Analysis Overview
SHA256
fdce2eda06cba3d141cc12371c3cdc9129bb861ef58b07f9d393a4e690787116
Threat Level: Known bad
The file 2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Cobaltstrike
xmrig
Xmrig family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
XMRig Miner payload
Cobaltstrike family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 15:43
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 15:43
Reported
2024-06-01 15:45
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qOXpwic.exe | N/A |
| N/A | N/A | C:\Windows\System\NAOVlwZ.exe | N/A |
| N/A | N/A | C:\Windows\System\xYRiwyx.exe | N/A |
| N/A | N/A | C:\Windows\System\qkDdZFN.exe | N/A |
| N/A | N/A | C:\Windows\System\BCXDqQs.exe | N/A |
| N/A | N/A | C:\Windows\System\lhsUacM.exe | N/A |
| N/A | N/A | C:\Windows\System\geUeyPB.exe | N/A |
| N/A | N/A | C:\Windows\System\AxNYslH.exe | N/A |
| N/A | N/A | C:\Windows\System\KtYqUtq.exe | N/A |
| N/A | N/A | C:\Windows\System\kXmjQih.exe | N/A |
| N/A | N/A | C:\Windows\System\shOZywh.exe | N/A |
| N/A | N/A | C:\Windows\System\tuJtjaw.exe | N/A |
| N/A | N/A | C:\Windows\System\ugyxqcV.exe | N/A |
| N/A | N/A | C:\Windows\System\EcPgtfC.exe | N/A |
| N/A | N/A | C:\Windows\System\ZbeOASX.exe | N/A |
| N/A | N/A | C:\Windows\System\dbiHPvK.exe | N/A |
| N/A | N/A | C:\Windows\System\zJTvZmE.exe | N/A |
| N/A | N/A | C:\Windows\System\DEAuyLa.exe | N/A |
| N/A | N/A | C:\Windows\System\yasJEoz.exe | N/A |
| N/A | N/A | C:\Windows\System\ZpXYIih.exe | N/A |
| N/A | N/A | C:\Windows\System\onlvaeY.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\qOXpwic.exe
C:\Windows\System\qOXpwic.exe
C:\Windows\System\NAOVlwZ.exe
C:\Windows\System\NAOVlwZ.exe
C:\Windows\System\xYRiwyx.exe
C:\Windows\System\xYRiwyx.exe
C:\Windows\System\qkDdZFN.exe
C:\Windows\System\qkDdZFN.exe
C:\Windows\System\BCXDqQs.exe
C:\Windows\System\BCXDqQs.exe
C:\Windows\System\lhsUacM.exe
C:\Windows\System\lhsUacM.exe
C:\Windows\System\geUeyPB.exe
C:\Windows\System\geUeyPB.exe
C:\Windows\System\AxNYslH.exe
C:\Windows\System\AxNYslH.exe
C:\Windows\System\KtYqUtq.exe
C:\Windows\System\KtYqUtq.exe
C:\Windows\System\kXmjQih.exe
C:\Windows\System\kXmjQih.exe
C:\Windows\System\shOZywh.exe
C:\Windows\System\shOZywh.exe
C:\Windows\System\tuJtjaw.exe
C:\Windows\System\tuJtjaw.exe
C:\Windows\System\ugyxqcV.exe
C:\Windows\System\ugyxqcV.exe
C:\Windows\System\EcPgtfC.exe
C:\Windows\System\EcPgtfC.exe
C:\Windows\System\ZbeOASX.exe
C:\Windows\System\ZbeOASX.exe
C:\Windows\System\dbiHPvK.exe
C:\Windows\System\dbiHPvK.exe
C:\Windows\System\zJTvZmE.exe
C:\Windows\System\zJTvZmE.exe
C:\Windows\System\DEAuyLa.exe
C:\Windows\System\DEAuyLa.exe
C:\Windows\System\yasJEoz.exe
C:\Windows\System\yasJEoz.exe
C:\Windows\System\ZpXYIih.exe
C:\Windows\System\ZpXYIih.exe
C:\Windows\System\onlvaeY.exe
C:\Windows\System\onlvaeY.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 15:43
Reported
2024-06-01 15:45
Platform
win7-20240220-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qOXpwic.exe | N/A |
| N/A | N/A | C:\Windows\System\NAOVlwZ.exe | N/A |
| N/A | N/A | C:\Windows\System\xYRiwyx.exe | N/A |
| N/A | N/A | C:\Windows\System\qkDdZFN.exe | N/A |
| N/A | N/A | C:\Windows\System\BCXDqQs.exe | N/A |
| N/A | N/A | C:\Windows\System\lhsUacM.exe | N/A |
| N/A | N/A | C:\Windows\System\geUeyPB.exe | N/A |
| N/A | N/A | C:\Windows\System\AxNYslH.exe | N/A |
| N/A | N/A | C:\Windows\System\KtYqUtq.exe | N/A |
| N/A | N/A | C:\Windows\System\kXmjQih.exe | N/A |
| N/A | N/A | C:\Windows\System\shOZywh.exe | N/A |
| N/A | N/A | C:\Windows\System\tuJtjaw.exe | N/A |
| N/A | N/A | C:\Windows\System\ugyxqcV.exe | N/A |
| N/A | N/A | C:\Windows\System\EcPgtfC.exe | N/A |
| N/A | N/A | C:\Windows\System\ZbeOASX.exe | N/A |
| N/A | N/A | C:\Windows\System\dbiHPvK.exe | N/A |
| N/A | N/A | C:\Windows\System\zJTvZmE.exe | N/A |
| N/A | N/A | C:\Windows\System\DEAuyLa.exe | N/A |
| N/A | N/A | C:\Windows\System\yasJEoz.exe | N/A |
| N/A | N/A | C:\Windows\System\ZpXYIih.exe | N/A |
| N/A | N/A | C:\Windows\System\onlvaeY.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\qOXpwic.exe | C:\Windows\System\qOXpwic.exe |
| C:\Windows\System\NAOVlwZ.exe | C:\Windows\System\NAOVlwZ.exe |
| C:\Windows\System\xYRiwyx.exe | C:\Windows\System\xYRiwyx.exe |
| C:\Windows\System\qkDdZFN.exe | C:\Windows\System\qkDdZFN.exe |
| C:\Windows\System\BCXDqQs.exe | C:\Windows\System\BCXDqQs.exe |
| C:\Windows\System\lhsUacM.exe | C:\Windows\System\lhsUacM.exe |
| C:\Windows\System\geUeyPB.exe | C:\Windows\System\geUeyPB.exe |
| C:\Windows\System\AxNYslH.exe | C:\Windows\System\AxNYslH.exe |
| C:\Windows\System\KtYqUtq.exe | C:\Windows\System\KtYqUtq.exe |
| C:\Windows\System\kXmjQih.exe | C:\Windows\System\kXmjQih.exe |
| C:\Windows\System\shOZywh.exe | C:\Windows\System\shOZywh.exe |
| C:\Windows\System\tuJtjaw.exe | C:\Windows\System\tuJtjaw.exe |
| C:\Windows\System\ugyxqcV.exe | C:\Windows\System\ugyxqcV.exe |
| C:\Windows\System\EcPgtfC.exe | C:\Windows\System\EcPgtfC.exe |
| C:\Windows\System\ZbeOASX.exe | C:\Windows\System\ZbeOASX.exe |
| C:\Windows\System\dbiHPvK.exe | C:\Windows\System\dbiHPvK.exe |
| C:\Windows\System\zJTvZmE.exe | C:\Windows\System\zJTvZmE.exe |
| C:\Windows\System\DEAuyLa.exe | C:\Windows\System\DEAuyLa.exe |
| C:\Windows\System\yasJEoz.exe | C:\Windows\System\yasJEoz.exe |
| C:\Windows\System\ZpXYIih.exe | C:\Windows\System\ZpXYIih.exe |
| C:\Windows\System\onlvaeY.exe | C:\Windows\System\onlvaeY.exe |
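Every dropped executable above sits directly in the legacy C:\Windows\System directory (not System32) and carries a seven-letter, mixed-case name. The script below is an added hunting example written for this page; it is not code from the sandbox report or from any tool the report names. It classifies a Windows path against that naming convention (the regex and the mixed-case rule are assumptions generalised from the 21 names above) and sweeps an on-disk directory, hashing each file with SHA-256 against a caller-supplied IOC set. The `logical_prefix` parameter, the `demo()` helper, the files it writes and the IOC hash it uses are all constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile
from pathlib import PureWindowsPath

# Seven ASCII letters plus ".exe": the shape of all 21 drop names in the
# report. Assumption: generalised from those names, not taken from any source.
DROP_NAME_RE = re.compile(r"^[A-Za-z]{7}\.exe$", re.IGNORECASE)


def is_drop_pattern(win_path):
    """True for <drive>\\Windows\\System\\<7 mixed-case letters>.exe.
    Also accepts the drive-less form the report uses (\\Windows\\system\\...)."""
    p = PureWindowsPath(win_path)
    parts = [part.lower() for part in p.parts]
    # Parent must be the legacy 'System' directory under 'Windows', not System32.
    if len(parts) < 3 or parts[-2] != "system" or parts[-3] != "windows":
        return False
    if not DROP_NAME_RE.match(p.name):
        return False
    # All observed names mix upper and lower case; an all-lowercase 7-letter
    # name such as svchost.exe is therefore not flagged on name alone.
    stem = p.stem
    return any(c.isupper() for c in stem) and any(c.islower() for c in stem)


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(directory, known_sha256, logical_prefix=r"C:\Windows\System"):
    """Scan one on-disk directory; return sorted (name, sha256, reasons) hits.
    logical_prefix (an assumption of this example) is the Windows path the
    directory stands for, so a lab copy of C:\\Windows\\System can be scanned
    on any host."""
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        logical = logical_prefix + "\\" + entry.name
        digest = sha256_file(entry.path)
        reasons = []
        if is_drop_pattern(logical):
            reasons.append("name-pattern")
        if digest in known_sha256:
            reasons.append("sha256-ioc")
        if reasons:
            hits.append((entry.name, digest, reasons))
    return sorted(hits)


def demo():
    """Constructed demo: three files in a temp directory, one matching the
    naming pattern, one matching a constructed IOC hash, one benign."""
    ioc_content = b"constructed sample standing in for a dropped miner"
    known = {hashlib.sha256(ioc_content).hexdigest()}  # constructed IOC
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "qOXpwic.exe"), "wb") as f:
            f.write(b"constructed placeholder content")
        with open(os.path.join(d, "svchost.exe"), "wb") as f:
            f.write(ioc_content)
        with open(os.path.join(d, "readme.txt"), "wb") as f:
            f.write(b"benign")
        return sweep(d, known)


if __name__ == "__main__":
    for name, digest, reasons in demo():
        print(name, digest[:16], reasons)
```

The two checks are deliberately independent: the name rule catches fresh drops whose hashes are not yet on any list, while the hash match catches a known sample that has been renamed to blend in. Both fire on the legacy System directory only; the same seven-letter name under System32 is not flagged, because that directory legitimately contains many short executable names.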
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/840-0-0x0000000000100000-0x0000000000110000-memory.dmp
memory/840-1-0x000000013F370000-0x000000013F6C4000-memory.dmp
C:\Windows\system\qOXpwic.exe
| MD5 | 1bfd5934e63eba29d81444c31c1cb39a |
| SHA1 | 59fa01c38b3ab580dc30b892a010bd7175c00691 |
| SHA256 | f7bc72c0af28fb023d3a38a8a22c4e66fb954f85d5a4fc6b0fc1b5b8fb12c6bd |
| SHA512 | cc342cb774df543e3dfe59331360d3b625fd857c50e93d409efcd47f45fd7c33704f953aa1381e5e690f282e4ea71dd662f5b1c64a39ae940689cbdfa6471a45 |
memory/1996-9-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/840-7-0x000000013FDD0000-0x0000000140124000-memory.dmp
\Windows\system\NAOVlwZ.exe
| MD5 | b08de410c48ab166f1953ed15d3c8fc5 |
| SHA1 | 5803ddb70869fe4e7497789ac9e8ac9d168e20b7 |
| SHA256 | 4e354c5adee6944ff602f2b65638155062a57be0cd8dea637e27e3131b03bd9b |
| SHA512 | 00018d54a5898f63c008d997149e416ce11d3b741500c7cc623c49266f0fe54422f6e61ef2f5270e6361affbb17534fb1b8401a5717e6d87cb891eaab9ca638f |
memory/2572-21-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/1796-20-0x000000013FE00000-0x0000000140154000-memory.dmp
C:\Windows\system\xYRiwyx.exe
| MD5 | bfd46266a24a99564d745f90f5bce68f |
| SHA1 | d28211c0b19633d32e89369bad10ae4fd9abd987 |
| SHA256 | 7b604a00afa52c68d3c2bc3ca515b246438405b4d8b4553ca273630503e2782c |
| SHA512 | 967b37230cd05934a2299cfde28b610ab87f1047209e811975d3b23cc09ba306e369dc2ea6b9ec60c5f7ce7423295735d0612167b212d71a6829d7ee8aea74a0 |
memory/840-22-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/840-24-0x0000000002520000-0x0000000002874000-memory.dmp
\Windows\system\qkDdZFN.exe
| MD5 | 34314d261de0e7ccba1c856f75cb1155 |
| SHA1 | 5a331b47a32e5cb65bde83adce5b5457b726b587 |
| SHA256 | 50779bd77af5ac22ecb82436d0854f2d5d9de20821fb964f18fd28695b10f394 |
| SHA512 | 954b5c55c039469c10bef1e1eb1451ac9ce8de450e09a3b1bf85a78daaee099c0a06fb4fa11c3eb952bfc0bae6b086363fb4ca4063bf904f533aef0acd73002f |
memory/2060-28-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/840-34-0x0000000002520000-0x0000000002874000-memory.dmp
\Windows\system\lhsUacM.exe
| MD5 | adb2ca87e5597466c1803b248275fd28 |
| SHA1 | 5606ab2f6772d27c49b3ab80f6467c1b26eb0a59 |
| SHA256 | 614affacfcf5ef6ad0d3bfe206e54f14db617a2e3d1be8bef9779e238c4ad8da |
| SHA512 | 6acf8674933468b9b4c50897b4cd4ce0b1d5ed1235fc48a9362d412fd55fb8e383457aeb779efc25f46774c1190c05589ae841793d3759a569be3b7345f79c41 |
memory/2520-41-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2604-39-0x000000013F500000-0x000000013F854000-memory.dmp
C:\Windows\system\AxNYslH.exe
| MD5 | 46e6c11beebf7238362789e81edf0805 |
| SHA1 | 75a3aeaa90892febee42d55554471b471d89c90f |
| SHA256 | 4e0ee746e68d3723dd551150dbf42cb256a294638d7e3cf8f12f2e12e7cad815 |
| SHA512 | 8859176059ee7fa9478aa2b32b4fdeb6a6df8e8827a7867b0322775a39c8f145ae66b359613b15b5f7b66e5d4e82c24b60e4bea9414ebde1616be2bc76138dd9 |
memory/840-55-0x0000000002520000-0x0000000002874000-memory.dmp
\Windows\system\KtYqUtq.exe
| MD5 | bdee44517a2a3bb90444f2f1f2c7c96b |
| SHA1 | 02ac19389300a81df5364f3128cff2704bd52e8f |
| SHA256 | bd44a3e73a18406c567a37d790a2622e43ba10fe0a3465f2cb6f12b6a79ec41b |
| SHA512 | 9af1e1621aae39492930f657926a65189351b127009dff52e3bae1019692ac3948a77728df4e3bc51cef0efd6bb8406107d34f36713895eeb92c5d3b8e537e5f |
memory/1996-60-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/840-59-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2736-56-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2548-50-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/840-49-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/840-47-0x000000013F710000-0x000000013FA64000-memory.dmp
C:\Windows\system\geUeyPB.exe
| MD5 | 0eb6a2801746b1606911ef51b2b2405d |
| SHA1 | f476e639a78c6019e482f96333d2ce64829752d1 |
| SHA256 | 559b486cb788d3e64f56ec3bf800a6b513813c0286491213beaf6346b0e95534 |
| SHA512 | ac454fcebe8763acdae7d6a6fa85b8d1dbd41e13a24eb16dab63d136f1998a30bebe32c743e8011edf2551625b184d17d3ea4e1c157f1e73abc987f0bc0408b7 |
C:\Windows\system\BCXDqQs.exe
| MD5 | e09b6dbf4af554fa273421f70b85a178 |
| SHA1 | 4ee0f7baa0b41207f7b544a998c3676f488e94bd |
| SHA256 | 57758e0a98175bfd903a7a8729abc02cf9b16d454ea148e248749e0e80b3d860 |
| SHA512 | a4de8af60e748fa1fc29b9ce6d265c7c61c5863d4b0bf6fbe5ec90a7c11f8109bccca521d3c813c6c5fb7791a28862a26686dcd03c952b736297949c5894986f |
\Windows\system\kXmjQih.exe
| MD5 | db3fc19e3f6480d4213d353097291779 |
| SHA1 | de8e4515af7c221e18fa75488e07854127bdb0fd |
| SHA256 | 3a6772942ecca5953d56734b9bb28a2e5b6469bf4b38800980813a16e0e38aa5 |
| SHA512 | f74e46d3d5c068ab74a4faf05b4b42b2985c679936aa5e8f1308b9a957d259f7fd1838770702ea52923a091484b0c7143d7ed8a4120c75f3cce841a71996913d |
memory/2552-70-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2400-72-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/840-71-0x000000013FA40000-0x000000013FD94000-memory.dmp
C:\Windows\system\shOZywh.exe
| MD5 | 16efdedbd62fa7ce7b7a006201d689e6 |
| SHA1 | 180c47d46c523826be8d34ea409973e53a5d13c6 |
| SHA256 | c7ef2a938c55815323d87619f2341927b45f5ba60cbab9848c7d931cdbfc8188 |
| SHA512 | bb32b99d8e1389082622d3219c936030ce3b88e92772dc193aea3b73b7f463dc73b17a4a38758d7554c501f5487a65d4b94c75d3de84f0694d6598615005ea04 |
memory/808-79-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/840-78-0x0000000002520000-0x0000000002874000-memory.dmp
C:\Windows\system\tuJtjaw.exe
| MD5 | 9e3047f25904b6f1774e6fb571b38089 |
| SHA1 | e4d3f55a7354d42d427c62eb039ffeaa8523f9f2 |
| SHA256 | 2029c6e55739922252d4023b9e3e43a3a1b0e88032d9a8efb9eb01b275b3bec5 |
| SHA512 | e509c8065c632261111346a3415acb61d5358def1f2b63d3604327d27fa98e83570b1c2d8c7e760e9c9c7c11d9c273b0ba74d89b3968b3d30d55c8a77f38c64d |
memory/2372-87-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/840-86-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2060-85-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2604-93-0x000000013F500000-0x000000013F854000-memory.dmp
memory/840-94-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/2692-95-0x000000013FB40000-0x000000013FE94000-memory.dmp
C:\Windows\system\ugyxqcV.exe
| MD5 | 6b6b5aaf621a3930f7a9be04a70cc3b8 |
| SHA1 | b8cb3b8ed3435bfd69e75fb6e85bd4e583b9dca5 |
| SHA256 | 2493b6d646e93b4ad89d8ba9b55beccdf8e48de5168d009966ef4b0414e599da |
| SHA512 | 6420794290d436892ae9a8165fb097e45ce5abdaac1276e6fd74d264a754485f1ddbd0f9d58e4722cc0c5c227d2cdc0103cff6f2a71b96a5780b1b67c452888a |
C:\Windows\system\EcPgtfC.exe
| MD5 | b88a952c090763e6ec9ee7f31158791d |
| SHA1 | 409e5a6280576c1fb5bf1b84f5422168b971bd67 |
| SHA256 | 424098759e08746130f1d6a97235f842adcf355b0b1e6ac1257b54c0f7cfdb67 |
| SHA512 | f51971278ccbbcef7f91b0b24276adafa0b85ae7f20f2917ca2361392386506427a5542be3b03a13e2b31d6e17dd2a82773d3b6e4f1701304a6092b6d3a2581c |
memory/1920-103-0x000000013F210000-0x000000013F564000-memory.dmp
memory/840-102-0x0000000002520000-0x0000000002874000-memory.dmp
C:\Windows\system\ZbeOASX.exe
| MD5 | 2c34413827947ecd03dce7f8848d9c36 |
| SHA1 | 8e7cf5112006f2a5c3e268b5187d7edd682aa7a8 |
| SHA256 | 64ec00ea7671082ef4343f55645649c93011dbfb7c6e465b110df1d82807a81c |
| SHA512 | 3c57901c411a37d9ff1f947f203e18d687533302899ee284cff326d6e9f24fee8fd54aef3d83b08c52202cc4c0f8c6bdc556e5fbb6ee72ab2f5bcd38ed7848fd |
memory/2520-101-0x000000013F710000-0x000000013FA64000-memory.dmp
C:\Windows\system\ZpXYIih.exe
| MD5 | ce5223de0c8d5e7b569a748dd57f83b3 |
| SHA1 | 8c9d8c275fde1659a827560b826005f0e684e84f |
| SHA256 | 5f35f4dc9b99099d145502908ac5d91f5b49f01de0999448d10c53728d397474 |
| SHA512 | 0d5c4db8e1e2ac17dda4fbc78a77e3bbf9e5fd63e1295a7f97ca19de8004046145b0afcd7262ca5c3befe4a4b8bbee27638646e1852a6547afba5d4f27c9598a |
\Windows\system\onlvaeY.exe
| MD5 | 0c1f3c0b629430f02f60666badfc851a |
| SHA1 | 1e74a416394362ce0be6afbf151eb4019e0fa330 |
| SHA256 | aa7980154adf973d5a1e9fd3d4438d96c8bc5bb2b2db14c478f9bcd48651c673 |
| SHA512 | dee6b8165432242206b4864aadb99405a6e6703c8648785f2aaff6e4dd86521e2fb5402f9d6380450f78e8000149a3694ef738c33f40becc80ff30a2acdcd250 |
C:\Windows\system\yasJEoz.exe
| MD5 | 20c5b3c73cd490e32858d82ca087b784 |
| SHA1 | 87e08f556812b30827fffb32a42b6ef40dd08429 |
| SHA256 | 83c371220418ccab94a6ca4f90d77a8e9e99eb97e1ec7f31c847d511b946b6fa |
| SHA512 | 774ba0a48b40749fb5d0846e38ba568cac6180921940feae42c68caf2b76f322082080c06cc05e1b84e1124753e59364f5ea484e044b77fd0ae44a26486d1a49 |
C:\Windows\system\DEAuyLa.exe
| MD5 | fa4af4349895fb60110461b303c0c372 |
| SHA1 | 0b9ea57995e613a4fa81ae7b9d988525fd1850ea |
| SHA256 | 96f3af7817c991a179e4a7455ebc4d29e725c3370c6933580b24c189bee810a8 |
| SHA512 | 3aa067837d2ef71a7de79100e79af17f30236f5ee9b5c879222cb3863b27a79e9248a3074949c15cf086ac86954167edf12beffd8fc7986624a561775400af4e |
C:\Windows\system\zJTvZmE.exe
| MD5 | eef0961413de564d4e633583885e5a37 |
| SHA1 | ac9f874c6f1a1b30d0e78945884d4d9c000fc096 |
| SHA256 | 71a2a5686a9770c8c5c10cf1c66bec2244e727c8fcb265b503402c87ec0289b4 |
| SHA512 | 1487e2af642664e235ac674f4467dde2830a1dca5da63ff37c610cdca257b3b81c484e261e80c8ae721101a0a55b1d67556887d467953189ce2649dff2b6dd4e |
C:\Windows\system\dbiHPvK.exe
| MD5 | 7171c55a224ddcc646492ca55143374e |
| SHA1 | f63815edbd935811b2c35c15463a221da44fe016 |
| SHA256 | 7a951ceefb8d254d2760983e50b882ef63d9bca6fd6d2c262ddd7d3a8a145dc7 |
| SHA512 | d1596a7f23a789cb274f4917a020095e795cc1db04fa84f29d873a8a5efd46ccb003f1acc5a8f78772ef280b1ebd58bee9fcbd601c0b7e516fdd51c518bb3ef9 |
memory/2736-139-0x000000013F340000-0x000000013F694000-memory.dmp
memory/840-138-0x0000000002520000-0x0000000002874000-memory.dmp
memory/840-140-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/840-141-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/840-142-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/1996-143-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/1796-144-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2572-145-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2060-146-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2604-147-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2548-149-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2520-148-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2736-150-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2552-151-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2400-152-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/808-153-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2372-154-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2692-155-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/1920-156-0x000000013F210000-0x000000013F564000-memory.dmp
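The memory/<pid>-<index>-<start>-<end>-memory.dmp names above record which process a region was dumped from and the region's virtual address bounds. The following is an added analysis example, not code from the sandbox report or from any tool it names: it parses those names, groups regions by PID, and flags address ranges that were dumped with identical bounds from both the parent PID 840 and a child PID, which is how an analyst corroborates the "Suspicious use of WriteProcessMemory" signature from the artefact list alone. The input list is a subset of the dump names copied from this section; the name layout is inferred from those entries, and the reading that parent/child overlaps reflect the parent writing into its children is an assumption of this example, not a statement the report makes.

```python
import re
from collections import defaultdict

# Dump names copied from the report's Files section (parent PID 840 plus a
# few dropped children). Layout inferred: memory/<pid>-<index>-<start>-<end>-memory.dmp
DUMP_NAMES = [
    "memory/840-0-0x0000000000100000-0x0000000000110000-memory.dmp",
    "memory/840-1-0x000000013F370000-0x000000013F6C4000-memory.dmp",
    "memory/1996-9-0x000000013FDD0000-0x0000000140124000-memory.dmp",
    "memory/840-7-0x000000013FDD0000-0x0000000140124000-memory.dmp",
    "memory/2572-21-0x000000013F790000-0x000000013FAE4000-memory.dmp",
    "memory/840-22-0x000000013F790000-0x000000013FAE4000-memory.dmp",
    "memory/840-24-0x0000000002520000-0x0000000002874000-memory.dmp",
    "memory/2060-28-0x000000013F1E0000-0x000000013F534000-memory.dmp",
    "memory/2520-41-0x000000013F710000-0x000000013FA64000-memory.dmp",
    "memory/840-47-0x000000013F710000-0x000000013FA64000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Return (pid, index, start, end) for one dump name, or None if it does not match."""
    m = DUMP_RE.match(name)
    if m is None:
        return None
    return int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16)


def regions_by_pid(names):
    """Map pid -> set of (start, end) regions dumped from that process."""
    out = defaultdict(set)
    for n in names:
        parsed = parse_dump_name(n)
        if parsed is None:
            continue
        pid, _, start, end = parsed
        out[pid].add((start, end))
    return dict(out)


def shared_regions(names):
    """Regions whose exact bounds were dumped from more than one process.
    Returns {(start, end): sorted list of pids}."""
    seen = defaultdict(set)
    for pid, regs in regions_by_pid(names).items():
        for r in regs:
            seen[r].add(pid)
    return {r: sorted(p) for r, p in seen.items() if len(p) > 1}


def size_histogram(names):
    """Count distinct (pid, region) dumps per region size in bytes. A single
    size repeated across many PIDs points at one payload spawned many times."""
    hist = defaultdict(int)
    for regs in regions_by_pid(names).values():
        for start, end in regs:
            hist[end - start] += 1
    return dict(hist)


def report(names, parent_pid):
    """Human-readable lines for regions shared between parent_pid and a child."""
    lines = []
    for (start, end), pids in sorted(shared_regions(names).items()):
        children = [p for p in pids if p != parent_pid]
        if parent_pid in pids and children:
            lines.append(f"0x{start:X}-0x{end:X} ({end - start:#x} bytes): "
                         f"parent {parent_pid} and child {children}")
    return lines


if __name__ == "__main__":
    for line in report(DUMP_NAMES, 840):
        print(line)
    print({hex(k): v for k, v in size_histogram(DUMP_NAMES).items()})
```

Run on the subset above, every region except the parent's own 0x10000-byte block is exactly 0x354000 bytes, and three child image ranges also appear under PID 840 with identical bounds. Run on the full list in this section the same holds for every child, which is the artefact-level picture to expect from a parent that spawns each dropped file and then writes into it.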