Analysis Overview
SHA256
acfc09ac9e8ace846210d8ad53a648cd365c36142abad8f6f1e379ebc0b1214f
Threat Level: Known bad
The file 2024-06-06_81937f385524e513c3335390ffa4ce94_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
xmrig
Cobaltstrike family
Cobaltstrike
UPX dump on OEP (original entry point)
Xmrig family
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 11:51
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 11:49
Reported
2024-06-06 11:53
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\nXsHXFY.exe | N/A |
| N/A | N/A | C:\Windows\System\PWGBVOb.exe | N/A |
| N/A | N/A | C:\Windows\System\sSIqCzj.exe | N/A |
| N/A | N/A | C:\Windows\System\EvjEtQL.exe | N/A |
| N/A | N/A | C:\Windows\System\epeDNbi.exe | N/A |
| N/A | N/A | C:\Windows\System\FUqmXqb.exe | N/A |
| N/A | N/A | C:\Windows\System\LPlorLY.exe | N/A |
| N/A | N/A | C:\Windows\System\ZesCYKz.exe | N/A |
| N/A | N/A | C:\Windows\System\BrKTDjT.exe | N/A |
| N/A | N/A | C:\Windows\System\zVpXoOW.exe | N/A |
| N/A | N/A | C:\Windows\System\IfAWSZi.exe | N/A |
| N/A | N/A | C:\Windows\System\tFknxzi.exe | N/A |
| N/A | N/A | C:\Windows\System\HEQyIRI.exe | N/A |
| N/A | N/A | C:\Windows\System\nUqijBj.exe | N/A |
| N/A | N/A | C:\Windows\System\QwqHcuC.exe | N/A |
| N/A | N/A | C:\Windows\System\NBgemjV.exe | N/A |
| N/A | N/A | C:\Windows\System\THCqdYe.exe | N/A |
| N/A | N/A | C:\Windows\System\BzJOQQk.exe | N/A |
| N/A | N/A | C:\Windows\System\bqaQwLa.exe | N/A |
| N/A | N/A | C:\Windows\System\svLuXCV.exe | N/A |
| N/A | N/A | C:\Windows\System\jCyywLm.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_81937f385524e513c3335390ffa4ce94_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_81937f385524e513c3335390ffa4ce94_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-06_81937f385524e513c3335390ffa4ce94_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-06_81937f385524e513c3335390ffa4ce94_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\nXsHXFY.exe | C:\Windows\System\nXsHXFY.exe |
| C:\Windows\System\PWGBVOb.exe | C:\Windows\System\PWGBVOb.exe |
| C:\Windows\System\sSIqCzj.exe | C:\Windows\System\sSIqCzj.exe |
| C:\Windows\System\EvjEtQL.exe | C:\Windows\System\EvjEtQL.exe |
| C:\Windows\System\epeDNbi.exe | C:\Windows\System\epeDNbi.exe |
| C:\Windows\System\FUqmXqb.exe | C:\Windows\System\FUqmXqb.exe |
| C:\Windows\System\LPlorLY.exe | C:\Windows\System\LPlorLY.exe |
| C:\Windows\System\ZesCYKz.exe | C:\Windows\System\ZesCYKz.exe |
| C:\Windows\System\BrKTDjT.exe | C:\Windows\System\BrKTDjT.exe |
| C:\Windows\System\zVpXoOW.exe | C:\Windows\System\zVpXoOW.exe |
| C:\Windows\System\IfAWSZi.exe | C:\Windows\System\IfAWSZi.exe |
| C:\Windows\System\tFknxzi.exe | C:\Windows\System\tFknxzi.exe |
| C:\Windows\System\HEQyIRI.exe | C:\Windows\System\HEQyIRI.exe |
| C:\Windows\System\nUqijBj.exe | C:\Windows\System\nUqijBj.exe |
| C:\Windows\System\QwqHcuC.exe | C:\Windows\System\QwqHcuC.exe |
| C:\Windows\System\NBgemjV.exe | C:\Windows\System\NBgemjV.exe |
| C:\Windows\System\THCqdYe.exe | C:\Windows\System\THCqdYe.exe |
| C:\Windows\System\BzJOQQk.exe | C:\Windows\System\BzJOQQk.exe |
| C:\Windows\System\bqaQwLa.exe | C:\Windows\System\bqaQwLa.exe |
| C:\Windows\System\svLuXCV.exe | C:\Windows\System\svLuXCV.exe |
| C:\Windows\System\jCyywLm.exe | C:\Windows\System\jCyywLm.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4328 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 11:49
Reported
2024-06-06 11:53
Platform
win7-20240221-en
Max time kernel
137s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dabJTdv.exe | N/A |
| N/A | N/A | C:\Windows\System\OOZtHUA.exe | N/A |
| N/A | N/A | C:\Windows\System\zqXBLUa.exe | N/A |
| N/A | N/A | C:\Windows\System\WoyQilu.exe | N/A |
| N/A | N/A | C:\Windows\System\iwvSBnq.exe | N/A |
| N/A | N/A | C:\Windows\System\pYBjPyE.exe | N/A |
| N/A | N/A | C:\Windows\System\qjCXZBq.exe | N/A |
| N/A | N/A | C:\Windows\System\vubSCZV.exe | N/A |
| N/A | N/A | C:\Windows\System\toIIxwF.exe | N/A |
| N/A | N/A | C:\Windows\System\VAdGhnX.exe | N/A |
| N/A | N/A | C:\Windows\System\onMPssq.exe | N/A |
| N/A | N/A | C:\Windows\System\AlppVCv.exe | N/A |
| N/A | N/A | C:\Windows\System\bUkOaLG.exe | N/A |
| N/A | N/A | C:\Windows\System\VxVhIEo.exe | N/A |
| N/A | N/A | C:\Windows\System\LBheIHS.exe | N/A |
| N/A | N/A | C:\Windows\System\BnxYxIj.exe | N/A |
| N/A | N/A | C:\Windows\System\AVbxhef.exe | N/A |
| N/A | N/A | C:\Windows\System\HwSuJUk.exe | N/A |
| N/A | N/A | C:\Windows\System\mSXSJpV.exe | N/A |
| N/A | N/A | C:\Windows\System\CKUPrBL.exe | N/A |
| N/A | N/A | C:\Windows\System\ziOJhNO.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_81937f385524e513c3335390ffa4ce94_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_81937f385524e513c3335390ffa4ce94_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-06_81937f385524e513c3335390ffa4ce94_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-06_81937f385524e513c3335390ffa4ce94_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\dabJTdv.exe | C:\Windows\System\dabJTdv.exe |
| C:\Windows\System\OOZtHUA.exe | C:\Windows\System\OOZtHUA.exe |
| C:\Windows\System\zqXBLUa.exe | C:\Windows\System\zqXBLUa.exe |
| C:\Windows\System\WoyQilu.exe | C:\Windows\System\WoyQilu.exe |
| C:\Windows\System\iwvSBnq.exe | C:\Windows\System\iwvSBnq.exe |
| C:\Windows\System\qjCXZBq.exe | C:\Windows\System\qjCXZBq.exe |
| C:\Windows\System\pYBjPyE.exe | C:\Windows\System\pYBjPyE.exe |
| C:\Windows\System\VAdGhnX.exe | C:\Windows\System\VAdGhnX.exe |
| C:\Windows\System\vubSCZV.exe | C:\Windows\System\vubSCZV.exe |
| C:\Windows\System\AlppVCv.exe | C:\Windows\System\AlppVCv.exe |
| C:\Windows\System\toIIxwF.exe | C:\Windows\System\toIIxwF.exe |
| C:\Windows\System\BnxYxIj.exe | C:\Windows\System\BnxYxIj.exe |
| C:\Windows\System\onMPssq.exe | C:\Windows\System\onMPssq.exe |
| C:\Windows\System\HwSuJUk.exe | C:\Windows\System\HwSuJUk.exe |
| C:\Windows\System\bUkOaLG.exe | C:\Windows\System\bUkOaLG.exe |
| C:\Windows\System\mSXSJpV.exe | C:\Windows\System\mSXSJpV.exe |
| C:\Windows\System\VxVhIEo.exe | C:\Windows\System\VxVhIEo.exe |
| C:\Windows\System\CKUPrBL.exe | C:\Windows\System\CKUPrBL.exe |
| C:\Windows\System\LBheIHS.exe | C:\Windows\System\LBheIHS.exe |
| C:\Windows\System\ziOJhNO.exe | C:\Windows\System\ziOJhNO.exe |
| C:\Windows\System\AVbxhef.exe | C:\Windows\System\AVbxhef.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files