory.dmp
memory/2028-1-0x00000175FD010000-0x00000175FD020000-memory.dmp
C:\Windows\System\HBbVIQf.exe
| MD5 | 7c7bdb2de47bd8d9797917175e2b422c |
| SHA1 | 95ebfe4bcad068c36345ed36ec796f2e39b514cd |
| SHA256 | e43759dbee1c4ca0b2422d6b21590240edb3bae747ee52450bc23798973d19b4 |
| SHA512 | 51a99c342adcad9c7e910b978f5fbd60813bb275d6e7200f17690dc412ca3293a4365c8c1174eec764148886abdc7dc57da52be5e1fbcb255349dbb712fa2f2d |
memory/852-13-0x00007FF77C930000-0x00007FF77CC84000-memory.dmp
C:\Windows\System\fyMMGoF.exe
| MD5 | a92b151a2a25c6336e53150ba41fcb12 |
| SHA1 | b1c38a4e65dcfbd65c5f5e9db6d091cbfd1eaffb |
| SHA256 | 59c5b04832d4ac9fc227e804210fa9b13fab63ed757df88458d94cf8035fbde7 |
| SHA512 | 54ad7168cdbe376f13ba91ac7ecc62cacc7f4ffa742d16a95ee2889bde0f720b33d969afb08f118079305c30b04713c2bfad70cec9ee06a6cc9614e9b0c572c7 |
C:\Windows\System\NJwqZPx.exe
| MD5 | 8010bdf0b0cb8c7132c5ea7ef8ccff34 |
| SHA1 | 2de9823265e369c20f6268255e5b49f62c391f7d |
| SHA256 | 2dbbbcc6cc62b0414f6ad42ed500fd2a9b405304d923745ee6ba52569a401dc5 |
| SHA512 | 6d9fa2a881a052e9db78f88a7c64837cd361ff8317ccd571b2bda2b644e905abf6689372483b4cb27f6d221bd99bad6154e38563da5ba8256847ceb4bae8f182 |
memory/2860-20-0x00007FF75BD60000-0x00007FF75C0B4000-memory.dmp
memory/5004-19-0x00007FF7F1F90000-0x00007FF7F22E4000-memory.dmp
C:\Windows\System\dgCrDcJ.exe
| MD5 | 6057db207a2bc302f8f13c5fed1867bc |
| SHA1 | d7b796a4c4ccf94abc1afc0c85935b5ba70b4ece |
| SHA256 | 414728b57041f68d78bacf211b7f783c87f3a856d5a860f23c24b1d2eaf38225 |
| SHA512 | 2441001fdbe5473bc18773a7fc9a026660d12fdfbd53c3473b9884e2d21d311511f2137a2e416dfad9ddf5a916b4ee0fa3b2c2e99b8788cad1f0cdd96bd728fb |
memory/4616-26-0x00007FF7D8C20000-0x00007FF7D8F74000-memory.dmp
C:\Windows\System\psjebCt.exe
| MD5 | 2ddf977fec6d82dbe5dd30ffab28a8f0 |
| SHA1 | e32856350a3392eac404059464b2760998891a25 |
| SHA256 | c376bcbb0f58a2fe9b4b14719e9abe53bd133d5ec2b2b01d55acffd1aa661c3e |
| SHA512 | b7f85d00ab765466fc17c389f88fe21756077ccfcb603b08bb89834a53deed528ac4970ab8ec7c49f9f8da75e752bb7c94601bb6384420b59909ce1675bed2de |
C:\Windows\System\FomKXXr.exe
| MD5 | 651e3f920b1ff142180ef17eb53f7276 |
| SHA1 | 884e3421d0fcbc29ceba083e8001e3b3791f1d76 |
| SHA256 | 8aba98fdd44f08b3ee0b009c1389bcad827623d96e32cc6a9e3a27f1c405d938 |
| SHA512 | 1052148f8231e0e4e7409d5331a4afb537fd0fa7393d81e31edc5f1c97be7d0e8e6b6a963db7a208257990cd20eebfd9482393ee01524c80b3f4626374a1c369 |
C:\Windows\System\mbEnQSN.exe
| MD5 | 30bf939b0badac4a795f6f33c2213afc |
| SHA1 | 147c5a5d3984e8590f2dab5c547d4a74be2f4e41 |
| SHA256 | 1b3a28df678dde93b6a1c424a9866ee9bb306bfd26bf1cf1c474b01a1dcd2de4 |
| SHA512 | 7a1c330300dd10b076a4ae5d5a683bdfd4ed41ebcf7fbdab39e8889196049e585ca96887a29baa6c64d89c6b30f3fc8e96c78c8f40740e38937afeb6eb622fbf |
memory/3492-42-0x00007FF64D2C0000-0x00007FF64D614000-memory.dmp
memory/4920-47-0x00007FF7213C0000-0x00007FF721714000-memory.dmp
memory/1200-51-0x00007FF681FD0000-0x00007FF682324000-memory.dmp
memory/4568-53-0x00007FF72E9E0000-0x00007FF72ED34000-memory.dmp
C:\Windows\System\sjvRijT.exe
| MD5 | cdd9d24d78d552866c972bfc37d71d23 |
| SHA1 | 9824718c767c612e0cdcd07443dda15f72e3f22a |
| SHA256 | d80e1a99ddbbb2bfac8692d7d6337b0ab25744961457e0cc2f09ccfe0a8503ed |
| SHA512 | 3c8677c7699142a15ca892fc5c56ce6fe8f816ccfd44f79b5e7b13f86c7d4d80caca7cd2c4c5921696cc6df3980a16c81afd7a2f3eacd364c5e9cb9343a31c81 |
C:\Windows\System\gllyxnw.exe
| MD5 | 591712f31f904675d232a8924dae8a40 |
| SHA1 | 4a7245240a30fd1caad465f88cb82efc9b7611d8 |
| SHA256 | a9aa99cdd15fe6ca750f33b20b9691e0288dd05f9ebd0406785b78605a53780d |
| SHA512 | 4c75148c0c3f16699e544dc4f5ef0a4d2260dccbc16d60d37fc0c74a93c920ef12f4bd0bedb2de9ed8d9e71392a12583ac4deda6a7528ae6f1c5289e7e0e60a9 |
memory/2428-32-0x00007FF7711E0000-0x00007FF771534000-memory.dmp
C:\Windows\System\bBFIXDj.exe
| MD5 | 4336fe7bb1922874c84e1ede1cf4b457 |
| SHA1 | 87c97dd0ff4eaaf8c7574e7c4cc06058cee3782a |
| SHA256 | e1a9520fafb70631fd3fa52beeee08016a65be875f94784a9d525b2f034552a4 |
| SHA512 | 38198ae5f94047e242e962643959dfc91c300de560014ef342e6c3e4e6f36b30090f1c5782b17d8579a601e5340450179803bbe5233514e966a44481a9e9036a |
memory/3652-63-0x00007FF731510000-0x00007FF731864000-memory.dmp
memory/2028-60-0x00007FF6DFC10000-0x00007FF6DFF64000-memory.dmp
C:\Windows\System\fflhrTY.exe
| MD5 | 78e312a4512e3fa5d2443f8b46563b52 |
| SHA1 | 814acd66726d9ac9c592ce0d07b153cf13af8cbc |
| SHA256 | a63d3149bde38f58e1bc5a7b2f8ee93e81c1cbf4347be509787f79420e289a01 |
| SHA512 | d36774433b9bb03f8db80b12311b4cf6ec4fe2540f18a912f9ddb1674ebb8e37da8684e1dad1f7675a6de76be8529893a9e5a0f2ba1416ad25486e529c0f8709 |
C:\Windows\System\ZdqjynD.exe
| MD5 | 9c21653489655c8a10a43a7dc9bbc7c9 |
| SHA1 | 50ab66cd672645612798b4ef9437e4dc58b02a8c |
| SHA256 | 2cdb5d81828c541788b0fdaffb6aabf51d5e5fc8a931126abb4551b5aa60cbce |
| SHA512 | 04d8708165c129f338083a845f9375359aa0a90c78f769c2c67314a5ad6ade521a51abfa5708fad57980dac174e745d0749f8a18bdc50fc532274fbfd484d4a9 |
memory/3540-69-0x00007FF6A27F0000-0x00007FF6A2B44000-memory.dmp
C:\Windows\System\KEnfBQG.exe
| MD5 | a1b18113481e5f5481fa871bc4420916 |
| SHA1 | d0c48e7c815090294e57ce4f79a0bf79a06a5d8e |
| SHA256 | 5b70a7fe5f457c4707266e22732bf8fe236b97530c9f38bba99a3d773efcb797 |
| SHA512 | e13870ecfa97041f5ece19b6806d590ba0e644638e8de52d12164a01c8bc9ff91569f77faf45912b9977566105da9d77748cd19287588afe22200aa7457ba963 |
C:\Windows\System\evPtqKp.exe
| MD5 | 86e559905d9e4acc4c915812811285ca |
| SHA1 | 49ad9e08ca9ff04ecb726732925db353ee03f44c |
| SHA256 | c1dd4e2a1f718cc3461f36f7d5ade10cd41dafcb9d7fc81e4e0a8e195b439f1a |
| SHA512 | f7801b653fd40dd7e039b0a6f3fbe32051ac4ae32dcbd6559ffad98e8e2cfab8a7b6f19b6d83eda910224c09d1ea6380e62897503953cefb4bfde1b039ee3727 |
C:\Windows\System\fBoVwsQ.exe
| MD5 | a65f3b2e3fd79ed7354b41afefa8d602 |
| SHA1 | e5666f77628f47be738109251aaaefd68cc6211b |
| SHA256 | 2c51fea8900261592e66626013a8fd7b8bbf184ed899f43ee0480a3c6b9d88bc |
| SHA512 | f0b75fb4e96d11006cd382704666c05d25d8199f08c7b7e092915f08c9a6cc60bc5b3fb20cfb0b2d35408c37b8ea1c28c1eaaef9abd0a9cc1d9c6b7448772f62 |
memory/3836-84-0x00007FF7F9290000-0x00007FF7F95E4000-memory.dmp
memory/2180-76-0x00007FF70EBA0000-0x00007FF70EEF4000-memory.dmp
memory/2860-75-0x00007FF75BD60000-0x00007FF75C0B4000-memory.dmp
C:\Windows\System\ieGNVtM.exe
| MD5 | c71c8437f2faa1ac5420fdd7222c98c3 |
| SHA1 | 708ad03cb9e1fd10f315b08b6d301bd01bb6477b |
| SHA256 | d174e6b5259b7ecc4b69fdd99be32e2191d987e6f76e8751afaafe7a8f5c9ea7 |
| SHA512 | 2551706f18437bfd762d116ca9d23b3ca037a0d9919df24998b0074cecb6986482c3933d49722c7ef037779a43304339126b7c708405e039e59e471a122c05d6 |
C:\Windows\System\AJtubec.exe
| MD5 | 219658d720bd3873ff207478d2c57b36 |
| SHA1 | 4afe758a745d77834804494aa530b7ad5165eaa5 |
| SHA256 | f3bc95c70e472d16329978230f74b3aa7224335a7eb8fff513198b61d6cbd895 |
| SHA512 | 72368d13a27aef31bcd29b740155eb6d429d1cbbe53ce8d80ce8c14aeeead4af769030491ecb3c1d9bbd15a9c4b0d5616f6909b730ce3b129cbfcb475e9f4724 |
C:\Windows\System\hgzRhfK.exe
| MD5 | 93808e1994d09cf495909b4fd9e99431 |
| SHA1 | ab2db54bdcef32469ece0355a339726e13750af2 |
| SHA256 | 4b1ff101b95b58062b0b9b6fb22bdafc5aa9c55a57abe6a2bf66fd739891a1b6 |
| SHA512 | d2b5833fba34a0c8476b7e0e3fddbefb9223324198932eeffacd953b7c35d17cb5c17b82a8c7e9f215e2536dcc76f09bd597d9d069726f3e62678e39b3a58f2c |
memory/676-111-0x00007FF6E0530000-0x00007FF6E0884000-memory.dmp
C:\Windows\System\arIumhp.exe
| MD5 | 34a686e6dd07811b1044642cae3af03e |
| SHA1 | 66011d0c1d2b5b58bf703459e5687cadc93481e1 |
| SHA256 | fb7a15de12deca0296c421bbeac2491e9de3f6ad82ce239bd5b1f57e75a07628 |
| SHA512 | 1ed5e53467be9795c2531ad276726ca2a342bcb3f97ee89b20dfe9093b55268c4903bb242513f586aaea41ed74bfae46df77bb0b087001ec1e46e55c5d0ed203 |
C:\Windows\System\CbPOFIS.exe
| MD5 | 493883e1408a6e0acafea85deea09a71 |
| SHA1 | 7e923f42fbc069cba992bdcdf4aa0d7bf8e332ce |
| SHA256 | cc9b170d36fecee07bcd68823a20acc7976d43bc95f18e825cd5081b751c15cb |
| SHA512 | ecf8e5611a2cd0f8c77f82bcc7a74ab45962ea5dca7ad9c821ffe70084b7cdd89ae38ce3cd0d60d0786eca7a462fb09eeaf1692a4d6655b516565bd591eeb76c |
memory/4632-123-0x00007FF7F9FA0000-0x00007FF7FA2F4000-memory.dmp
C:\Windows\System\OdBsLnV.exe
| MD5 | a3a72cfb92941e30ea0d57cceee58b86 |
| SHA1 | d62501da4d3783897bab6a85c51bc21a90ca3828 |
| SHA256 | d3a1f2f9c21e7111834d4e3b747af6a7490de4f88e35e7d116963be2aee91db4 |
| SHA512 | dfff99c18031540a3aa1004108ef3e6ae438591f5702da7dd848bb5bc0aafb2c9b84b7d90debb9fbdbe2e195f32ca08dad3eebcd0995fc676228f0751213e33b |
memory/3180-126-0x00007FF677850000-0x00007FF677BA4000-memory.dmp
memory/1200-121-0x00007FF681FD0000-0x00007FF682324000-memory.dmp
memory/4920-114-0x00007FF7213C0000-0x00007FF721714000-memory.dmp
memory/3492-113-0x00007FF64D2C0000-0x00007FF64D614000-memory.dmp
memory/2220-112-0x00007FF7F1460000-0x00007FF7F17B4000-memory.dmp
memory/4636-101-0x00007FF765980000-0x00007FF765CD4000-memory.dmp
memory/4444-100-0x00007FF792180000-0x00007FF7924D4000-memory.dmp
memory/2440-95-0x00007FF7253A0000-0x00007FF7256F4000-memory.dmp
memory/4568-132-0x00007FF72E9E0000-0x00007FF72ED34000-memory.dmp
memory/3708-133-0x00007FF6F4D20000-0x00007FF6F5074000-memory.dmp
memory/3652-134-0x00007FF731510000-0x00007FF731864000-memory.dmp
memory/3836-135-0x00007FF7F9290000-0x00007FF7F95E4000-memory.dmp
memory/4636-136-0x00007FF765980000-0x00007FF765CD4000-memory.dmp
memory/3180-137-0x00007FF677850000-0x00007FF677BA4000-memory.dmp
memory/852-138-0x00007FF77C930000-0x00007FF77CC84000-memory.dmp
memory/5004-139-0x00007FF7F1F90000-0x00007FF7F22E4000-memory.dmp
memory/2860-140-0x00007FF75BD60000-0x00007FF75C0B4000-memory.dmp
memory/4616-141-0x00007FF7D8C20000-0x00007FF7D8F74000-memory.dmp
memory/2428-142-0x00007FF7711E0000-0x00007FF771534000-memory.dmp
memory/4920-143-0x00007FF7213C0000-0x00007FF721714000-memory.dmp
memory/3492-144-0x00007FF64D2C0000-0x00007FF64D614000-memory.dmp
memory/4568-145-0x00007FF72E9E0000-0x00007FF72ED34000-memory.dmp
memory/1200-146-0x00007FF681FD0000-0x00007FF682324000-memory.dmp
memory/3652-147-0x00007FF731510000-0x00007FF731864000-memory.dmp
memory/3540-148-0x00007FF6A27F0000-0x00007FF6A2B44000-memory.dmp
memory/2180-149-0x00007FF70EBA0000-0x00007FF70EEF4000-memory.dmp
memory/3836-150-0x00007FF7F9290000-0x00007FF7F95E4000-memory.dmp
memory/2440-151-0x00007FF7253A0000-0x00007FF7256F4000-memory.dmp
memory/4444-152-0x00007FF792180000-0x00007FF7924D4000-memory.dmp
memory/4636-153-0x00007FF765980000-0x00007FF765CD4000-memory.dmp
memory/676-154-0x00007FF6E0530000-0x00007FF6E0884000-memory.dmp
memory/2220-155-0x00007FF7F1460000-0x00007FF7F17B4000-memory.dmp
memory/4632-156-0x00007FF7F9FA0000-0x00007FF7FA2F4000-memory.dmp
memory/3708-158-0x00007FF6F4D20000-0x00007FF6F5074000-memory.dmp
memory/3180-157-0x00007FF677850000-0x00007FF677BA4000-memory.dmp
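Two facts in the Files section are easy to miss when reading the raw listing: the on-disk hashes of the 21 dropped executables are all different, yet every one of the 22 PIDs dumps exactly one large region of the same size, 0x354000 bytes, at a different 0x7FF6/0x7FF7 base (PID 2028, the original sample, additionally has a 0x10000-byte region). Same in-memory image size with differing file hashes is consistent with one payload being re-dropped under random names, and the size is a stable pivot when the file hashes are not. The parser below is an added example, not part of the report; it embeds a constructed excerpt of the lines above (a subset copied verbatim; the full section has 21 files and 22 PIDs), extracts the per-file digests and the `memory/<pid>-<n>-<start>-<end>` regions, collapses repeated dumps of the same region, and reports the region size shared by the most PIDs.

```python
import re
from collections import defaultdict

# Constructed excerpt of this report's Files section: a verbatim subset of the
# lines above, small enough to embed. The full section has 21 dropped files.
FILES_EXCERPT = r"""
memory/2028-0-0x00007FF6DFC10000-0x00007FF6DFF64000-memory.dmp
memory/2028-1-0x00000175FD010000-0x00000175FD020000-memory.dmp
C:\Windows\System\HBbVIQf.exe
| MD5 | 7c7bdb2de47bd8d9797917175e2b422c |
| SHA1 | 95ebfe4bcad068c36345ed36ec796f2e39b514cd |
| SHA256 | e43759dbee1c4ca0b2422d6b21590240edb3bae747ee52450bc23798973d19b4 |
memory/852-13-0x00007FF77C930000-0x00007FF77CC84000-memory.dmp
C:\Windows\System\fyMMGoF.exe
| MD5 | a92b151a2a25c6336e53150ba41fcb12 |
| SHA256 | 59c5b04832d4ac9fc227e804210fa9b13fab63ed757df88458d94cf8035fbde7 |
memory/2860-20-0x00007FF75BD60000-0x00007FF75C0B4000-memory.dmp
memory/2028-60-0x00007FF6DFC10000-0x00007FF6DFF64000-memory.dmp
memory/2860-140-0x00007FF75BD60000-0x00007FF75C0B4000-memory.dmp
"""

# memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# | MD5 | <hex digest> |
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")


def parse_files_section(text):
    """Return (files, regions).

    files:   path -> {algorithm: digest}, filled from the hash rows that follow each path.
    regions: list of (pid, dump_index, start, end) in listing order, duplicates kept.
    """
    files = {}
    regions = []
    current = None
    for line in text.strip().splitlines():
        line = line.strip()
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            regions.append((int(pid), int(idx), int(start, 16), int(end, 16)))
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m.group(1)] = m.group(2)
            continue
        if line and not line.startswith("|"):
            current = line  # a dropped-file path starts a new hash block
            files.setdefault(current, {})
    return files, regions


def region_sizes(regions):
    """Distinct (pid, start, end) -> size in bytes; repeated dumps of a region collapse."""
    sizes = {}
    for pid, _idx, start, end in regions:
        sizes[(pid, start, end)] = end - start
    return sizes


def shared_image_size(regions):
    """(size, pid_count) for the region size present in the largest number of PIDs."""
    pids_by_size = defaultdict(set)
    for (pid, _start, _end), size in region_sizes(regions).items():
        pids_by_size[size].add(pid)
    size, pids = max(pids_by_size.items(), key=lambda kv: len(kv[1]))
    return size, len(pids)


def hash_ioc_lines(files, algo="SHA256"):
    """'<digest>  <path>' per dropped file that carries the requested digest."""
    return [f"{digests[algo]}  {path}" for path, digests in files.items() if algo in digests]


if __name__ == "__main__":
    files, regions = parse_files_section(FILES_EXCERPT)
    size, n = shared_image_size(regions)
    print(f"most common region size: {size:#x} bytes in {n} PIDs")
    print("\n".join(hash_ioc_lines(files)))
```

Run against the full section instead of the excerpt, the same code reports 0x354000 bytes in all 22 PIDs, which is the pivot to carry into memory-scanning rules, while `hash_ioc_lines` gives the per-file digest list for host-based blocking.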