Analysis Overview
SHA256
13c8a79a22d5034b55634ca96fa57030388a098a60dfc92e86a0613ed36f2206
Threat Level: Known bad
The file 2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobaltstrike
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Xmrig family
XMRig Miner payload
Detects Reflective DLL injection artifacts
xmrig
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 13:38
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 13:38
Reported
2024-06-06 13:41
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\pOzczpW.exe | N/A |
| N/A | N/A | C:\Windows\System\FoWysuA.exe | N/A |
| N/A | N/A | C:\Windows\System\DtReISB.exe | N/A |
| N/A | N/A | C:\Windows\System\TgtKoxa.exe | N/A |
| N/A | N/A | C:\Windows\System\sYNecfF.exe | N/A |
| N/A | N/A | C:\Windows\System\GrAgMuS.exe | N/A |
| N/A | N/A | C:\Windows\System\gFTwpVK.exe | N/A |
| N/A | N/A | C:\Windows\System\mOMVNbP.exe | N/A |
| N/A | N/A | C:\Windows\System\dQjLEop.exe | N/A |
| N/A | N/A | C:\Windows\System\tNhoQkT.exe | N/A |
| N/A | N/A | C:\Windows\System\ysdhCSu.exe | N/A |
| N/A | N/A | C:\Windows\System\BfOwunl.exe | N/A |
| N/A | N/A | C:\Windows\System\UVebHov.exe | N/A |
| N/A | N/A | C:\Windows\System\RpHKQjp.exe | N/A |
| N/A | N/A | C:\Windows\System\sZJtuYg.exe | N/A |
| N/A | N/A | C:\Windows\System\AOvmNkV.exe | N/A |
| N/A | N/A | C:\Windows\System\CFZLBqk.exe | N/A |
| N/A | N/A | C:\Windows\System\wbbUtOz.exe | N/A |
| N/A | N/A | C:\Windows\System\zbRwSvw.exe | N/A |
| N/A | N/A | C:\Windows\System\dTRDOVZ.exe | N/A |
| N/A | N/A | C:\Windows\System\sHJPkFE.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\pOzczpW.exe
C:\Windows\System\pOzczpW.exe
C:\Windows\System\FoWysuA.exe
C:\Windows\System\FoWysuA.exe
C:\Windows\System\DtReISB.exe
C:\Windows\System\DtReISB.exe
C:\Windows\System\TgtKoxa.exe
C:\Windows\System\TgtKoxa.exe
C:\Windows\System\sYNecfF.exe
C:\Windows\System\sYNecfF.exe
C:\Windows\System\GrAgMuS.exe
C:\Windows\System\GrAgMuS.exe
C:\Windows\System\gFTwpVK.exe
C:\Windows\System\gFTwpVK.exe
C:\Windows\System\mOMVNbP.exe
C:\Windows\System\mOMVNbP.exe
C:\Windows\System\dQjLEop.exe
C:\Windows\System\dQjLEop.exe
C:\Windows\System\tNhoQkT.exe
C:\Windows\System\tNhoQkT.exe
C:\Windows\System\ysdhCSu.exe
C:\Windows\System\ysdhCSu.exe
C:\Windows\System\BfOwunl.exe
C:\Windows\System\BfOwunl.exe
C:\Windows\System\UVebHov.exe
C:\Windows\System\UVebHov.exe
C:\Windows\System\RpHKQjp.exe
C:\Windows\System\RpHKQjp.exe
C:\Windows\System\sZJtuYg.exe
C:\Windows\System\sZJtuYg.exe
C:\Windows\System\AOvmNkV.exe
C:\Windows\System\AOvmNkV.exe
C:\Windows\System\CFZLBqk.exe
C:\Windows\System\CFZLBqk.exe
C:\Windows\System\wbbUtOz.exe
C:\Windows\System\wbbUtOz.exe
C:\Windows\System\zbRwSvw.exe
C:\Windows\System\zbRwSvw.exe
C:\Windows\System\dTRDOVZ.exe
C:\Windows\System\dTRDOVZ.exe
C:\Windows\System\sHJPkFE.exe
C:\Windows\System\sHJPkFE.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/2168-0-0x00007FF7D3880000-0x00007FF7D3BD4000-memory.dmp
memory/2168-1-0x0000022C7A080000-0x0000022C7A090000-memory.dmp
C:\Windows\System\pOzczpW.exe
| MD5 | 204225c59ed2325f02c092958f8b7440 |
| SHA1 | d7048857440a57d4cb59a8ce52ac81db74d2b9c9 |
| SHA256 | 5a10a9cf7294d5d7f0ac604dab6622729a1ad5dd8ab521d45bc46257530af28f |
| SHA512 | c14edf988f35118ff6cf87ea5ef02f8e4910738aa7f1a55b90bc47356e787bf9a0f68794bae9f5b0e2f930f4dd1f14979b1164407b323d82af6ddf242d9f1be7 |
memory/1440-8-0x00007FF7D0980000-0x00007FF7D0CD4000-memory.dmp
C:\Windows\System\FoWysuA.exe
| MD5 | c6ad592960972f0c892cd77e70ebb9d9 |
| SHA1 | 88cbb9335540fc4a9491714cef18d27e73e05b1e |
| SHA256 | 9000e272e8fd79d9b476e6876fee0ecb8a43a9e7c489a8b5235babc898a597df |
| SHA512 | 55dfe66bb35ffa44136dd0334f739c430d1cacc1e898b977418a4e14d396472ce5b6b9999220ed2df4b6e8eabbe4653b05045216a2e6513fec47a0237e43db2d |
C:\Windows\System\DtReISB.exe
| MD5 | 69025f096572a08701c1ac351f0286f9 |
| SHA1 | 0d87e0b1f417b3ac27aaccc0ecd4bc340c3f9037 |
| SHA256 | 3e2d6b1511d526358ed730db49b54dd3e6fbe1002e1b831bd20dccbd35a86244 |
| SHA512 | 793a20c30bc854cb4fe2fe0ba32c2c5e5e234930189c48e6f0522851f9ca5e0f93cc822ef5dc904b688b8c94c60da7ec0ace5e68b314c6edd0c9568c3c2136de |
memory/4596-19-0x00007FF657C40000-0x00007FF657F94000-memory.dmp
memory/4516-13-0x00007FF678D60000-0x00007FF6790B4000-memory.dmp
C:\Windows\System\TgtKoxa.exe
| MD5 | e7bb397bffc21ee20d79bd6cf612a93c |
| SHA1 | a608dd8a1b8cd33011d090438097b9aed9dc11e0 |
| SHA256 | 74a1d1da97383ddb448c33bda8afe521ca2a2597d970b3c0988d481f6b09e163 |
| SHA512 | f31f2ef401197219c3d78fbbd3b231b7aaf66ee183ac52702e478d47af48498dbe44764a4fca84a909fbb8db6c2893b5e2cc75b6e6f0c24a0ba038465950edfe |
C:\Windows\System\sYNecfF.exe
| MD5 | d943c424ef76722dd7c453ca315ae8aa |
| SHA1 | 5ddfdf4a452b0b4f10c7ee1984451660e3a52e0f |
| SHA256 | a1606c4f28b1f5a8dcc26cd207738aed3ffec2a34012bcf8c0721b0fd2be2209 |
| SHA512 | 01c90226fcb98e461e3cf7228fa36bf6c725f1492b75e1608cef5d187a082237fa6db5195fada2f96f46159f986c21424e3ae43f5458bb6f1c2f862fcea91d92 |
memory/2992-32-0x00007FF711140000-0x00007FF711494000-memory.dmp
C:\Windows\System\GrAgMuS.exe
| MD5 | 1360d147d1c50780b0666bf64fcb8ff0 |
| SHA1 | d2ba011085d0374d2ac9e458b8d5728f4478dd84 |
| SHA256 | 7da175438929ad781d7b17599b0b1269b20bc8e296b1eec6605ac5830faed8f7 |
| SHA512 | 8516695fb513aff4c487dceb777cbfa890e6c197dca5980c6587cd12f498687a2f8551109146978d12d692d9f8372a0418a3fb23610b9a5b544f314bc6d23755 |
memory/1704-36-0x00007FF6BCDD0000-0x00007FF6BD124000-memory.dmp
C:\Windows\System\mOMVNbP.exe
| MD5 | fcdd9a41ec94d050534818d4ba424dff |
| SHA1 | 6c02ac2a929b37ef41002461a36dd698e315a47b |
| SHA256 | c206858e0e2e13d520e3a55f40ae29314bbccf2c5ee6d94121f6d822f3acea77 |
| SHA512 | f53a35ab79c5b6c096bea3cabfb9bc6bec5583a6713ed98ae3cc95deb6d2820819f325a6be35c0497cd10cb81f6b1f8ff5659e61259c39cd8e66b3a6e2577657 |
memory/1572-51-0x00007FF61F030000-0x00007FF61F384000-memory.dmp
C:\Windows\System\dQjLEop.exe
| MD5 | 3dbe1e6ac591103808f4f4dd81c1d45a |
| SHA1 | bb0c0fbea2e8ff4d0d635c73329bd27711695efe |
| SHA256 | 59e66f95091a8d8e8b0fe37a63c6edc1833ee979ce593cb5c2bef59de699ab95 |
| SHA512 | cacd2df798b5532453a96eb5ca064e05f118cb1068162ac2effe55c67dec78af11f1c05c281f0f6641497b1a4b34e96b0d705b2a2d3408835537bd9aa767a353 |
C:\Windows\System\ysdhCSu.exe
| MD5 | a2035159eccc2e054be6248898635e57 |
| SHA1 | 55d8c5f6dc48aed31db53cdc21766384fdc62bb0 |
| SHA256 | d0f6836f201b2f4b0db273ae24db2376cbbe441274e2ef309f9eb16a5c87fa09 |
| SHA512 | 5b9402d78ef60899b74f1dc8cc6c0768d88b679b6e99b012e6d5a52e7dbd2da4371e4b1f8afa799315df1cbbecc9053e2c1085cce8290d8b09dd19e9014255ae |
memory/1252-73-0x00007FF70A100000-0x00007FF70A454000-memory.dmp
memory/4964-79-0x00007FF7615B0000-0x00007FF761904000-memory.dmp
memory/3800-80-0x00007FF64EB60000-0x00007FF64EEB4000-memory.dmp
C:\Windows\System\UVebHov.exe
| MD5 | 20e636f799184ef2ec2caa6edc4c30dc |
| SHA1 | a10e36fb83de47c1c7ef42f34e102d4025f8b291 |
| SHA256 | e3e9bc6a346e8ffa89472164a7b523d8362bc4d952b5ed1854664b669b5f6190 |
| SHA512 | a208ac2ab36133da75f12a72956b3e2dbb859143e5bfa7151280e3e85c641b788df27308839e0696446550d54d48a7c3e1f3fc8cf1333d8751c96fa1cc5fd4df |
memory/4160-76-0x00007FF7FCF20000-0x00007FF7FD274000-memory.dmp
C:\Windows\System\BfOwunl.exe
| MD5 | 9f1e1741bf25fa89fd40055cde6553d9 |
| SHA1 | 09bba4aeb28c3dfd8ea4b52b7ae1b82b18f4e0a2 |
| SHA256 | 730f0293929905a76d02ecb7da3a0359dfc635ab66db2df98974eb137e30330a |
| SHA512 | d5c29e881440c1d6477ca700b10828cb3005a134ffe48bea3c6d8bb47560022696c590a2b07b4b9f9f34e7bb89f76affd23e2f142b5cb4a978b541e518894257 |
C:\Windows\System\tNhoQkT.exe
| MD5 | 1581a6a1c840bfa5e6f8592261a3a2a0 |
| SHA1 | f4cdb22dcb3154f6f16a86e137addf1cecdf1f0f |
| SHA256 | 20c94acd77bb28e460ef86a35e7c8f3c4eeb6fb92846e0faadde92225ca268f0 |
| SHA512 | 74fbc3a326cf9c2002930cf847d4c4dac1f17f1cc0b294c442082eb8a8ca3892dd231fef6ab0f135a0e003e9effa56430bc288e7848bc2916edcc5010cf7ea4b |
memory/4356-58-0x00007FF68C6F0000-0x00007FF68CA44000-memory.dmp
memory/3908-55-0x00007FF674590000-0x00007FF6748E4000-memory.dmp
C:\Windows\System\gFTwpVK.exe
| MD5 | 5acfeb55faf67d1b5c02f19f39e63706 |
| SHA1 | 1224963d1114ebd8db7306a28c9628a81c2b523e |
| SHA256 | 388120bb4ab0fec90c23d8b3844e9602cee2347f40c12bc24b0f73567f61a65b |
| SHA512 | 5fd43ee7cbf9f7260a45c975a015746955078941fa3cee7758af6303f58531a33e821d0dbba7bdec65223fe45f70abee49fd22599a13d7cb4fd6affd0f5781b8 |
memory/4788-26-0x00007FF7AC4B0000-0x00007FF7AC804000-memory.dmp
C:\Windows\System\RpHKQjp.exe
| MD5 | b899e5e7cf845bc5fefe8024594ccd25 |
| SHA1 | 5d74041d176533603cafd1cebb3f06daa743ec3d |
| SHA256 | ffae1a0ed08396b8fb27c8966b26df2471aff4f618c003c3450e1f6312119433 |
| SHA512 | f229a7cdfbca30b6577e665bbf0c416ed3a6cd74e36c98553b708fb55feda0cfaae7440b51ea97caf5c6c74da5ae72546f950811d13d8c4f768410f04179b2b8 |
memory/800-86-0x00007FF7EEC60000-0x00007FF7EEFB4000-memory.dmp
C:\Windows\System\sZJtuYg.exe
| MD5 | 79c93d85fde280928e948f184bf4ec7c |
| SHA1 | 6426ed181466c889203da3c7c2a6a6fcf01d8960 |
| SHA256 | c7758e78c3ed23d3f0f7db6729d19432dbc5f06ede42d3473cc7f793e10bae1e |
| SHA512 | c7eead7718fe269f7b422dc52cadab3e421f5b89b2ca6fe4c22886527505d13b285f76ddef58e9d8bf8d74f69332a5701c3dfb304c57f058321a4bc185900246 |
C:\Windows\System\AOvmNkV.exe
| MD5 | 47561c21a44b9303534a83f16c239605 |
| SHA1 | f8603990614a47cd4868285a929a278a7c46c6bc |
| SHA256 | f0a6a08521b3e6f604408eb96eff219239a74ba990a9f5b37f0769078b8c37c7 |
| SHA512 | dbff86047b36daa83efc2150d942496235e84cbd5104f8f389029ef94b265f62e1e26b5e698fc80781881433da473cb28eca07f2caa3e93214a74bbed75ab74e |
memory/440-95-0x00007FF720630000-0x00007FF720984000-memory.dmp
memory/2168-90-0x00007FF7D3880000-0x00007FF7D3BD4000-memory.dmp
C:\Windows\System\CFZLBqk.exe
| MD5 | 642260d5fe3cf70418abeef1e846bdc7 |
| SHA1 | 78eb9ea9c9c12e946fd6545b341db3fb00e1c70e |
| SHA256 | d30362860f8cd364b2cd045dd54acda0c391f6930a7c7327c5755d2e5e0f2f3f |
| SHA512 | 85098b9ed9f6d43c3347f47e54d0135e774d652aa1ef581859d492277273e4a1912ba2bbf59afb9c22859043966ad0e664c1e1d62b3f4a4e0aeac89ae74e7c21 |
C:\Windows\System\wbbUtOz.exe
| MD5 | d939c5e9d5db4ca44def63eaa5d6383c |
| SHA1 | cfa61e42fa45f62b90e5cc8fbd41b76583d61c08 |
| SHA256 | d8a6c28fd153c1c573b8132817ca708288c39abc3e8ff5861f791c664f31f90c |
| SHA512 | a8338910be4b0802c06baab5dc30c12abdeb8bc9f57315de2dabd1ca2e2a0761943fc97270b6f41170d2f0f6b18a316ba39fe4e85f95a8a2afa875b2f8296ec4 |
C:\Windows\System\zbRwSvw.exe
| MD5 | 71f0fb5c5f79e512b4c1adfce2e1e655 |
| SHA1 | 67f1081c52de881ea65a06c4013e216ed6502fef |
| SHA256 | b5788142c62fa64a50e95c50b3934433cdabb606dce64cc4ea9a252710bce26e |
| SHA512 | a524c3f959adbbb311eca9489edcf92c5e5c2cd36656e7ed4b360acc362b7eff6f01d15fa7e89a9ecbce80610267bd1a312cb57c22e3a4c71219f78d529a241f |
memory/4436-121-0x00007FF7548C0000-0x00007FF754C14000-memory.dmp
C:\Windows\System\sHJPkFE.exe
| MD5 | 8300aef93ffc905fc29d78f8db79d6ec |
| SHA1 | 70d048169a9d873f093955c840af4babb07c9cc9 |
| SHA256 | 196b739adaf259abe35d3f78e216d49ca1d589738c0132384047a26cf91c0835 |
| SHA512 | 61b4de087e6865c96693fe0400e948c28595d28092690fe931588c4cbd8595f060f0dcdbc23c4b358866a77509436811235d05548a04ac049029201ff0e822ea |
memory/2544-125-0x00007FF6FEAA0000-0x00007FF6FEDF4000-memory.dmp
C:\Windows\System\dTRDOVZ.exe
| MD5 | 09355fbd1b399d71ba8f50877dfa583c |
| SHA1 | 012b3dfd4734cd84ad97537e92659bf11dde7b54 |
| SHA256 | 1a3b40b734e2acb12d20133a1d7b8c39bb591b486031aba7546d3aa2176e4e09 |
| SHA512 | c16da86946beeb4fd1fa7cec695c647152057f2830cbd90fc604b4f9e69ea6cc09e153f30f754cefc5445439c2c8da73a440e22ceff386d82e6c66f3f1d4e6a3 |
memory/400-111-0x00007FF7D32D0000-0x00007FF7D3624000-memory.dmp
memory/2976-108-0x00007FF6C9920000-0x00007FF6C9C74000-memory.dmp
memory/4516-104-0x00007FF678D60000-0x00007FF6790B4000-memory.dmp
memory/2388-99-0x00007FF6C6F10000-0x00007FF6C7264000-memory.dmp
memory/2756-130-0x00007FF6BDB90000-0x00007FF6BDEE4000-memory.dmp
memory/1704-129-0x00007FF6BCDD0000-0x00007FF6BD124000-memory.dmp
memory/4356-131-0x00007FF68C6F0000-0x00007FF68CA44000-memory.dmp
memory/800-132-0x00007FF7EEC60000-0x00007FF7EEFB4000-memory.dmp
memory/2388-133-0x00007FF6C6F10000-0x00007FF6C7264000-memory.dmp
memory/2976-134-0x00007FF6C9920000-0x00007FF6C9C74000-memory.dmp
memory/400-135-0x00007FF7D32D0000-0x00007FF7D3624000-memory.dmp
memory/4436-136-0x00007FF7548C0000-0x00007FF754C14000-memory.dmp
memory/1440-137-0x00007FF7D0980000-0x00007FF7D0CD4000-memory.dmp
memory/4596-138-0x00007FF657C40000-0x00007FF657F94000-memory.dmp
memory/4516-139-0x00007FF678D60000-0x00007FF6790B4000-memory.dmp
memory/4788-140-0x00007FF7AC4B0000-0x00007FF7AC804000-memory.dmp
memory/2992-141-0x00007FF711140000-0x00007FF711494000-memory.dmp
memory/1572-142-0x00007FF61F030000-0x00007FF61F384000-memory.dmp
memory/1704-143-0x00007FF6BCDD0000-0x00007FF6BD124000-memory.dmp
memory/3908-144-0x00007FF674590000-0x00007FF6748E4000-memory.dmp
memory/4356-145-0x00007FF68C6F0000-0x00007FF68CA44000-memory.dmp
memory/4160-146-0x00007FF7FCF20000-0x00007FF7FD274000-memory.dmp
memory/1252-147-0x00007FF70A100000-0x00007FF70A454000-memory.dmp
memory/4964-148-0x00007FF7615B0000-0x00007FF761904000-memory.dmp
memory/3800-149-0x00007FF64EB60000-0x00007FF64EEB4000-memory.dmp
memory/800-150-0x00007FF7EEC60000-0x00007FF7EEFB4000-memory.dmp
memory/440-151-0x00007FF720630000-0x00007FF720984000-memory.dmp
memory/2388-152-0x00007FF6C6F10000-0x00007FF6C7264000-memory.dmp
memory/2976-153-0x00007FF6C9920000-0x00007FF6C9C74000-memory.dmp
memory/4436-154-0x00007FF7548C0000-0x00007FF754C14000-memory.dmp
memory/2544-156-0x00007FF6FEAA0000-0x00007FF6FEDF4000-memory.dmp
memory/400-155-0x00007FF7D32D0000-0x00007FF7D3624000-memory.dmp
memory/2756-157-0x00007FF6BDB90000-0x00007FF6BDEE4000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 13:38
Reported
2024-06-06 13:41
Platform
win7-20240419-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\mmXxoOd.exe | N/A |
| N/A | N/A | C:\Windows\System\sxdqqKL.exe | N/A |
| N/A | N/A | C:\Windows\System\UKqzrIy.exe | N/A |
| N/A | N/A | C:\Windows\System\tgHrTVp.exe | N/A |
| N/A | N/A | C:\Windows\System\cxQjHyC.exe | N/A |
| N/A | N/A | C:\Windows\System\EiVsqMF.exe | N/A |
| N/A | N/A | C:\Windows\System\WUWUxgI.exe | N/A |
| N/A | N/A | C:\Windows\System\THbRIZu.exe | N/A |
| N/A | N/A | C:\Windows\System\bosoYWn.exe | N/A |
| N/A | N/A | C:\Windows\System\hmQgHgq.exe | N/A |
| N/A | N/A | C:\Windows\System\cgxIHfA.exe | N/A |
| N/A | N/A | C:\Windows\System\BFSNONv.exe | N/A |
| N/A | N/A | C:\Windows\System\NMGPfjJ.exe | N/A |
| N/A | N/A | C:\Windows\System\pbugCEb.exe | N/A |
| N/A | N/A | C:\Windows\System\tAZwzJE.exe | N/A |
| N/A | N/A | C:\Windows\System\rqHiGAa.exe | N/A |
| N/A | N/A | C:\Windows\System\mEMcfVE.exe | N/A |
| N/A | N/A | C:\Windows\System\zfwUdqt.exe | N/A |
| N/A | N/A | C:\Windows\System\OtRjcdf.exe | N/A |
| N/A | N/A | C:\Windows\System\NjjZRYU.exe | N/A |
| N/A | N/A | C:\Windows\System\pOBsdCn.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\mmXxoOd.exe
C:\Windows\System\mmXxoOd.exe
C:\Windows\System\sxdqqKL.exe
C:\Windows\System\sxdqqKL.exe
C:\Windows\System\UKqzrIy.exe
C:\Windows\System\UKqzrIy.exe
C:\Windows\System\tgHrTVp.exe
C:\Windows\System\tgHrTVp.exe
C:\Windows\System\cxQjHyC.exe
C:\Windows\System\cxQjHyC.exe
C:\Windows\System\EiVsqMF.exe
C:\Windows\System\EiVsqMF.exe
C:\Windows\System\WUWUxgI.exe
C:\Windows\System\WUWUxgI.exe
C:\Windows\System\THbRIZu.exe
C:\Windows\System\THbRIZu.exe
C:\Windows\System\bosoYWn.exe
C:\Windows\System\bosoYWn.exe
C:\Windows\System\hmQgHgq.exe
C:\Windows\System\hmQgHgq.exe
C:\Windows\System\cgxIHfA.exe
C:\Windows\System\cgxIHfA.exe
C:\Windows\System\BFSNONv.exe
C:\Windows\System\BFSNONv.exe
C:\Windows\System\NMGPfjJ.exe
C:\Windows\System\NMGPfjJ.exe
C:\Windows\System\pbugCEb.exe
C:\Windows\System\pbugCEb.exe
C:\Windows\System\tAZwzJE.exe
C:\Windows\System\tAZwzJE.exe
C:\Windows\System\rqHiGAa.exe
C:\Windows\System\rqHiGAa.exe
C:\Windows\System\mEMcfVE.exe
C:\Windows\System\mEMcfVE.exe
C:\Windows\System\zfwUdqt.exe
C:\Windows\System\zfwUdqt.exe
C:\Windows\System\OtRjcdf.exe
C:\Windows\System\OtRjcdf.exe
C:\Windows\System\NjjZRYU.exe
C:\Windows\System\NjjZRYU.exe
C:\Windows\System\pOBsdCn.exe
C:\Windows\System\pOBsdCn.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2052-0-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2052-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\mmXxoOd.exe
| MD5 | 67fccfc30c4c0ce5505b4c060f97c91c |
| SHA1 | d0f14133036f3b8c2ca41033d45012dee43622eb |
| SHA256 | 7eb9f2d0f616082045deb593d181a4bcb6fc9ffe41d92b10374dfd2bdbb1eeaa |
| SHA512 | ab0664aa9ea877fa45c94834c9e6394fef901cff4b4c42eb51fad2aa45765e651a9f94e6088b025904cec386b89d97cc58bbec099e877403c903db5018b2c403 |
memory/2052-6-0x0000000002300000-0x0000000002654000-memory.dmp
C:\Windows\system\sxdqqKL.exe
| MD5 | 875defcc01609e8f936139baec22b0d3 |
| SHA1 | ed0650b5f4b24bb50d12a8bd4c7bd69ff62631a6 |
| SHA256 | 74d4741833b1ded0a1053bf96675434d4fb9f563ef087ec25bbff6a890a6be64 |
| SHA512 | 8d898749b07e78273395cd97ac67f928cd4987f1775eb1e73a10c90281bfe56920eb19f9b6f9b7d8b1fe5ff59d38e8a6fb997f8fd67485fd0e8ec81fe60d11ea |
C:\Windows\system\UKqzrIy.exe
| MD5 | 524754471568355b633a3cd50c159417 |
| SHA1 | 92e1f964986e1277d393c4ad2fe56125a2d886f2 |
| SHA256 | 2389a471635e69e04ea0bde4e0f9f8a16149f458d7d7a1ad11352d9145b93fb4 |
| SHA512 | 00617201262780056a908613f173a647ab4013d5d329ee097cfeea0d9bf33910d95dbacf285ea3aa38c283879b6710cd6673a26babce73496954f92cee1eef37 |
memory/3060-15-0x000000013F6C0000-0x000000013FA14000-memory.dmp
memory/2052-14-0x000000013F6C0000-0x000000013FA14000-memory.dmp
memory/2364-21-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2052-19-0x0000000002300000-0x0000000002654000-memory.dmp
memory/2448-11-0x000000013FBD0000-0x000000013FF24000-memory.dmp
\Windows\system\tgHrTVp.exe
| MD5 | 09fb6b8af24dc421117b4fb5b37bbfd8 |
| SHA1 | 8964b42edcf76de2bf6f9ceb66e6c1cc7bceb00a |
| SHA256 | bbebf15642223a07a88f0d5cbc4e49b474faed2d218c5891fe98e6296e154937 |
| SHA512 | 719d5572396497f5179f066d08d8943d4f4cb835860a1435cef8a1c37d4b21f1a73360b40b3d41fadc520618ef4e2eabb80b2498ec526a03214379ddf2cffb07 |
memory/2688-29-0x000000013FF80000-0x00000001402D4000-memory.dmp
\Windows\system\cxQjHyC.exe
| MD5 | 6cbd0278b47db5232bbf8e0fa4db72b8 |
| SHA1 | 050d8f4416732a34757be8981581cd6b7c39ee28 |
| SHA256 | 13350f331d5cc3208336eb598848de370a674bbc4ace33281153f2fd1d308d1b |
| SHA512 | 09fdb783f21ffe1ee2ba8901e82286f57db331bf852db6912858b38068993c07a1c023e8d47c1a8c1396255e996c1ad8f89338c7c9d365a689b50939ba1e83e3 |
memory/2052-31-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2448-43-0x000000013FBD0000-0x000000013FF24000-memory.dmp
C:\Windows\system\EiVsqMF.exe
| MD5 | 8770f865993e770f6a0032d4d2c046d2 |
| SHA1 | 3714c50780c44f6a1e0e5d3399b5c3dfcd59a52e |
| SHA256 | 449b4a4189013e400b3c1de3a378ce2fb737a87eb781daf067df60c03f36211a |
| SHA512 | 0d93ce923ffdacaa8715af1ad481814ed380e308105f824bc2ef7056f27fb5fad079c6d6d836a844b757e970f9b479c9506894ace42ed54b261fa74a357c0b7e |
memory/2772-47-0x000000013FD00000-0x0000000140054000-memory.dmp
memory/2052-46-0x000000013F6C0000-0x000000013FA14000-memory.dmp
memory/2052-42-0x0000000002300000-0x0000000002654000-memory.dmp
memory/2052-41-0x0000000002300000-0x0000000002654000-memory.dmp
memory/1984-40-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2052-36-0x000000013FEF0000-0x0000000140244000-memory.dmp
\Windows\system\WUWUxgI.exe
| MD5 | 296cc3b069cd30558ecac19c339353a5 |
| SHA1 | 03545075c30c7d8cc7ac62b31366dc76aa1c42eb |
| SHA256 | af5d5db2d5b79622bf4ca92c23537d10bcf7e096323fc335f5b0426364d0b11a |
| SHA512 | 7a9d2e4047a63c9eb60f7329c0316f9c016e6ac7ef6c5d6392b022393cad13f7a02d0dba7bf1da6603b535f1c75973005a928e1c4a2cc831f4dcd4ca04f401eb |
memory/2700-54-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/3060-52-0x000000013F6C0000-0x000000013FA14000-memory.dmp
\Windows\system\THbRIZu.exe
| MD5 | bd02c2d6bda6a5ee110124755e322aea |
| SHA1 | 0e490e4a9aed352decfc9cd3980239040df28257 |
| SHA256 | c4043e97aebdcecccb110b220a9d484bdb57f3addff2592fc5f1799bcff1506a |
| SHA512 | 83996caad3f3bb139b663b0dce1fef8726ea56427f86624266776c98e22c570ea8335c027b5b6977dce73e2f5131fe201b1b8f8e582030b7cdc002dfe54738e7 |
memory/2052-60-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2528-61-0x000000013F790000-0x000000013FAE4000-memory.dmp
\Windows\system\bosoYWn.exe
| MD5 | ebfd2887dd669b6616b8c95cb9ee89ea |
| SHA1 | 9d4d75b430e388c3abd72787df5da40a2e34b770 |
| SHA256 | 021f8a98c19b550e3fd0850fc041391440f18b3dac4b23e558e49ddf870110bd |
| SHA512 | 6fd16115dfa75a35edb1d51b3708bd8247da760fe11e27fddc0692c5dc7c5dda1802f38a7df5ccda5b67a714fbdea1126dbdb27454bf06793f0ea7be3e2b62ad |
memory/2364-65-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2052-66-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/3024-70-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2052-68-0x0000000002300000-0x0000000002654000-memory.dmp
\Windows\system\hmQgHgq.exe
| MD5 | 895db499307793bcd16bb18b3cf3ad3a |
| SHA1 | 7a4300e4cb012c62ae0146a3ebfe602070d54b49 |
| SHA256 | e300efb613eca10f6e224a91961dca728f6aaff62cd1ff6a9098a9c3fb44f501 |
| SHA512 | ae4ff04c75df24c84bb1926aa4404c0ec11733a908e96e0804303940cbd7141f985babf884501a1ca40e2ca53458e220052ee98f52f6b971bea565dec2167415 |
memory/2580-78-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2052-76-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2688-75-0x000000013FF80000-0x00000001402D4000-memory.dmp
C:\Windows\system\cgxIHfA.exe
| MD5 | 5ff243d7cf8d120136360278ad83d710 |
| SHA1 | 1a33b5f2105b1377a24a991e89aa635edada5acb |
| SHA256 | 6770c3773ba71103ebfab626fb1c2c49e27f6ef3e57fece645f656d14c6172f5 |
| SHA512 | 605242c16e92749cb515da3c4dfa05b908dbdee9e1ee8c2eec0ee23d8bd07414f2228947e7bf5cde0824bb8a3548397bf3216593845a67e88c52cd829bcf0d2d |
C:\Windows\system\BFSNONv.exe
| MD5 | 79ad6eb0a524978d654bd7c073fa38e0 |
| SHA1 | 07b096aaa76f7353aff74f1a59b524e0e87e832c |
| SHA256 | 269a8110647986e202e18d1493d9713abe3290af0d6cef13b4cf050ff54f76cf |
| SHA512 | 7ae5c188db73aee50b1122baef7ad5a1afa8a5e7aa15cd8bad5daa10c52fc4b1bc186807bd0a6ac611101fb56ad7da640f7c156155caacf3dfa798bd832188e0 |
memory/1984-90-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2880-91-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/2860-85-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2052-84-0x000000013F180000-0x000000013F4D4000-memory.dmp
\Windows\system\NMGPfjJ.exe
| MD5 | 39b74d3a200f8f65e8f54aadb0911795 |
| SHA1 | bc6575b306e2472ba1a1619909d60bf09056e71b |
| SHA256 | 78382c9caa12b7fb683285bbf20ce788b151a229805dc353930b2c6da4c46ef1 |
| SHA512 | c259212d9328eeae1791b77f4dded11bd46e9881ef1fa2d9f36f15cbb995e9545ec101a1519d28a6e6a30758b92afafcce0859a2de521f5404b76192bb1e79a3 |
memory/2888-97-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2052-96-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2052-95-0x0000000002300000-0x0000000002654000-memory.dmp
\Windows\system\pbugCEb.exe
| MD5 | b4ba6844c27b86d934c0be43b0ddd311 |
| SHA1 | 8bf1a5653618596d963171907e577c4ab898fb43 |
| SHA256 | 6ce90a6bc1d9b1d1e9aef4fb0e30e23498e9407d3ea39f7e99cd9e394fdbbbd6 |
| SHA512 | 0bd09c411b8f4cb58e2967d7806a88249461587f9e13e1a4d1738f1442de8bdd6ecabe581b56d39c6b907dd1def270cdb66c530f368c0a2fb44f30a37b728545 |
C:\Windows\system\rqHiGAa.exe
| MD5 | 47aac041121e45327b9c259717454351 |
| SHA1 | b9fd0155751cce7237735a7fa21b5674cc97dcb6 |
| SHA256 | d3f32c59d305aaec13519e65e27e99092491456acd0a56728a88f91b0861d195 |
| SHA512 | 6cd528693ffc1af48a04c3bcbb50edf6fe422a657e96dc313d68306dd8a4a69318a15566005f9e2eb43971526e37f9ad76dca0248ec539703255ace5c5cd91e8 |
memory/2052-113-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2052-112-0x000000013F790000-0x000000013FAE4000-memory.dmp
C:\Windows\system\tAZwzJE.exe
| MD5 | 9ec4c9ee325a8f81071fe859720afd41 |
| SHA1 | 8109c34bf4b1566b9d8b24e8adf6adea7aa2d46a |
| SHA256 | fa241e6097043def421b1be17bd0b92ef149056e50aa25d0d7887924743a6853 |
| SHA512 | 93ec0f5f0ca7a7a7690c9e99209fa601334e08db7f9e906d68c6a22789eac1f26e7ec38f3feb3b09e20e13284d476e3301b2244b938285ef49e67f2b60fe00ab |
C:\Windows\system\zfwUdqt.exe
| MD5 | c485a447107b603bcc0f0dfb794b01d1 |
| SHA1 | e9352c708756828f8facafb34a47e052180ebf63 |
| SHA256 | 3bbf70b4347a5cb6a8807e68b28515071aabba559ca6a81138134203e0d016b6 |
| SHA512 | d59c59da14c6dc55c0c46af19379d4f020172ee8087a43b4c0ed0bccd2a5ff188a0c6b3ab0347e78178dcf414c43f18ca151956e477042be772510439e4b4a8c |
C:\Windows\system\mEMcfVE.exe
| MD5 | 37676825c1a194d99b5d0d1efee9ff9e |
| SHA1 | 3a14c4306d92797a3568b6733e8027191d73cbf1 |
| SHA256 | be6075318c75f25b0cd5e22e9d704152c088d4ab70d0d28c7effd29ba03fb16c |
| SHA512 | 0eb059c63ab1f862106db4faab589eaa64263888000c6675239b98c762444ec29a5fd64dc5f38989efc4e6dbaebdd7bb347093d8682f23e4edcd679e9c9f9409 |
memory/2052-128-0x000000013F490000-0x000000013F7E4000-memory.dmp
C:\Windows\system\OtRjcdf.exe
| MD5 | 09b890779c3e886465f58b4f2686aa02 |
| SHA1 | 8c680badbb6187e04ed08b3f19c5dc7bcac9463e |
| SHA256 | b813551b8ed7d3c5c5213a7245012636c31fb954509fb1bee7364d4f80cf4a95 |
| SHA512 | 09797f6fc560d136a08ff4bd0f49ea420fb98768dff13e25ebe4eb0fd4183f9a6306a41b86d75cf26e34cd56ee2efd457bc8aaafbab53e93b7a1f29f8a50b4e2 |
C:\Windows\system\NjjZRYU.exe
| MD5 | 601bd8af8556b58d660db6a412767eb7 |
| SHA1 | b56a9f6b0f077a739709b9c4cf7d2b76bb5dfbdd |
| SHA256 | 154102f0f567b569dee145eb22c5f187f3ed2b227a0e30a0ae78cbd9eb3af4a1 |
| SHA512 | 23242c14381262369052d13a97aab9994f6defcd967f219568b5452222f5e695683a41df8513cd50cdfd66288b0a4d39bed487d7e7c7a67514a05212ec3b5bac |
\Windows\system\pOBsdCn.exe
| MD5 | ef5a7d4aef4f689f6012c92784cf16b3 |
| SHA1 | dc1b9ff2f7623829d579842dfffc55766bdfc417 |
| SHA256 | 0fdbdb5e57920b5b0b12e81e666082335789f79f603111c530f5589f071a77f6 |
| SHA512 | 8abee50f2490274aa52226cd34e466790fd51a7f3465acce666525e77c432dc15807778568345ad4f825716f020cdbef44e4d79404ca5a1bc9c955f8aeff5bc9 |
memory/3024-143-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2052-144-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2580-145-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2052-146-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2880-147-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/2052-148-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2888-149-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2052-150-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2448-151-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/3060-152-0x000000013F6C0000-0x000000013FA14000-memory.dmp
memory/2364-153-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2688-154-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/1984-155-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2772-156-0x000000013FD00000-0x0000000140054000-memory.dmp
memory/2700-157-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2528-158-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/3024-159-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2580-160-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2860-161-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2888-163-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2880-162-0x000000013F770000-0x000000013FAC4000-memory.dmp