Analysis Overview
SHA256
bb9c7de1b0445bf7a0b43451ab0d427e69d9a253d4182484313b3ec510c71e64
Threat Level: Known bad
The file 2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike was found to be: Known bad. Both detonations (Windows 7 and Windows 10) record the same chain: the sample drops 21 UPX-packed executables with random seven-letter names into C:\Windows\System, executes each of them, enables SeLockMemoryPrivilege on its own token (the right XMRig requires for large-page memory) and connects repeatedly to 3.120.209.58:8080 over TCP. The Cobalt Strike and reflective-loader signatures fire in both runs but record no indicator, process or target, so this report by itself does not establish a beacon; the behaviour it does record is that of an XMRig miner.
Malicious Activity Summary
Cobalt Strike reflective loader
Xmrig family
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike
Cobaltstrike family
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 12:24
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 12:24
Reported
2024-06-06 12:26
Platform
win7-20240221-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target recorded for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; no description, indicator, process or target recorded for any of them.
UPX dump on OEP (original entry point)
61 matches; no description, indicator, process or target recorded for any of them.
XMRig Miner payload
64 matches; no description, indicator, process or target recorded for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\RvxlBVA.exe | N/A |
| N/A | N/A | C:\Windows\System\NqUrUwU.exe | N/A |
| N/A | N/A | C:\Windows\System\MOuVdvz.exe | N/A |
| N/A | N/A | C:\Windows\System\HepQXTj.exe | N/A |
| N/A | N/A | C:\Windows\System\kCBWwpU.exe | N/A |
| N/A | N/A | C:\Windows\System\inFbgmp.exe | N/A |
| N/A | N/A | C:\Windows\System\vzTpaDk.exe | N/A |
| N/A | N/A | C:\Windows\System\CRjkjIS.exe | N/A |
| N/A | N/A | C:\Windows\System\KGvWsOe.exe | N/A |
| N/A | N/A | C:\Windows\System\YbiGkqn.exe | N/A |
| N/A | N/A | C:\Windows\System\UHgKPts.exe | N/A |
| N/A | N/A | C:\Windows\System\JEaNyWs.exe | N/A |
| N/A | N/A | C:\Windows\System\KrUZMZL.exe | N/A |
| N/A | N/A | C:\Windows\System\wHlFBFK.exe | N/A |
| N/A | N/A | C:\Windows\System\WELneEo.exe | N/A |
| N/A | N/A | C:\Windows\System\fvDQIfw.exe | N/A |
| N/A | N/A | C:\Windows\System\LsxSEtF.exe | N/A |
| N/A | N/A | C:\Windows\System\mDssAJN.exe | N/A |
| N/A | N/A | C:\Windows\System\LMNOQiB.exe | N/A |
| N/A | N/A | C:\Windows\System\GGzJhKZ.exe | N/A |
| N/A | N/A | C:\Windows\System\UrBnkWf.exe | N/A |
Loads dropped DLL
UPX packed file
62 matches; no description, indicator, process or target recorded for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\RvxlBVA.exe
C:\Windows\System\RvxlBVA.exe
C:\Windows\System\NqUrUwU.exe
C:\Windows\System\NqUrUwU.exe
C:\Windows\System\MOuVdvz.exe
C:\Windows\System\MOuVdvz.exe
C:\Windows\System\HepQXTj.exe
C:\Windows\System\HepQXTj.exe
C:\Windows\System\kCBWwpU.exe
C:\Windows\System\kCBWwpU.exe
C:\Windows\System\inFbgmp.exe
C:\Windows\System\inFbgmp.exe
C:\Windows\System\CRjkjIS.exe
C:\Windows\System\CRjkjIS.exe
C:\Windows\System\vzTpaDk.exe
C:\Windows\System\vzTpaDk.exe
C:\Windows\System\KGvWsOe.exe
C:\Windows\System\KGvWsOe.exe
C:\Windows\System\YbiGkqn.exe
C:\Windows\System\YbiGkqn.exe
C:\Windows\System\UHgKPts.exe
C:\Windows\System\UHgKPts.exe
C:\Windows\System\JEaNyWs.exe
C:\Windows\System\JEaNyWs.exe
C:\Windows\System\KrUZMZL.exe
C:\Windows\System\KrUZMZL.exe
C:\Windows\System\wHlFBFK.exe
C:\Windows\System\wHlFBFK.exe
C:\Windows\System\WELneEo.exe
C:\Windows\System\WELneEo.exe
C:\Windows\System\fvDQIfw.exe
C:\Windows\System\fvDQIfw.exe
C:\Windows\System\LsxSEtF.exe
C:\Windows\System\LsxSEtF.exe
C:\Windows\System\mDssAJN.exe
C:\Windows\System\mDssAJN.exe
C:\Windows\System\LMNOQiB.exe
C:\Windows\System\LMNOQiB.exe
C:\Windows\System\GGzJhKZ.exe
C:\Windows\System\GGzJhKZ.exe
C:\Windows\System\UrBnkWf.exe
C:\Windows\System\UrBnkWf.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1308-0-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/1308-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\RvxlBVA.exe
| MD5 | 06229b0d236776f1128473ea37ce0507 |
| SHA1 | e04265353869987bf4a200b5ad8c9c846688837d |
| SHA256 | 68ae45e45b4c7626afa3363564219e75480a0a713165585d0cd705cba30b7d1e |
| SHA512 | 2e63e7dd0c780aa5f2f11fe5b2613bd3ff7450a33b9bcf49b9d11d13a98a3bb2f70fd73480812cf03dce7ef8823d6e41a1c7c9de5471bef280bc6567984c44d9 |
C:\Windows\system\NqUrUwU.exe
| MD5 | c7b921deb5f875b3a71556de27026715 |
| SHA1 | affc54e2e3dc636281b9333c9701f8c486161bb3 |
| SHA256 | 5a869082889aaa968953e5ea31f81fd71a73e29d1cbe476f9ecf35660beb54f2 |
| SHA512 | b13d7e9a1a9b517129b13f400ba72299ec785cee03c9cf28959b42e769bfb6cbe5fb9a0a861c96e874f1b43ffb25a57c9b5734a56e0204928690246ff38bf07e |
memory/2972-15-0x000000013F310000-0x000000013F664000-memory.dmp
memory/1308-12-0x0000000002410000-0x0000000002764000-memory.dmp
memory/2748-9-0x000000013F4C0000-0x000000013F814000-memory.dmp
C:\Windows\system\MOuVdvz.exe
| MD5 | 1c975139e8a26cb5054721b7b134a1f7 |
| SHA1 | ec082930915c5dc6b06fb5aa6e3043fb69d99e90 |
| SHA256 | 276e0cd7bee13364020c993f6028e032a18da6984ebb3e242b1fb24fe5f0a03b |
| SHA512 | a7c5f68bfa6ce557d949a7a559432b6fb6d83ca1a76049bb178d284d67419327c3e28a26e3aa6e8c739ef7318375cb6d0e9db71b8f6e9011caeab27a1f58164e |
memory/2680-21-0x000000013F2D0000-0x000000013F624000-memory.dmp
C:\Windows\system\HepQXTj.exe
| MD5 | 8326c0a131be56b3aff6a6ed84ffb5f5 |
| SHA1 | 62caf9e9528ee5e9f12f484de6bc1af1338b1e27 |
| SHA256 | 4e7a8a46130c6291ed3de52105492c26480a6854b107d0b33046ad014507cea2 |
| SHA512 | 042561dfe1f440233775a251f4958df55ccf78532e32402bf5355769bfd4cfe78ca9b4c22a141683bdd7758fd8715b26435e3dd1838f677772a01112177d7347 |
memory/2152-28-0x000000013F4F0000-0x000000013F844000-memory.dmp
\Windows\system\kCBWwpU.exe
| MD5 | f1eea9b5233019cc3aff395b6ff5d06e |
| SHA1 | f2307db7aca1187bf26bcecb0d54b43912249e1a |
| SHA256 | 2dda3a5f6df6dfe8a0cae4bd8ef2a3e99d3592dd91dc9e6b30583a75b88044ab |
| SHA512 | 56a877d3e56af800e2622dad78ad15b3415ebd78518a75e5a673d15e8dc48c43a6624ea079d13c6626c099343e5a035df292bcfc99e7b9db6fd2be74dd7b06e5 |
memory/1308-26-0x0000000002410000-0x0000000002764000-memory.dmp
memory/2584-33-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/1308-31-0x0000000002410000-0x0000000002764000-memory.dmp
\Windows\system\inFbgmp.exe
| MD5 | cabcfd37e6451c0bb59f2053d2e1941b |
| SHA1 | 03cba68d38b56dadb4925d6a1eef443c7d4c0408 |
| SHA256 | 4f4062133d95b6bfabe9d7e39245fd3f1d60fbf6825f608db5271b4d674521d2 |
| SHA512 | d2b7e7b069a65aa88970665cdb971b59c8f3fda347d92fc12080f568b03e7af4db5eebf5a706d985d86c3e84d868731a66dfa02905e58b4719d4ab7377ee6afc |
memory/1308-41-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/1308-49-0x000000013FEB0000-0x0000000140204000-memory.dmp
C:\Windows\system\vzTpaDk.exe
| MD5 | b30167770e826961b43601178a55d3b1 |
| SHA1 | f1f76a12e219dcc22d705c78b0ecf148425e602b |
| SHA256 | 0055ceefdaf6eab9d0776e1b2a1f818aa1687e0055fb392e2d0e83496ccf60da |
| SHA512 | e4357603200f9daef98fe0cf3f5a97ea09766adc45bec330b54749f35c1de492155c3a612492d51d1a76cc09c325450e415d1398f25f8e7b4bf496c689a0ecaf |
memory/2424-54-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/1308-46-0x0000000002410000-0x0000000002764000-memory.dmp
memory/2592-58-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/1308-57-0x0000000002410000-0x0000000002764000-memory.dmp
memory/2972-56-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2616-43-0x000000013F580000-0x000000013F8D4000-memory.dmp
\Windows\system\YbiGkqn.exe
| MD5 | 816439705b8489e8bc1f477fb26034fb |
| SHA1 | f89fbf25e3810b07548906aa3c10d66a74535ad5 |
| SHA256 | e54083a27e3a8aebc185c72bfa865c26d6d0b93ce761a1bc8d381bd4290f92fb |
| SHA512 | 9fe7d2df573330bb0a4d2a1d459ed0e8e83f57ce075c2633e30f4ad363f8a1ee7d1a85057642918ac2083489fa53cb2ad0a4b65b8496e49e1690356499730ab4 |
memory/2152-68-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/2864-73-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2844-63-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/572-81-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/1400-88-0x000000013FC80000-0x000000013FFD4000-memory.dmp
\Windows\system\wHlFBFK.exe
| MD5 | 10ffb69423ae21817c2c20c9336814fe |
| SHA1 | 1a9f856694368070367920bd5ceb5d101ab6d285 |
| SHA256 | f30db7d667e1769d01db4a5a745e0372a991460934c2b6b0d6def3cb7c30c40f |
| SHA512 | a3d31d14864637cb712b494c94b86145f565f27ae6771fbe19913dbefab62378dd05b46ac98c9c44d1f56c78a3c797cf3ec87ee4e564e6a8cad4012405278e50 |
memory/904-103-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/1860-97-0x000000013FF70000-0x00000001402C4000-memory.dmp
C:\Windows\system\WELneEo.exe
| MD5 | 5193db95e196ce8bda17bff1326b3c8e |
| SHA1 | d8198b01d90702ade790c7f383dcbf625dfa6640 |
| SHA256 | 4b7d6dfb28604c99a36549a63ed13e0e808404baee75994eb6609402ccbd729f |
| SHA512 | 8adffcf75c5b8323da50a99787aa639b8bc4c2323d36d39f932952fe99b6b9fb71fe46e324da439e24e20604bdb84ece109048287f7f691694b83ab0e968db34 |
C:\Windows\system\mDssAJN.exe
| MD5 | a01c755f3f4b69b6667e3c0dc5055e50 |
| SHA1 | c549ffedf62cc192b6e9423b06a4072c2de5ca84 |
| SHA256 | f763cc4b345ebf5e931a5e02e967cb007942a2584f799b82aa4cf0606e8225b3 |
| SHA512 | 7a48b75dd74026a75d01c73df59e9ae7260ec00974693897d29158416b42b31bb9d97e9a5f9e1b22bc5702f71b04ee3171deb5b22ce3453dd6fd3186fb3a7efd |
C:\Windows\system\GGzJhKZ.exe
| MD5 | 4c88183d715b30dd333d3669d44d195e |
| SHA1 | fc0c5d8ae140ca8f885a32c81ad70d2c4d51d7c5 |
| SHA256 | d8d77c6fbd675fde657ac5d05e96431009113aeffd0fe57858cfdb43aafdc336 |
| SHA512 | 802cdaad23b445d0247170035bfa42eddbcc70ea8c028398b1cfa3512837845b2d6ead1359a647710ad490335c7d7b5ae29492d430220674d20436fe045cdd21 |
\Windows\system\UrBnkWf.exe
| MD5 | 239cbf432d8696f152efcd89af8c43ad |
| SHA1 | 072a981fc05a7d536e8750ff5a2763ca440aa047 |
| SHA256 | e8e4227b2f4a1acaf6f4d7aab3e88c6f370b27f4aaec33201b4ae85d7d667260 |
| SHA512 | 273dc56e614e9fca99ec9760567b856366e3e4cbaef99acb2f49d075b2d8a34e33e4b9bca524d310b681002ec4f733ec873931936571c49132a36a37589e8715 |
C:\Windows\system\LMNOQiB.exe
| MD5 | 495d5811224315902966ae642e476603 |
| SHA1 | 969102664dd68a9237a853b82e03489a536b162a |
| SHA256 | e6ccd988871fae6aa97e7143f6241712f76199a630ce3767c646347dff3f0ae2 |
| SHA512 | 56e97e4a911b9adacfa230bc0a2d46db634588ea3858515f30eb1f2afdaee5caf389d7cacd03500b1f75b1efbd8ca791646f40f8c7b8c9d6cabbf59df4ac1e98 |
memory/2864-143-0x000000013FEF0000-0x0000000140244000-memory.dmp
C:\Windows\system\LsxSEtF.exe
| MD5 | 44d5f0eb5b817d0d2df7ffe944627afa |
| SHA1 | 1dbeba94f03fd2e6119f2d986c6fe41b75345adc |
| SHA256 | f77af1474a989421bdfa647792299dedda4f34bbe497ae7a3583ab84e9351dc3 |
| SHA512 | 7f9d254807f5e673a45222404c559e0b4c4023e1c1a3a0f5d5e0808988c9f36822ad4d0b1e7198729ff68bdcf0e143b6d0e1e12a741297d2e84a6bf14eac3623 |
C:\Windows\system\fvDQIfw.exe
| MD5 | 40e704952f0553bd07bfa22f978dc0e9 |
| SHA1 | d64469822fc9c06541131f6daa0561179a68a46e |
| SHA256 | 7b154dcc4d07f09b9080d69b02a22d4e524d0914a1794008c4df663924c34ea9 |
| SHA512 | 4d0a12d20eb3002368b1d8f0fbfd4ef7ea8caee04052cb48405c774a90076a8480eb4f8bcaef9c8473d9a9cabec129ebe0aa3a9a030a4eb463e19b7754bd2132 |
memory/1308-144-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/1308-109-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/1308-108-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2592-96-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/572-145-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
C:\Windows\system\KrUZMZL.exe
| MD5 | 77df76f76ef89f00cb46dc864e6dcde6 |
| SHA1 | ddf2038810335d7483cda3e25fdd2b1ae17b23ed |
| SHA256 | 25944d0cef7d2a35a05c57eb544f6f608fc9a7e2dfd0227c1ef64e586186b773 |
| SHA512 | c029ecd6909a978f6ab82e84df56a72bd937cd323c145c259c61cc438386d69c4139efa40577a28f56b2b83d104f360976688678bd700aeadba4758176a0a83e |
memory/1308-92-0x0000000002410000-0x0000000002764000-memory.dmp
memory/2844-102-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/1308-99-0x0000000002410000-0x0000000002764000-memory.dmp
C:\Windows\system\JEaNyWs.exe
| MD5 | 85711d8a98a7cafff0825bfd2f2bc1ad |
| SHA1 | c9fc045c0ad75b7b6a19d9b8f6302bcb0f2ba9ee |
| SHA256 | ad3b44437d18a4f2580e050f7f0065bade0953c1d612deeae7b4bc5172767569 |
| SHA512 | 89417bd07a65ec12ef0f8d6db2feedc7fc61fbf48d83d92e0372b481ab37359daa5844bac6e0965307d6e403758d98639878d87ef01e2c42c4e7b1c900c3a093 |
memory/1308-85-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/1308-80-0x000000013FEB0000-0x0000000140204000-memory.dmp
C:\Windows\system\UHgKPts.exe
| MD5 | c15636710041c3f44e6cf3bd9a416c20 |
| SHA1 | a49914e77fb68964b70c543aea8c0053a8e47ae5 |
| SHA256 | e9c48afc0f19ebb82029f94dcb4a09d01b236f0dd71261bbfdf92a70cb647314 |
| SHA512 | ee9473eaa308c1fad3c7dedcc41801686eb483d13088c11bdda459c91979aef73ad8572fe253a8faf55e26c8f4c02fb7359f0d89db3cc5438777fcd2ad733eb9 |
memory/1308-77-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2584-76-0x000000013F4F0000-0x000000013F844000-memory.dmp
C:\Windows\system\KGvWsOe.exe
| MD5 | 23538e797b1ca6f6ab19b46f3ec9d54c |
| SHA1 | 326765f4f975382049bc20dd1ea42152b0b303cf |
| SHA256 | 21036ffa873838aaf879200ac31532f1c3513d2b45905ff0372e18b1c8c257a7 |
| SHA512 | 0fec0e0619d5a1914861bfc81b5c33d18bea4b624be2e19629aa7f9158173888cc3337c0f26e77c568ece3d19c1d3f531012197933c67ac5e52bb97074038e35 |
memory/1308-60-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/1308-69-0x000000013FEF0000-0x0000000140244000-memory.dmp
\Windows\system\CRjkjIS.exe
| MD5 | 90dfe84cc68813e8c7ae2e4272390afb |
| SHA1 | 57bde1920ae7edf6ded678618ee0e38d035bd74b |
| SHA256 | ad8c85dbbb0f3af6bb36aba2dd5045145f9c9380336de8de24da8208abef9a36 |
| SHA512 | c7848690fe3ebd5b608452b0c661eb1d8f965e9c648e8d81ffe1ab17286c7f7c0d1c55c6c65c43d5e601851bf10eb4a037f91473a057fc17ad2060ec993f8366 |
memory/1308-53-0x0000000002410000-0x0000000002764000-memory.dmp
memory/1400-146-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/1308-147-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/1860-148-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/1308-149-0x0000000002410000-0x0000000002764000-memory.dmp
memory/904-150-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/1308-151-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2748-152-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/2972-153-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2680-154-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/2152-155-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/2584-156-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/2616-157-0x000000013F580000-0x000000013F8D4000-memory.dmp
memory/2424-158-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2844-159-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/2592-160-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2864-161-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/572-162-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/1400-163-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/904-164-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/1860-165-0x000000013FF70000-0x00000001402C4000-memory.dmp
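The report's layout is regular: signature tables with Description/Indicator/Process/Target columns, a Network table, and a per-file hash table under each dropped path. The following is an added example, not part of the sandbox output, that parses that layout into hunting IOCs (hashes, dropped paths, enabled token rights, connections, and PTR lookups kept apart from real connections). The embedded excerpt is copied from a few rows of this page, including one Network row in the truncated three-cell form the page uses; the function and key names are the example's own.

```python
import re

HASH_ALGOS = {"MD5", "SHA1", "SHA256", "SHA512"}
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Excerpt in the report's own layout (copied from rows on this page; the real
# report has many more rows). One Network row deliberately has only three
# cells, as one row on the page does.
REPORT_EXCERPT = r"""
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\RvxlBVA.exe | N/A |
| N/A | N/A | C:\Windows\System\NqUrUwU.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe | N/A |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | tcp |
Files
\Windows\system\RvxlBVA.exe
| MD5 | 06229b0d236776f1128473ea37ce0507 |
| SHA256 | 68ae45e45b4c7626afa3363564219e75480a0a713165585d0cd705cba30b7d1e |
C:\Windows\system\NqUrUwU.exe
| MD5 | c7b921deb5f875b3a71556de27026715 |
| SHA256 | 5a869082889aaa968953e5ea31f81fd71a73e29d1cbe476f9ecf35660beb54f2 |
"""


def _cells(line):
    """Split a '| a | b |' row into stripped cells."""
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_report(text):
    """Walk the report line by line; non-table lines name the current section."""
    iocs = {"md5": set(), "sha1": set(), "sha256": set(), "sha512": set(),
            "files": {}, "dropped_paths": set(), "privileges": set(),
            "connections": set(), "ptr_lookups": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("|"):
            section = line          # signature name, "Network", "Files" or a file path
            continue
        cells = _cells(line)
        if cells[0] in ("Description", "Country"):
            continue                # table header
        if len(cells) == 2 and cells[0] in HASH_ALGOS:
            algo, digest = cells[0].lower(), cells[1].lower()
            if HEX_RE.match(digest):
                iocs[algo].add(digest)
                if section and "\\" in section:   # hash table sits under a path line
                    iocs["files"].setdefault(section, {})[algo] = digest
        elif cells[0].startswith("Token: "):
            iocs["privileges"].add(cells[0][len("Token: "):])
        elif section == "Executes dropped EXE" and len(cells) == 4 and cells[2] != "N/A":
            iocs["dropped_paths"].add(cells[2])
        elif cells[-1] in ("tcp", "udp") and ":" in cells[1]:
            ip, port = cells[1].rsplit(":", 1)
            domain = cells[2] if len(cells) == 4 else ""   # three-cell rows have no domain
            if domain.endswith(".in-addr.arpa"):
                iocs["ptr_lookups"].add(domain)            # reverse lookups, not C2
            else:
                iocs["connections"].add((ip, int(port), cells[-1]))
    return iocs


def hunt_list(iocs):
    """Flatten the IOCs into one sorted 'type=value' list for a blocklist or search."""
    out = []
    for algo in ("md5", "sha1", "sha256", "sha512"):
        out += ["%s=%s" % (algo, h) for h in iocs[algo]]
    out += ["path=%s" % p for p in iocs["dropped_paths"]]
    out += ["privilege=%s" % p for p in iocs["privileges"]]
    out += ["net=%s:%d/%s" % c for c in iocs["connections"]]
    return sorted(out)


if __name__ == "__main__":
    for item in hunt_list(parse_report(REPORT_EXCERPT)):
        print(item)
```

Feed the whole page to `parse_report` and the 21 dropped paths, their hashes and the single TCP endpoint come out; the Windows 10 run's PTR queries to 8.8.8.8 land in `ptr_lookups`, since nothing in the report ties them to the sample rather than to the OS.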
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 12:24
Reported
2024-06-06 12:26
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target recorded for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; no description, indicator, process or target recorded for any of them.
UPX dump on OEP (original entry point)
64 matches; no description, indicator, process or target recorded for any of them.
XMRig Miner payload
64 matches; no description, indicator, process or target recorded for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LiJaYUP.exe | N/A |
| N/A | N/A | C:\Windows\System\gYhrQmq.exe | N/A |
| N/A | N/A | C:\Windows\System\CfkDCSl.exe | N/A |
| N/A | N/A | C:\Windows\System\zWaviHE.exe | N/A |
| N/A | N/A | C:\Windows\System\wsHgFaf.exe | N/A |
| N/A | N/A | C:\Windows\System\dMwAEXR.exe | N/A |
| N/A | N/A | C:\Windows\System\iDpPzkH.exe | N/A |
| N/A | N/A | C:\Windows\System\Kdxygrt.exe | N/A |
| N/A | N/A | C:\Windows\System\GuMsgei.exe | N/A |
| N/A | N/A | C:\Windows\System\sazpSih.exe | N/A |
| N/A | N/A | C:\Windows\System\bcUVhLC.exe | N/A |
| N/A | N/A | C:\Windows\System\JLigfNb.exe | N/A |
| N/A | N/A | C:\Windows\System\xagCPGf.exe | N/A |
| N/A | N/A | C:\Windows\System\soawhvZ.exe | N/A |
| N/A | N/A | C:\Windows\System\ZAxAgac.exe | N/A |
| N/A | N/A | C:\Windows\System\NzaIuUy.exe | N/A |
| N/A | N/A | C:\Windows\System\dqmsEun.exe | N/A |
| N/A | N/A | C:\Windows\System\sLjlkTC.exe | N/A |
| N/A | N/A | C:\Windows\System\pENoboS.exe | N/A |
| N/A | N/A | C:\Windows\System\bdjBoRP.exe | N/A |
| N/A | N/A | C:\Windows\System\xEltcIq.exe | N/A |
UPX packed file
64 matches; no description, indicator, process or target recorded for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\LiJaYUP.exe
C:\Windows\System\LiJaYUP.exe
C:\Windows\System\gYhrQmq.exe
C:\Windows\System\gYhrQmq.exe
C:\Windows\System\CfkDCSl.exe
C:\Windows\System\CfkDCSl.exe
C:\Windows\System\zWaviHE.exe
C:\Windows\System\zWaviHE.exe
C:\Windows\System\wsHgFaf.exe
C:\Windows\System\wsHgFaf.exe
C:\Windows\System\dMwAEXR.exe
C:\Windows\System\dMwAEXR.exe
C:\Windows\System\iDpPzkH.exe
C:\Windows\System\iDpPzkH.exe
C:\Windows\System\Kdxygrt.exe
C:\Windows\System\Kdxygrt.exe
C:\Windows\System\GuMsgei.exe
C:\Windows\System\GuMsgei.exe
C:\Windows\System\sazpSih.exe
C:\Windows\System\sazpSih.exe
C:\Windows\System\bcUVhLC.exe
C:\Windows\System\bcUVhLC.exe
C:\Windows\System\JLigfNb.exe
C:\Windows\System\JLigfNb.exe
C:\Windows\System\xagCPGf.exe
C:\Windows\System\xagCPGf.exe
C:\Windows\System\soawhvZ.exe
C:\Windows\System\soawhvZ.exe
C:\Windows\System\ZAxAgac.exe
C:\Windows\System\ZAxAgac.exe
C:\Windows\System\NzaIuUy.exe
C:\Windows\System\NzaIuUy.exe
C:\Windows\System\dqmsEun.exe
C:\Windows\System\dqmsEun.exe
C:\Windows\System\sLjlkTC.exe
C:\Windows\System\sLjlkTC.exe
C:\Windows\System\pENoboS.exe
C:\Windows\System\pENoboS.exe
C:\Windows\System\bdjBoRP.exe
C:\Windows\System\bdjBoRP.exe
C:\Windows\System\xEltcIq.exe
C:\Windows\System\xEltcIq.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files