Analysis Overview
| SHA256 | 4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30 |
| Threat Level | Known bad |
The file 2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Cobaltstrike family
Xmrig family
Cobaltstrike
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
| Reported | 2024-06-01 14:46 |
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-06-01 14:46 |
| Reported | 2024-06-01 14:49 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 146s |
| Max time network | 157s |
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\GQxGCAQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ipKhOxz.exe | N/A |
| N/A | N/A | C:\Windows\System\jQGsgBy.exe | N/A |
| N/A | N/A | C:\Windows\System\blFAiRZ.exe | N/A |
| N/A | N/A | C:\Windows\System\svHkTaV.exe | N/A |
| N/A | N/A | C:\Windows\System\pRYdzJU.exe | N/A |
| N/A | N/A | C:\Windows\System\KeIylgm.exe | N/A |
| N/A | N/A | C:\Windows\System\UmKNpKA.exe | N/A |
| N/A | N/A | C:\Windows\System\POsRmvq.exe | N/A |
| N/A | N/A | C:\Windows\System\szlgMxj.exe | N/A |
| N/A | N/A | C:\Windows\System\gaYClVa.exe | N/A |
| N/A | N/A | C:\Windows\System\hvKvGyd.exe | N/A |
| N/A | N/A | C:\Windows\System\WOdNksf.exe | N/A |
| N/A | N/A | C:\Windows\System\DkBPadJ.exe | N/A |
| N/A | N/A | C:\Windows\System\dgKmKYs.exe | N/A |
| N/A | N/A | C:\Windows\System\hLdQWto.exe | N/A |
| N/A | N/A | C:\Windows\System\DJUqaSs.exe | N/A |
| N/A | N/A | C:\Windows\System\YyNsFuS.exe | N/A |
| N/A | N/A | C:\Windows\System\QzbTEwD.exe | N/A |
| N/A | N/A | C:\Windows\System\rjjPMGs.exe | N/A |
| N/A | N/A | C:\Windows\System\WcpOSdX.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\GQxGCAQ.exe | C:\Windows\System\GQxGCAQ.exe |
| C:\Windows\System\ipKhOxz.exe | C:\Windows\System\ipKhOxz.exe |
| C:\Windows\System\jQGsgBy.exe | C:\Windows\System\jQGsgBy.exe |
| C:\Windows\System\blFAiRZ.exe | C:\Windows\System\blFAiRZ.exe |
| C:\Windows\System\svHkTaV.exe | C:\Windows\System\svHkTaV.exe |
| C:\Windows\System\pRYdzJU.exe | C:\Windows\System\pRYdzJU.exe |
| C:\Windows\System\KeIylgm.exe | C:\Windows\System\KeIylgm.exe |
| C:\Windows\System\UmKNpKA.exe | C:\Windows\System\UmKNpKA.exe |
| C:\Windows\System\POsRmvq.exe | C:\Windows\System\POsRmvq.exe |
| C:\Windows\System\szlgMxj.exe | C:\Windows\System\szlgMxj.exe |
| C:\Windows\System\gaYClVa.exe | C:\Windows\System\gaYClVa.exe |
| C:\Windows\System\hvKvGyd.exe | C:\Windows\System\hvKvGyd.exe |
| C:\Windows\System\WOdNksf.exe | C:\Windows\System\WOdNksf.exe |
| C:\Windows\System\DkBPadJ.exe | C:\Windows\System\DkBPadJ.exe |
| C:\Windows\System\dgKmKYs.exe | C:\Windows\System\dgKmKYs.exe |
| C:\Windows\System\hLdQWto.exe | C:\Windows\System\hLdQWto.exe |
| C:\Windows\System\DJUqaSs.exe | C:\Windows\System\DJUqaSs.exe |
| C:\Windows\System\YyNsFuS.exe | C:\Windows\System\YyNsFuS.exe |
| C:\Windows\System\QzbTEwD.exe | C:\Windows\System\QzbTEwD.exe |
| C:\Windows\System\rjjPMGs.exe | C:\Windows\System\rjjPMGs.exe |
| C:\Windows\System\WcpOSdX.exe | C:\Windows\System\WcpOSdX.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\GQxGCAQ.exe
| MD5 | 7e369b8d2b8185867d2156b239ecccea |
| SHA1 | 034625d1e2c572f0496b70468aa27d546402d3ef |
| SHA256 | 98e5ea3e7435d5c7134e8242268d595d0f8b713a13d7cc855bca754d90f7b1b5 |
| SHA512 | a7e053f0095c1b8672656c315cd410cf70b52f1faab43035b77f0d07b51feab15b0e07105f1cab096d9be462d030d2274656f2f6832b4988abf29cc6ab278826 |
C:\Windows\System\jQGsgBy.exe
| MD5 | eea506da6f4f58df8527234cacd615fc |
| SHA1 | a23adb1558e49d0c368521968d5a33bc35684bf5 |
| SHA256 | 0ee6e393a6ac1a18c180e68354c8be7f58d602506e7763d5067f8bca28f2a3e2 |
| SHA512 | 88ffea7bf47c9a3ada0f39e42671c609729db2346831cfc0a20fa39f61d89ec2703678413bf9e70b7d519c121c0695bb9a950cb38194a2f9bc8eeca9f36e9a56 |
C:\Windows\System\ipKhOxz.exe
| MD5 | 811b745be83ac839a8c1a8bfd9f159bf |
| SHA1 | 4f3d7380131507ecbdee55b964b1bb4bb233783d |
| SHA256 | 54723f0c1f774acbf83801411ffa9ea69c3c7abea82d0ea5178901aababe3960 |
| SHA512 | 47df4673e648b6179d4bc8c054f65562ccc1e2a499cd9d9f7ebbb671233c97764dab1a3da413d69dfc1474121c7088bc7eb27a7fbead2c49a9bcd30e7e3d899d |
C:\Windows\System\blFAiRZ.exe
| MD5 | acfecbf1d1d6845174abc28621395f60 |
| SHA1 | 63613144944596d542b8ee0f338a656d384ac827 |
| SHA256 | 74bd59c17a7bbf2f6be26b7f64eb6291a9946521d84aa0af1c7c457d7b546312 |
| SHA512 | 71bc991a0a4e61689bb797a98a25ccc5f6d7f7e81ad88ff90edb2bb1cc6b2853cc13de8b73742d2ff9bf96892530d0c6ce97292600a5a67ba8a4010115479a61 |
C:\Windows\System\svHkTaV.exe
| MD5 | eb27a21fa5255aedde82e81f9d14d279 |
| SHA1 | 39da2c219aec47f0d83b97b368afa1968026baf5 |
| SHA256 | 617c24c24f0aed96a86fa72d817f9f6b6c36a4a39a790d214932a5d580b12137 |
| SHA512 | 183f16b7e5c427754c26b1f3b0f54bcd98afbee16d0850df0d6bb894e681b0bc440e2c4e9898cc14c3a23f9552b646f611b9463098ac9539120f0a2e00e321dc |
C:\Windows\System\pRYdzJU.exe
| MD5 | b7c8fa84a6af8cb6b25a939c6f2d7eb8 |
| SHA1 | c0c2bf5469c3650903d0b13223e6fe47045644ce |
| SHA256 | bbdd094df340a42e74453bb200a96c692ce05bf0c41b2ab99a59289607ab1d0e |
| SHA512 | 2d59e19d94f7b393bf5b6f6bcd35c6543b668488f63b0578d8bd7d3f21b8bc4d9791278b6f117030c869484076ed09eb4b40c42744d5f9eeeeb3400c1b33613d |
C:\Windows\System\KeIylgm.exe
| MD5 | 92e81316b77e9221209540c6b24db5ff |
| SHA1 | 9e9882acd9dd4975ee3b276740aada37c7b9751d |
| SHA256 | 42176d74b6d7d954133c1800c9842a7ed18e3821375e9b7a2aa86e4e769a27c5 |
| SHA512 | 0b93eb1c52f1a3a16e300200ed4b591449e06b6c5febc13f1363a1bd86b59c5ffdd116d6264015586acbec3dbfa361b4fb7aa0436308784bdd6e8ebaaa48157b |
C:\Windows\System\UmKNpKA.exe
| MD5 | aefe43f865ff46d8ab43d4b91cec7b31 |
| SHA1 | d641d54db834e6b565dd81a6182b181e3f2e7968 |
| SHA256 | 5bc63052f848cdad60a03926aef9750612aff860249c5abbafb5e956912eaf4b |
| SHA512 | d43da00eda33889cd210f765efc5dc83236e8621d596a96206bdcab6f7fb5f0742e7994c6527359fc247cbd8aab4fc0910c5b804f05704b2ca406913cdffb2f8 |
C:\Windows\System\POsRmvq.exe
| MD5 | 797d32724958453e2e6befc90bf7e9c9 |
| SHA1 | 427711899251755f7a9f32982696cc1d5f5614d7 |
| SHA256 | ff4f0c29ccea0f34e3c54ee7b5a4508c14a950c7949a5c68a162165d2773739d |
| SHA512 | 6616e9bc8dd93c5b069e5c6c048846914ce47b8ed7292813c0afce8f25b3353bfc697880c959444b00d7414ba6c28c8419b99d77853d1672dcc0b60cd2381f05 |
C:\Windows\System\szlgMxj.exe
| MD5 | 3e654088c1ebcbf56c647e36df16d995 |
| SHA1 | db3cc12d567aa286583c6197bc29277c7148aa32 |
| SHA256 | 758d6990112c066298e667391e14532a3b2827c2771bff4565011fc19260d9e5 |
| SHA512 | fe9854e28a9ca6d809eae016b34f178242e7954c2167cc36c93bfc86dc698a634f5e17c12c13c604538f91737f2ff4485425fcc9548f768dc8f07e306bdcef84 |
C:\Windows\System\gaYClVa.exe
| MD5 | e831516941392a1b53c9a6725ec8911a |
| SHA1 | a5fa05144be10fcf109c1f4f86409ac57da2a9fc |
| SHA256 | 24189a728eea80376de5f2c6f7bf0ce873aadfd38754722513c31cd78cf21877 |
| SHA512 | 8c9547b208a563396cc48260a97b1fdd26b97f506a09d261e17e742f5f70896f8919a8983bf9ca1434fdf8a3ae6ec8112f0f89d76718f93f91f077897661fdf6 |
C:\Windows\System\hvKvGyd.exe
| MD5 | 7d7f7b7073949ea16c0add0b02657b22 |
| SHA1 | 2ac1e7c5d7f1cbc4d9f5b87ec80604aae216366d |
| SHA256 | 407c2242f6b968eddfb6fa1a0156d3c46b31a972711cee5e94713df30c95ed11 |
| SHA512 | b10f5072c2f24265e5ada721f05d39f7b51ecd17fa93c86147365151f4666c6c8a4ccf8717735f5c19e3c32a165efadbe789ca52dd630d840c2b633390bd3b3c |
C:\Windows\System\WOdNksf.exe
| MD5 | 224191d2e3ca5f159a226484a7d1f1ba |
| SHA1 | 6b7d76feae259c586cfd8cf0fb2cee9202a8b91e |
| SHA256 | cff9e73679ed46e198ac517eb60c57553af84f9679de80813aec3e8b5d219ea9 |
| SHA512 | 8da8e3ae2f9e655a4917d8f5529ede983d580761fc593f62989083aec21c146b2ce6ebab277001e17721663c5b651ed51e6571d42c9a8f784d7510068e921f33 |
C:\Windows\System\DkBPadJ.exe
| MD5 | d022b56b891454d663b5223e4b18442a |
| SHA1 | 843ac87a5236af7169a42f3a2fad8b97f0464d98 |
| SHA256 | d26a84eee28142bf02cbb4ae798c82cd94abc575484ccc827028b35588de77ba |
| SHA512 | 8e3ee8a3e3a513c0774be4c3245c7b9decab1d2052b27cf46da45cb81b76f2246964150033043046dda4fcd5808107fa158ebb5313c88ccde898df29e47cba5c |
C:\Windows\System\dgKmKYs.exe
| MD5 | e947d0853edbf6f033d525f42ea90e40 |
| SHA1 | aa77ee75ba08501118148d90ab4b80a0474f0690 |
| SHA256 | d8bb7fa33891c8a3609160bb9ee5d447ef23146765ca1fe730a77da083de0998 |
| SHA512 | e5101bb8570b62972cafd228c9cb812c81764ea476fd213b7e5ae3f9d25216a174d29846552f1cd58ff50fde60650bf0d86d7e689c4c3fceadc8e9c74bf06a75 |
C:\Windows\System\hLdQWto.exe
| MD5 | 3f80b823954e33aebd639208a12b90cc |
| SHA1 | c821ad72b79b9c0564663d31e9ac300f90e749e5 |
| SHA256 | c8320af00c3406811797c2596fd4a70967366b0395d7287dae37106528424aa8 |
| SHA512 | 2751ac00f72b87b35a3d4e58b072100bc77e26ee41a5c01c2c62209e15ab729871d2a2db63608c961d238dbc6417a0c4473bd3bc747ac8b4cd8415fa7a1298a6 |
C:\Windows\System\DJUqaSs.exe
| MD5 | 55cf32d2586d23e59674814e1a4ff930 |
| SHA1 | b037a6b9f436f1736aa0b22fd1b7a8b5824374ec |
| SHA256 | 288a39850e11141cdece3fcd90970b79751908ef423999eb46c0ca42d69c7118 |
| SHA512 | d72e9a4120bd10a0854fa5889a043f67211a2469548fed69a4886f312e8fc11ced37d8b6d4eb75d6c1f928bc4eac82ff224ed6672f10aa828738e3fd0c634ec8 |
C:\Windows\System\YyNsFuS.exe
| MD5 | 94964f8705957ece09cbbe5c7c61dcff |
| SHA1 | 0bbed891e4ce22397081c5f6a0cd47f0f04325ce |
| SHA256 | 8ca172ef14700cf83ae5f274674b77c379de88e8f15d53327ee71a3a4726e767 |
| SHA512 | bb37f3305655894b1901885426bf7e69b4049e99feb0732a1ad3645b83548a02ddef2554787787eb56192922daa502e8bfb53f93cf59ff9a61983d47344da20e |
C:\Windows\System\rjjPMGs.exe
| MD5 | 6d617771e903315567441789465faa8a |
| SHA1 | bfdaa6689079a7402103f7beeb66921411b669fc |
| SHA256 | e85d8992b9a00d393306909bff4fd7b9ec55cf3ccf4c4980d253003ebe2ac38c |
| SHA512 | c7b13d54035d798b4a0a1da3f3f6897b0b780d1ac3306e03d96cca34b1485e7ed15c9f14f550fdad099939b42c315c068c7129102154b5235167a509b1eada97 |
C:\Windows\System\QzbTEwD.exe
| MD5 | ec7732169381578be83657bda8c1e851 |
| SHA1 | e9a696009e58dc8fcbfb1a697b1d51eab63a3fc2 |
| SHA256 | 24bf40c5abbd8222f050b6be1b310eac2bcaa32d4ff610045501f06cdfc4492e |
| SHA512 | 9e2206a901ab96105210e3703222858393bd935305ca64658e49f9fc4eed103326a5c7c95bdb3403115ae9e638f83be76708dfa27de9f4e0fa761153f119f411 |
C:\Windows\System\WcpOSdX.exe
| MD5 | d6c48139dff072dc9fa8a5c6d4e7bcae |
| SHA1 | cbcf8955509cefbd2e24abffd99ac9928c5feaef |
| SHA256 | 475c4677eb1b3e47367094aefd451efdefe5c4608b364e506cf67a9b9483f786 |
| SHA512 | 93d08c54c71ac2f5f69c59f3d13f5e8de15a96e209707705388d2b5188e6151b1124472d157105450f4ff9b3c8327ad5f2f2cdf9ba4241b546a69f3913173712 |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-06-01 14:46 |
| Reported | 2024-06-01 14:49 |
| Platform | win7-20240508-en |
| Max time kernel | 145s |
| Max time network | 149s |
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jlofsdR.exe | N/A |
| N/A | N/A | C:\Windows\System\TwDSyaY.exe | N/A |
| N/A | N/A | C:\Windows\System\XdskhYU.exe | N/A |
| N/A | N/A | C:\Windows\System\cWwOrXG.exe | N/A |
| N/A | N/A | C:\Windows\System\bikTaYq.exe | N/A |
| N/A | N/A | C:\Windows\System\RfSLppm.exe | N/A |
| N/A | N/A | C:\Windows\System\tLkVpYx.exe | N/A |
| N/A | N/A | C:\Windows\System\lQtZuPi.exe | N/A |
| N/A | N/A | C:\Windows\System\JsizMJs.exe | N/A |
| N/A | N/A | C:\Windows\System\YXAJIcK.exe | N/A |
| N/A | N/A | C:\Windows\System\hFcIIUp.exe | N/A |
| N/A | N/A | C:\Windows\System\pcoaSif.exe | N/A |
| N/A | N/A | C:\Windows\System\lQEbjyJ.exe | N/A |
| N/A | N/A | C:\Windows\System\VjOIbbp.exe | N/A |
| N/A | N/A | C:\Windows\System\BvULLqZ.exe | N/A |
| N/A | N/A | C:\Windows\System\OdWfzNt.exe | N/A |
| N/A | N/A | C:\Windows\System\qoQgNJZ.exe | N/A |
| N/A | N/A | C:\Windows\System\bPVekkP.exe | N/A |
| N/A | N/A | C:\Windows\System\IwqiuNP.exe | N/A |
| N/A | N/A | C:\Windows\System\CVmZoMt.exe | N/A |
| N/A | N/A | C:\Windows\System\xYyPsYS.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\jlofsdR.exe | C:\Windows\System\jlofsdR.exe |
| C:\Windows\System\TwDSyaY.exe | C:\Windows\System\TwDSyaY.exe |
| C:\Windows\System\XdskhYU.exe | C:\Windows\System\XdskhYU.exe |
| C:\Windows\System\cWwOrXG.exe | C:\Windows\System\cWwOrXG.exe |
| C:\Windows\System\bikTaYq.exe | C:\Windows\System\bikTaYq.exe |
| C:\Windows\System\RfSLppm.exe | C:\Windows\System\RfSLppm.exe |
| C:\Windows\System\tLkVpYx.exe | C:\Windows\System\tLkVpYx.exe |
| C:\Windows\System\lQtZuPi.exe | C:\Windows\System\lQtZuPi.exe |
| C:\Windows\System\JsizMJs.exe | C:\Windows\System\JsizMJs.exe |
| C:\Windows\System\hFcIIUp.exe | C:\Windows\System\hFcIIUp.exe |
| C:\Windows\System\YXAJIcK.exe | C:\Windows\System\YXAJIcK.exe |
| C:\Windows\System\pcoaSif.exe | C:\Windows\System\pcoaSif.exe |
| C:\Windows\System\lQEbjyJ.exe | C:\Windows\System\lQEbjyJ.exe |
| C:\Windows\System\VjOIbbp.exe | C:\Windows\System\VjOIbbp.exe |
| C:\Windows\System\BvULLqZ.exe | C:\Windows\System\BvULLqZ.exe |
| C:\Windows\System\OdWfzNt.exe | C:\Windows\System\OdWfzNt.exe |
| C:\Windows\System\qoQgNJZ.exe | C:\Windows\System\qoQgNJZ.exe |
| C:\Windows\System\bPVekkP.exe | C:\Windows\System\bPVekkP.exe |
| C:\Windows\System\IwqiuNP.exe | C:\Windows\System\IwqiuNP.exe |
| C:\Windows\System\xYyPsYS.exe | C:\Windows\System\xYyPsYS.exe |
| C:\Windows\System\CVmZoMt.exe | C:\Windows\System\CVmZoMt.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2424-0-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/2424-1-0x0000000000100000-0x0000000000110000-memory.dmp
C:\Windows\system\jlofsdR.exe
| MD5 | 55c2f0c4a4c640ac66ec9d04155e90e6 |
| SHA1 | 82b2d1e266ebfa8ec25278cb55ed2e35502f9989 |
| SHA256 | bd473291536239da1a98014fcde8b2e4e0a7b76871908edf6810ec32ba7aa68e |
| SHA512 | 84c334ef1a97febda4dfc0e915aa7c83c3f4821f900304ba58b58de275d951856e2f11686228deb9509cee5489abc6163094bd382f3a36039538876baf3fd4d8 |
memory/2424-8-0x0000000002380000-0x00000000026D4000-memory.dmp
C:\Windows\system\TwDSyaY.exe
| MD5 | 54fb96af44dc060a1e5d026b423977c3 |
| SHA1 | 4d0e6e2c06c898951639bd5c95b2205c1019c1f6 |
| SHA256 | 21241c28bc13212b30931330ccd89f6e48cb7975cf16f0f383fb621e06dd5d95 |
| SHA512 | 9c1236c88004e79bb7497d75dc748c8a90d0bedcd6e55e1c2f7a71b60f7029be2bd408d79cd9602d5bf359762ff4cec6bb19007de1b1b4acd9523ab07775c3e9 |
memory/2424-16-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2920-14-0x000000013FD50000-0x00000001400A4000-memory.dmp
C:\Windows\system\XdskhYU.exe
| MD5 | 6ea8e2e756b922501740a9e2bf65bbd0 |
| SHA1 | d9fd9f4e497c99c25a800298d0eb310af9788979 |
| SHA256 | 50dad08aee5b02b35b7e8d92471e82ca90b006590fe6546675e199cc240619a5 |
| SHA512 | 9ac47455eafd4a8ce7082f8d508603db6ced5507fa13f6c9e1bfbb036be6d52705b2967ae4a172d955356d75ad58821463d5db5dab69bb6f4165b197f6e75661 |
memory/2280-22-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2424-21-0x000000013FF10000-0x0000000140264000-memory.dmp
C:\Windows\system\cWwOrXG.exe
| MD5 | 18a362da92522d809e0248fe70271cbb |
| SHA1 | b1c69cc9fb93742d7d7b7ddb65257d5b908cdb73 |
| SHA256 | 61f2b307bc8e87dad2c135dad207989e6e064f1d0b259878263d37503c7dc41c |
| SHA512 | 48acdc8f3388f4c27bee1b683d9a011e0a582087872aafad17ed2f64fa539d67d1e93463882e27c35ee3440d947832290b33e55ea36b5d4b1c2c862d407bef6b |
C:\Windows\system\bikTaYq.exe
| MD5 | 3add9ac68d5b16be757a19669a6bfba7 |
| SHA1 | 11cfded4c42b1cb0099326361a5cde4c91d096aa |
| SHA256 | ef76032d12d90178e83a285d21a4c0bb9ecf30d2f88899ca28227a4149790f25 |
| SHA512 | f676a7fe8e8350a62d297d943ddd29c793e07222ad680498af865438b34b39f3224a98f7ca792fb2b9d82fa14f998cdd963ddb0218f8e9fa07aaac97a45914b6 |
\Windows\system\RfSLppm.exe
| MD5 | d17f37b013089c1de1c587d605017855 |
| SHA1 | 4a266715cbc94e3f15e93ddbac1b71825a237afe |
| SHA256 | cab08e07ef6fc1aef49f41dc08cebe5f7f55c37dc021cfc5fa8a4cce58e442a9 |
| SHA512 | 1fa2fd9e80f3743432dc83e156282913a56b3b4d0c57678578ef4a2855c08ac76badbf22b34fe2b676d392f42f8f27251ddbe567e8994c44881a9b4d123d0a45 |
C:\Windows\system\tLkVpYx.exe
| MD5 | a6df9915b29b542fb940e62282b409d9 |
| SHA1 | c513677242181f34cc30f5ea3b7575f9fc55bd76 |
| SHA256 | 3f10c230cd8eedc71abc21be4c531a6c6efd86c9171f1e1c671ce85906554a41 |
| SHA512 | 9c379ce7737051e5b832fbd88252f2e704b388fd4f79bc46df51944fa273b7391db9990bcd5f779c4f358f081bc4dbb31fac14b19ea628ba712b19316dc5dad1 |
C:\Windows\system\lQtZuPi.exe
| MD5 | 11c4fc8eda943b4f7dfb235c697b011b |
| SHA1 | 8b970d06900ec4cb8224315d1b99609aebc52900 |
| SHA256 | da754ffb56077604bad69516e206cf3e868f51af518aec7575c8b8bbb269a956 |
| SHA512 | c4328f8b3ec275f42d61ea51bace2243e1e3329e2c731e4b4fcf5df1a3a507ed5f571f204dffa02e288ea6846dab265923a370072ad457f087f9de4eb113db6e |
memory/2856-58-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2492-85-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/1824-92-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2584-98-0x000000013F980000-0x000000013FCD4000-memory.dmp
C:\Windows\system\OdWfzNt.exe
| MD5 | 69a7df3f3b25688c86dcb266aa5a4760 |
| SHA1 | e0423761a1ed29ba9fbe30766aa1ee550061b079 |
| SHA256 | 2d49311725d31b7cad23a668f810854a1a6a802aeffdcdbeccb019f10590cf2e |
| SHA512 | 75b69322cc53f3da0c363d83d6562058a6dc74a74269aac4923450fed6b11484d4412511a003a5bc8e5f7490fb4d1b11623398a872b1d513476445699575c74a |
\Windows\system\xYyPsYS.exe
| MD5 | b1c25544cecaba42ab6833b1515824b9 |
| SHA1 | 6787bc60e57be4384b9047d0d7513fb2326ea005 |
| SHA256 | a202d14ecf2652ab2a5dbd8339b1efc4b42bcb81041bb2f0eb9be5e2dce4777b |
| SHA512 | 2dcaee2e58ca3092ac700970b7b54da9a2bef22469dd666befc16d6225e593f2845a52e167ddaeea3b01d52c77701235ac9a15e0525149e84038dac57a06a9e3 |
C:\Windows\system\CVmZoMt.exe
| MD5 | 17552b65d25a524ed3bfa27ca6f706c9 |
| SHA1 | ef52e2462c3455407a07287211574043df557495 |
| SHA256 | 7353228881cb14bcf40fe9f37e2f686c6d737c34c90b982cc02888a8da8298ed |
| SHA512 | fd5f1bfd2e8226b5eb2cd7ecd801c9f705ea858c1db24d226d9c21fd76a95d33e52537222ad7c873fe7623d167b82b5db1eab5a64122914e5b856a4c2ae1482f |
C:\Windows\system\IwqiuNP.exe
| MD5 | 6105cadde08cd464dda42562a693fb8e |
| SHA1 | 557b7ff33bf62a4da74cd21eb89afff07777a88a |
| SHA256 | 9c29f25cdee5438957162fdba7443455f1b261a47107a5f61745b1afc42db28e |
| SHA512 | 4be8af52fd02856ca3a3969bec041e28a822c3b07fe6693b244f2ec1a07869a66e6e37ed45315224f44b11dfab48bf5b46efb4ff8d0f352144ef5bbe2788d88c |
C:\Windows\system\bPVekkP.exe
| MD5 | 0431492a86285d06802a7c37af511eda |
| SHA1 | 9a219473ea25732623b2e2e0954738cee2ed8889 |
| SHA256 | 37bcf328e8add634946d2abf7da2558306293110c3e5a3c8facccbd86bc4ce54 |
| SHA512 | 82d34892007f5d51f786edaa1ece897cf17c575a0025046f05853833040bfdbdca297ea70d22eff5e43808b4d9c3dcce165956ad56d3b0be27f16183743af225 |
C:\Windows\system\qoQgNJZ.exe
| MD5 | a966b0578cd40195043149aa113799ef |
| SHA1 | b3c627893beeb95b65176a0644c85842ec40b800 |
| SHA256 | fb8b7b9a50d7dab1e116f13148a967e42dffa5db4093bc3b9f3e227da2731e34 |
| SHA512 | 3068a08d79200f088224b863ac505b0f6428fa7ca6710e54ee54fcd8201a125469fc10808955c81210441f8c1707c485f1ec222b7b3b3301dcfcab43bc45d9bf |
C:\Windows\system\BvULLqZ.exe
| MD5 | ac93f1a8f0a8c04a0a84479cf2b535fa |
| SHA1 | ed0cdb54ab445199a35747712384948f6d13339e |
| SHA256 | 1012a80c4a0550ed6e15c85595e8595836375f7391cdba2dc63e296e0e590b09 |
| SHA512 | 23fd254cb2f723924530be0fccaece414447daf9a5490214ed1e03519718a1a43513eeaba46c2af7151bc3192486c3fa733a64a377a269dd0e93622f28823b41 |
memory/2424-97-0x0000000002380000-0x00000000026D4000-memory.dmp
C:\Windows\system\VjOIbbp.exe
| MD5 | b53637b41f3fa2fa30669d0e694532d7 |
| SHA1 | 5a1ff2d6404060dd2b0dc4ce4bde0bfb7ce2f180 |
| SHA256 | 3cb31021c24aa6ec8f1b99022598d762ece1c560721d08b55ab6bff4c292b1a0 |
| SHA512 | 35fa75a2eab615cf0974ce4997263f82b16458295dcc6ab22b64e8ca46474e58a3e74710d373e6041433686e96759b15ec79fb1e288ec85fa579b9cf1df072be |
memory/2424-91-0x000000013FEA0000-0x00000001401F4000-memory.dmp
C:\Windows\system\lQEbjyJ.exe
| MD5 | 4b60485c228d79c887176fdc048d1616 |
| SHA1 | 85474a9cbfd5541e8a5c593f9ee94a14de7d1f16 |
| SHA256 | c35ed620b2ea88dc031f890a613dd6a8caa76a8b51d9b9c786411aa3d26d3963 |
| SHA512 | 31b7367f0f9913e2ff066e55faeb1f69cd0d6dbd3e72a3c779b31faf873d711ceda439b07f450b1581a7ae8d654be4e785d8eba24036fc269a48b1d4d9bff5db |
memory/3032-86-0x000000013F6A0000-0x000000013F9F4000-memory.dmp
C:\Windows\system\pcoaSif.exe
| MD5 | 916dcaf6409d704fae1bfbb740388c75 |
| SHA1 | 281069f17eb0ccaad01419ce53631e75b57fe761 |
| SHA256 | 96d7094d5391f5d80be86dc653a59d57c2f738f3dec58d4c0b356bad939d211f |
| SHA512 | 80948c0ca64da893cc386600b8ee10447184eb8075a0a407bfc7a42431ac69cfa7e77662541f16c0e8c10213a3c623614de68a6b7c0d29a22288c48de9f424f8 |
C:\Windows\system\hFcIIUp.exe
| MD5 | 81891d73c2980f15348806ca34e509f8 |
| SHA1 | e9413e8a00adc5356fd731387209d808270eea73 |
| SHA256 | 62bd6b7bfdf2d7651fcda7cf99e1ba5561a892251a860e1e3ef46a80cd46f55a |
| SHA512 | e81dfbdda1ace927a915a6b2abfc34a0be01ddc44d14eba84e672ed297c3354bdf344ed787cecbf4e2f73b2e1391c6c87d9bdc00fa62dfe50f2ff0ff243b714f |
memory/2424-82-0x000000013F6A0000-0x000000013F9F4000-memory.dmp
memory/2280-81-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/1668-80-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2660-68-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2424-57-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2424-76-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2424-75-0x0000000002380000-0x00000000026D4000-memory.dmp
C:\Windows\system\YXAJIcK.exe
| MD5 | bb9c5aec55906a529e1c9717f5581390 |
| SHA1 | b60cadc9c35825b83a2d26d2766ef7fb20e21380 |
| SHA256 | 7a77c211f477e39a332c9a6b32e4394529a6a130ac96aab2b2d125ab5d4cec70 |
| SHA512 | f8724a9aaec8c56750f5931c8c9ad22359a9fb16e683e3ac350eacac72414400c8e553c3f9a26c939ec2ffb08e4144558440424805098860c00ac939af01375c |
memory/2920-73-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2424-72-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2424-64-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
C:\Windows\system\JsizMJs.exe
| MD5 | 3fc8f5e214a1916fda6aaa4469a9f628 |
| SHA1 | fe565e69c2d54465824d6091a740f429b805793b |
| SHA256 | 7ef10bf763b1b4093a5b2d966d1c9327bd70fe862c0378c14e68c69ab71df8db |
| SHA512 | 365436e9f36e7a897bcf67e47d319584f53f4881cdc629fed4197351719ec1852507645dcf59e55aaa68928bb7b5bd81ef17a86cd8c90ff962d6f5cf7919a808 |
memory/2808-51-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2424-50-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2624-44-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2424-43-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2712-37-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2424-36-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2076-30-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2424-26-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2416-12-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/1668-139-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2424-138-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2424-140-0x000000013F6A0000-0x000000013F9F4000-memory.dmp
memory/2492-141-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/3032-142-0x000000013F6A0000-0x000000013F9F4000-memory.dmp
memory/2424-143-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/1824-144-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2424-145-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2584-146-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2424-147-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/2416-148-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/2920-149-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2076-150-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2280-151-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2712-152-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2624-153-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2808-154-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2856-155-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2660-156-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/1668-158-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/1824-157-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/3032-160-0x000000013F6A0000-0x000000013F9F4000-memory.dmp
memory/2492-159-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2584-161-0x000000013F980000-0x000000013FCD4000-memory.dmp