Analysis Overview
SHA256
0abd22c36c4ee358aa6f8e14db796def6f1c98d166a226975ca1dc60d5101d35
Threat Level: Known bad
The file 2024-06-06_a3dc0d6f7e449349de7ca5b4f83b0a6f_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Cobaltstrike family
xmrig
XMRig Miner payload
Xmrig family
Cobaltstrike
Cobalt Strike reflective loader
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 14:03
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 14:02
Reported
2024-06-06 14:06
Platform
win10v2004-20240508-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\VfuwvgK.exe | N/A |
| N/A | N/A | C:\Windows\System\laNvDFB.exe | N/A |
| N/A | N/A | C:\Windows\System\efreIVY.exe | N/A |
| N/A | N/A | C:\Windows\System\OgQoeWt.exe | N/A |
| N/A | N/A | C:\Windows\System\UfNIYOI.exe | N/A |
| N/A | N/A | C:\Windows\System\YHNOPdu.exe | N/A |
| N/A | N/A | C:\Windows\System\HdCGQsl.exe | N/A |
| N/A | N/A | C:\Windows\System\fswQUlt.exe | N/A |
| N/A | N/A | C:\Windows\System\LOIVOMe.exe | N/A |
| N/A | N/A | C:\Windows\System\HaSpCmP.exe | N/A |
| N/A | N/A | C:\Windows\System\ajrKQMD.exe | N/A |
| N/A | N/A | C:\Windows\System\ujWqeGj.exe | N/A |
| N/A | N/A | C:\Windows\System\cEXKour.exe | N/A |
| N/A | N/A | C:\Windows\System\RSQTWbJ.exe | N/A |
| N/A | N/A | C:\Windows\System\VibtlVK.exe | N/A |
| N/A | N/A | C:\Windows\System\BEEBoAT.exe | N/A |
| N/A | N/A | C:\Windows\System\BsArtGv.exe | N/A |
| N/A | N/A | C:\Windows\System\jvAEELF.exe | N/A |
| N/A | N/A | C:\Windows\System\hBHAPlK.exe | N/A |
| N/A | N/A | C:\Windows\System\IMgPdlL.exe | N/A |
| N/A | N/A | C:\Windows\System\LLQrNCY.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_a3dc0d6f7e449349de7ca5b4f83b0a6f_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_a3dc0d6f7e449349de7ca5b4f83b0a6f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_a3dc0d6f7e449349de7ca5b4f83b0a6f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_a3dc0d6f7e449349de7ca5b4f83b0a6f_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\VfuwvgK.exe
C:\Windows\System\VfuwvgK.exe
C:\Windows\System\laNvDFB.exe
C:\Windows\System\laNvDFB.exe
C:\Windows\System\efreIVY.exe
C:\Windows\System\efreIVY.exe
C:\Windows\System\OgQoeWt.exe
C:\Windows\System\OgQoeWt.exe
C:\Windows\System\UfNIYOI.exe
C:\Windows\System\UfNIYOI.exe
C:\Windows\System\YHNOPdu.exe
C:\Windows\System\YHNOPdu.exe
C:\Windows\System\HdCGQsl.exe
C:\Windows\System\HdCGQsl.exe
C:\Windows\System\fswQUlt.exe
C:\Windows\System\fswQUlt.exe
C:\Windows\System\LOIVOMe.exe
C:\Windows\System\LOIVOMe.exe
C:\Windows\System\HaSpCmP.exe
C:\Windows\System\HaSpCmP.exe
C:\Windows\System\ajrKQMD.exe
C:\Windows\System\ajrKQMD.exe
C:\Windows\System\ujWqeGj.exe
C:\Windows\System\ujWqeGj.exe
C:\Windows\System\cEXKour.exe
C:\Windows\System\cEXKour.exe
C:\Windows\System\RSQTWbJ.exe
C:\Windows\System\RSQTWbJ.exe
C:\Windows\System\VibtlVK.exe
C:\Windows\System\VibtlVK.exe
C:\Windows\System\BEEBoAT.exe
C:\Windows\System\BEEBoAT.exe
C:\Windows\System\BsArtGv.exe
C:\Windows\System\BsArtGv.exe
C:\Windows\System\jvAEELF.exe
C:\Windows\System\jvAEELF.exe
C:\Windows\System\hBHAPlK.exe
C:\Windows\System\hBHAPlK.exe
C:\Windows\System\IMgPdlL.exe
C:\Windows\System\IMgPdlL.exe
C:\Windows\System\LLQrNCY.exe
C:\Windows\System\LLQrNCY.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| NL | 23.62.61.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 105.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/32-0-0x00007FF76B230000-0x00007FF76B584000-memory.dmp
memory/32-1-0x000002D5A1D80000-0x000002D5A1D90000-memory.dmp
C:\Windows\System\VfuwvgK.exe
| MD5 | 19e1cdcaddb559a183f9d8a428c6d4c6 |
| SHA1 | 559515d5f69b401c10f9182700d863694b828bf6 |
| SHA256 | f57928d4720b704725050c24fa4b0b5283e67ac265a2c78e5528114c5e575956 |
| SHA512 | be35b527bf577761e7db30ea83f219aad13c9d5aae61e4bc1f5b5a39e8c5eb5aef8aed4a2347e5cca89ece654c6ffef2171726296ca1fa4fdc0f2be9e69bb95a |
C:\Windows\System\laNvDFB.exe
| MD5 | c8a80bb3fd1ae73b187a9a0b71bc7286 |
| SHA1 | c9ff79bb427bd425199561c31596caa82dd3ec62 |
| SHA256 | 3dd17e357e6bdb62a9f1588dd5414528d8fdf4cd466afc3e1e40d9bbb99b6f12 |
| SHA512 | 01108986330704647ebe010acb6495056377805934075b01a7969023ae3d84a67efc20aa3e3a76dec73ba373693bd9b2c2eadf682e97d63d06563c590e9095ad |
memory/1396-13-0x00007FF7B7A90000-0x00007FF7B7DE4000-memory.dmp
C:\Windows\System\efreIVY.exe
| MD5 | 158526d65e6d0a61ae4738f66f28ced7 |
| SHA1 | a3aa43b76faa284571504dfee028caf5048fc974 |
| SHA256 | 185dd90af24b4418ec5d8ffae01f63d562103b5d103e746b894305ba37f1c46a |
| SHA512 | fea633999d109b5af584489f300428b34657b08ec4534717fe8038e3a89506c0eef757856bd90e64402ba2bf0f81980e33fa13e3b59bde8acabc6e602cecd057 |
memory/1612-20-0x00007FF666C10000-0x00007FF666F64000-memory.dmp
memory/376-8-0x00007FF6B3090000-0x00007FF6B33E4000-memory.dmp
C:\Windows\System\OgQoeWt.exe
| MD5 | 1ff2638ea02f70e22a2558f39c42461c |
| SHA1 | 068947e1adb37e128ee1960344d150a054c30cd9 |
| SHA256 | 55812e32dd6d26bb23445f14a0360f91e9d1deea4589e3842ef0605515d05c00 |
| SHA512 | c02739a756a230b3dec7aabb0b80d76473ce8408a803ddf54bf53156b375068c2e637302b2b98d2e04d048c2022141081d46e0a06f3193b5c35397ece85989dd |
memory/3400-26-0x00007FF64C6D0000-0x00007FF64CA24000-memory.dmp
memory/2512-32-0x00007FF7A9B40000-0x00007FF7A9E94000-memory.dmp
C:\Windows\System\YHNOPdu.exe
| MD5 | 23031c30d35e79c1000b8e405c195f93 |
| SHA1 | 28efef1e36016d265baa06e0b2072bbc98cddca3 |
| SHA256 | a99c4db148672df82fd8efddba1d6725375c9f02af0371f7cf7ff4dea47bd102 |
| SHA512 | bcbc2593de0886003e524576da8f004fbaf9bddb1c318cbdbfa68faca18c58cb61b09817741b5476d3b808508077933e0c362628baaf7ed13181479eb84d9f15 |
C:\Windows\System\HdCGQsl.exe
| MD5 | fbe32ce044f8dfc66a37a3c38c83b598 |
| SHA1 | aedb44f2a6fed4339a87ce76630fa973287bf8a3 |
| SHA256 | 567e6b7953bb0c31e42904b404798049d017a550715ccd4c1b1243edc5e2a387 |
| SHA512 | 3ce659ba733b453cbcf4b5a1280975401ee4424b33f8b6a19b49209f8bc04c85e74373eaa4180fd3ebba6dda5ed2d4785d08159b990d503513e790627b711498 |
memory/2680-46-0x00007FF7A25E0000-0x00007FF7A2934000-memory.dmp
C:\Windows\System\fswQUlt.exe
| MD5 | 573e468b32b3a64246af67a9b95082e4 |
| SHA1 | 2d6c59220bbf43429654dfe27469cccdc8d6b31f |
| SHA256 | 356ff3455fe0ff2ca3192936a0dd911cf9da092cb916460ef4e7b402199abb85 |
| SHA512 | a7884a0cc8ffcf6558f26fa81c34e94289ac687582e3b3d42e436504f263640dfba025576e05df1087a38859dfe1428ac6380792bd833843e357251042ad122b |
C:\Windows\System\LOIVOMe.exe
| MD5 | 2ddedcb6d02b5ac7b0d5db9d1afeeb9e |
| SHA1 | b4b6a0f50913c354b550a9ab4f842102a774f3ac |
| SHA256 | d344cfd9f3290a0ce0db2d6e5866413262389ba6aa8566459f8290c94bfc448d |
| SHA512 | 00343f42973e5440bc9e6f6ce9de20b8fd4c6d891c618cea6276079b47d3960ebf6e21bde10f0ad717a4167da6723ff7c2fc76299d0736681cd00f0bc88f3fde |
C:\Windows\System\HaSpCmP.exe
| MD5 | 3b4457ade964db5acf793e21c2fe581e |
| SHA1 | 63da2219fb1bff858ac2695df466da45a1895125 |
| SHA256 | bcfd7e8015587afdf48f44787a05df4c1934f630618165c026b4c4db747b14c2 |
| SHA512 | 6bb279df7e5c88c241279a105c3bc24876542b739dc635a290c8de793439e2b5db89076f841aef2e759d1ca9d9c7329c22da648136adbff11c180c5a8effd7c3 |
memory/3212-62-0x00007FF668150000-0x00007FF6684A4000-memory.dmp
memory/3056-57-0x00007FF7BEDB0000-0x00007FF7BF104000-memory.dmp
memory/2892-55-0x00007FF72FF00000-0x00007FF730254000-memory.dmp
memory/2448-36-0x00007FF65B610000-0x00007FF65B964000-memory.dmp
C:\Windows\System\UfNIYOI.exe
| MD5 | e1bdb469eaa5b9cdc9d97e719becbc50 |
| SHA1 | 87985523fe2110e1e4068ac1c5b252ba9c66182b |
| SHA256 | 48eb198427c489d7a8088252ad97dae114774fdf2adec424121d1452e97d49cb |
| SHA512 | ad234777538013b8444fb4b2135e66d3ca82b720d9c428a71d4cf143e49601b44beb39e6f789dfc04330a4785db375ca625601378766f6ef5e2b04d51819e5d7 |
C:\Windows\System\ajrKQMD.exe
| MD5 | 3b450bd4056c45056503849e4ecd9de5 |
| SHA1 | 4084f5ff469c45c23c726d39d7d6c13d5c8141e5 |
| SHA256 | a5f654d467eadc4a4cdb5d62128ac409aab76a74cb25f096be51080d27d69b7d |
| SHA512 | adcabfe70d7be232e7a1f9a6ef6c8cac824dd9c93cd27fca36f7b319b523fc3569ad857634a50f497e487956146ac309d90dc1fbab808d3aee9e7e0ddebc0571 |
C:\Windows\System\cEXKour.exe
| MD5 | de279d7b14af2f4457c0f914ff4f256f |
| SHA1 | 73bc0cb5a874db3eed8730278bc8294b2ed2c229 |
| SHA256 | 73a89c898c62bec2fdecd552bea169d35038ada86c7bd52c86b542764b420416 |
| SHA512 | 960eb8a5a3b408510d5288b465fce43925f272a4d0b4ef8196b87a715c4e7069861508b1ebccf6bd947eb72824489e4bc55e4e936240dc72b29d4d4ec52524b0 |
memory/2360-74-0x00007FF733B20000-0x00007FF733E74000-memory.dmp
C:\Windows\System\ujWqeGj.exe
| MD5 | 0c9653e2ee79269ae196379a8593296b |
| SHA1 | f6bc0638f250b62c13e3f761cb9cbf1c62b5e790 |
| SHA256 | 4ea605f3cef7e1c3a8f05948508313c8e57dca774532980463b7068c4fd0c284 |
| SHA512 | ce67610928466578b83ade77a12104418f1589eb5784586bf4d22069e2eebfea6c55dc87367dc5f3901425ac77933c7352dd499a587511b01f311c7e2ed9bb5f |
memory/32-68-0x00007FF76B230000-0x00007FF76B584000-memory.dmp
memory/376-80-0x00007FF6B3090000-0x00007FF6B33E4000-memory.dmp
C:\Windows\System\RSQTWbJ.exe
| MD5 | 91c1aa234a43fc4c00247a0ebd6d1744 |
| SHA1 | ccb1441534b3255f355ead6795eb1a6bff504983 |
| SHA256 | 5ced6765b3a3b8819763905fe34bb275625d7a72bd47c00703a4d035400e6184 |
| SHA512 | af51849a9d5e18524bec51453342933c25dc26994f65620d17eb734e007a6bf489b4d5fc8c09dc44552f84e9d79a3b76e4b32d5af40a62cdff2d4139a81b410f |
memory/2232-89-0x00007FF7BE8C0000-0x00007FF7BEC14000-memory.dmp
C:\Windows\System\RSQTWbJ.exe
| MD5 | f6cdfb3d88537b367792cbd894bd98ed |
| SHA1 | 3d3f99c94c72c456dffcf949bc5d30603a7e936c |
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
| SHA512 | 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3 |
memory/1396-85-0x00007FF7B7A90000-0x00007FF7B7DE4000-memory.dmp
memory/892-84-0x00007FF7BDA70000-0x00007FF7BDDC4000-memory.dmp
memory/1104-83-0x00007FF6587C0000-0x00007FF658B14000-memory.dmp
C:\Windows\System\BEEBoAT.exe
| MD5 | 77f8f21072dac1ee9d07d840530c306f |
| SHA1 | b65ead298f6cd1fa23e97699165db581e72ee7b2 |
| SHA256 | 2d6aba2aaeba18cc06f762f8364357b655a69ddd9dbcf2c8ff45bb564e565604 |
| SHA512 | 3dbd8f5d62bb53d28e78e9e0f7d48cafc944e1b0da976cbd3eac372d54877ad67b53d48b2c75d22f634e24f7a5b3566f636c4cd311cdbf7bba364366007c1183 |
memory/4488-102-0x00007FF68ED90000-0x00007FF68F0E4000-memory.dmp
C:\Windows\System\VibtlVK.exe
| MD5 | 02bd553a239ddb5b26594aadb11982e4 |
| SHA1 | cdd6fd75a6c30b2ba45a811890dc53a163bdfa20 |
| SHA256 | 8009c5532748c8687e03fb9e7ce8ef2abaff7147ce97f18f8966a945cbbf2a8a |
| SHA512 | 74a5910d424e32de5227915d3421e5579c25944d6e33327e941965e81a25dbe1b9d7f0f44a72afe1b8a481ad4b7a540b68716b7d91c647c16e851d823df4b4d9 |
C:\Windows\System\BEEBoAT.exe
| MD5 | 1e2459942327eb396bd8cd9cbc885d14 |
| SHA1 | b979cbcb517509c30843efb1d91bef30f1f24a44 |
| SHA256 | 54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a |
| SHA512 | 62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7 |
memory/3308-94-0x00007FF7121E0000-0x00007FF712534000-memory.dmp
memory/3400-93-0x00007FF64C6D0000-0x00007FF64CA24000-memory.dmp
C:\Windows\System\BsArtGv.exe
| MD5 | ec62c0e86d0f36f59df06eb52a678187 |
| SHA1 | c0e16dd397cb50916b9f7de2c69aa57ffd2c3776 |
| SHA256 | 1cb0f1ada403f1f51497355481fdeb64a524b58b51336ac271cb58529d7fa9b4 |
| SHA512 | 4f8f6d146199912b2882837c53d4234d13f94f1c6024ffe8aff4d92b2ad75c7fa714ce58947e5eefd41f04ed03ee3d38109387b2d9e87ccebfda58d66651ff67 |
C:\Windows\System\IMgPdlL.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
memory/2640-125-0x00007FF72C4C0000-0x00007FF72C814000-memory.dmp
memory/4060-119-0x00007FF7D1D40000-0x00007FF7D2094000-memory.dmp
memory/2128-116-0x00007FF762500000-0x00007FF762854000-memory.dmp
C:\Windows\System\jvAEELF.exe
| MD5 | a101049315cff6c9687bc2c303397076 |
| SHA1 | df5294fc254392c5a4fd7904e28e2409343bc59b |
| SHA256 | f93783fdcaf2982fd82b3caa3805d7b8607df6c2a8f8148dcafeff5d03c690ef |
| SHA512 | d40642521207146da29467a9bfb024c3ac6997f5dd31bff3d543ace3692d137398804a110804b1a5de921a324f54048bf8a93e1d809da4fd076740d22bdc6794 |
memory/1092-111-0x00007FF793B00000-0x00007FF793E54000-memory.dmp
C:\Windows\System\LLQrNCY.exe
| MD5 | 16b2f93ed6b38ef6bc92b73f200d8e1e |
| SHA1 | 87519f601ce5125521bfce35d7118b11371e1c61 |
| SHA256 | 4886906caf92a14794047a517b5f3cdb89c7ea395814c57712e0e75186e3859e |
| SHA512 | e27df770ae77007a032ecaf8cb731f57114a10ebd6c0e63a535da0efbb8f3c6db02be78dd1ca2155c7da1d4663d1555fb3d4f18dcacb04edbcc0793acb2e4fc6 |
memory/2448-106-0x00007FF65B610000-0x00007FF65B964000-memory.dmp
memory/3544-132-0x00007FF7F0880000-0x00007FF7F0BD4000-memory.dmp
memory/3308-133-0x00007FF7121E0000-0x00007FF712534000-memory.dmp
memory/1092-134-0x00007FF793B00000-0x00007FF793E54000-memory.dmp
memory/2128-135-0x00007FF762500000-0x00007FF762854000-memory.dmp
memory/4060-136-0x00007FF7D1D40000-0x00007FF7D2094000-memory.dmp
memory/2640-137-0x00007FF72C4C0000-0x00007FF72C814000-memory.dmp
memory/376-138-0x00007FF6B3090000-0x00007FF6B33E4000-memory.dmp
memory/1396-139-0x00007FF7B7A90000-0x00007FF7B7DE4000-memory.dmp
memory/1612-140-0x00007FF666C10000-0x00007FF666F64000-memory.dmp
memory/3400-141-0x00007FF64C6D0000-0x00007FF64CA24000-memory.dmp
memory/2512-142-0x00007FF7A9B40000-0x00007FF7A9E94000-memory.dmp
memory/2448-143-0x00007FF65B610000-0x00007FF65B964000-memory.dmp
memory/2680-144-0x00007FF7A25E0000-0x00007FF7A2934000-memory.dmp
memory/3056-146-0x00007FF7BEDB0000-0x00007FF7BF104000-memory.dmp
memory/2892-145-0x00007FF72FF00000-0x00007FF730254000-memory.dmp
memory/3212-147-0x00007FF668150000-0x00007FF6684A4000-memory.dmp
memory/1104-149-0x00007FF6587C0000-0x00007FF658B14000-memory.dmp
memory/2360-148-0x00007FF733B20000-0x00007FF733E74000-memory.dmp
memory/892-150-0x00007FF7BDA70000-0x00007FF7BDDC4000-memory.dmp
memory/2232-151-0x00007FF7BE8C0000-0x00007FF7BEC14000-memory.dmp
memory/4488-153-0x00007FF68ED90000-0x00007FF68F0E4000-memory.dmp
memory/3308-152-0x00007FF7121E0000-0x00007FF712534000-memory.dmp
memory/1092-154-0x00007FF793B00000-0x00007FF793E54000-memory.dmp
memory/4060-156-0x00007FF7D1D40000-0x00007FF7D2094000-memory.dmp
memory/2640-157-0x00007FF72C4C0000-0x00007FF72C814000-memory.dmp
memory/2128-155-0x00007FF762500000-0x00007FF762854000-memory.dmp
memory/3544-158-0x00007FF7F0880000-0x00007FF7F0BD4000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 14:02
Reported
2024-06-06 14:06
Platform
win7-20240508-en
Max time kernel
134s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\VfuwvgK.exe | N/A |
| N/A | N/A | C:\Windows\System\laNvDFB.exe | N/A |
| N/A | N/A | C:\Windows\System\efreIVY.exe | N/A |
| N/A | N/A | C:\Windows\System\OgQoeWt.exe | N/A |
| N/A | N/A | C:\Windows\System\UfNIYOI.exe | N/A |
| N/A | N/A | C:\Windows\System\YHNOPdu.exe | N/A |
| N/A | N/A | C:\Windows\System\HdCGQsl.exe | N/A |
| N/A | N/A | C:\Windows\System\fswQUlt.exe | N/A |
| N/A | N/A | C:\Windows\System\LOIVOMe.exe | N/A |
| N/A | N/A | C:\Windows\System\HaSpCmP.exe | N/A |
| N/A | N/A | C:\Windows\System\ajrKQMD.exe | N/A |
| N/A | N/A | C:\Windows\System\ujWqeGj.exe | N/A |
| N/A | N/A | C:\Windows\System\cEXKour.exe | N/A |
| N/A | N/A | C:\Windows\System\RSQTWbJ.exe | N/A |
| N/A | N/A | C:\Windows\System\VibtlVK.exe | N/A |
| N/A | N/A | C:\Windows\System\BEEBoAT.exe | N/A |
| N/A | N/A | C:\Windows\System\BsArtGv.exe | N/A |
| N/A | N/A | C:\Windows\System\jvAEELF.exe | N/A |
| N/A | N/A | C:\Windows\System\hBHAPlK.exe | N/A |
| N/A | N/A | C:\Windows\System\IMgPdlL.exe | N/A |
| N/A | N/A | C:\Windows\System\LLQrNCY.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_a3dc0d6f7e449349de7ca5b4f83b0a6f_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_a3dc0d6f7e449349de7ca5b4f83b0a6f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_a3dc0d6f7e449349de7ca5b4f83b0a6f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_a3dc0d6f7e449349de7ca5b4f83b0a6f_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\VfuwvgK.exe
C:\Windows\System\laNvDFB.exe
C:\Windows\System\efreIVY.exe
C:\Windows\System\OgQoeWt.exe
C:\Windows\System\UfNIYOI.exe
C:\Windows\System\YHNOPdu.exe
C:\Windows\System\HdCGQsl.exe
C:\Windows\System\fswQUlt.exe
C:\Windows\System\LOIVOMe.exe
C:\Windows\System\HaSpCmP.exe
C:\Windows\System\ajrKQMD.exe
C:\Windows\System\ujWqeGj.exe
C:\Windows\System\cEXKour.exe
C:\Windows\System\RSQTWbJ.exe
C:\Windows\System\VibtlVK.exe
C:\Windows\System\BEEBoAT.exe
C:\Windows\System\BsArtGv.exe
C:\Windows\System\jvAEELF.exe
C:\Windows\System\hBHAPlK.exe
C:\Windows\System\IMgPdlL.exe
C:\Windows\System\LLQrNCY.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\VfuwvgK.exe
| MD5 | 19e1cdcaddb559a183f9d8a428c6d4c6 |
| SHA1 | 559515d5f69b401c10f9182700d863694b828bf6 |
| SHA256 | f57928d4720b704725050c24fa4b0b5283e67ac265a2c78e5528114c5e575956 |
| SHA512 | be35b527bf577761e7db30ea83f219aad13c9d5aae61e4bc1f5b5a39e8c5eb5aef8aed4a2347e5cca89ece654c6ffef2171726296ca1fa4fdc0f2be9e69bb95a |
C:\Windows\system\laNvDFB.exe
| MD5 | c8a80bb3fd1ae73b187a9a0b71bc7286 |
| SHA1 | c9ff79bb427bd425199561c31596caa82dd3ec62 |
| SHA256 | 3dd17e357e6bdb62a9f1588dd5414528d8fdf4cd466afc3e1e40d9bbb99b6f12 |
| SHA512 | 01108986330704647ebe010acb6495056377805934075b01a7969023ae3d84a67efc20aa3e3a76dec73ba373693bd9b2c2eadf682e97d63d06563c590e9095ad |
C:\Windows\system\efreIVY.exe
| MD5 | 158526d65e6d0a61ae4738f66f28ced7 |
| SHA1 | a3aa43b76faa284571504dfee028caf5048fc974 |
| SHA256 | 185dd90af24b4418ec5d8ffae01f63d562103b5d103e746b894305ba37f1c46a |
| SHA512 | fea633999d109b5af584489f300428b34657b08ec4534717fe8038e3a89506c0eef757856bd90e64402ba2bf0f81980e33fa13e3b59bde8acabc6e602cecd057 |
C:\Windows\system\OgQoeWt.exe
| MD5 | 1ff2638ea02f70e22a2558f39c42461c |
| SHA1 | 068947e1adb37e128ee1960344d150a054c30cd9 |
| SHA256 | 55812e32dd6d26bb23445f14a0360f91e9d1deea4589e3842ef0605515d05c00 |
| SHA512 | c02739a756a230b3dec7aabb0b80d76473ce8408a803ddf54bf53156b375068c2e637302b2b98d2e04d048c2022141081d46e0a06f3193b5c35397ece85989dd |
C:\Windows\system\UfNIYOI.exe
| MD5 | e1bdb469eaa5b9cdc9d97e719becbc50 |
| SHA1 | 87985523fe2110e1e4068ac1c5b252ba9c66182b |
| SHA256 | 48eb198427c489d7a8088252ad97dae114774fdf2adec424121d1452e97d49cb |
| SHA512 | ad234777538013b8444fb4b2135e66d3ca82b720d9c428a71d4cf143e49601b44beb39e6f789dfc04330a4785db375ca625601378766f6ef5e2b04d51819e5d7 |
C:\Windows\system\YHNOPdu.exe
| MD5 | 23031c30d35e79c1000b8e405c195f93 |
| SHA1 | 28efef1e36016d265baa06e0b2072bbc98cddca3 |
| SHA256 | a99c4db148672df82fd8efddba1d6725375c9f02af0371f7cf7ff4dea47bd102 |
| SHA512 | bcbc2593de0886003e524576da8f004fbaf9bddb1c318cbdbfa68faca18c58cb61b09817741b5476d3b808508077933e0c362628baaf7ed13181479eb84d9f15 |
C:\Windows\system\HdCGQsl.exe
| MD5 | fbe32ce044f8dfc66a37a3c38c83b598 |
| SHA1 | aedb44f2a6fed4339a87ce76630fa973287bf8a3 |
| SHA256 | 567e6b7953bb0c31e42904b404798049d017a550715ccd4c1b1243edc5e2a387 |
| SHA512 | 3ce659ba733b453cbcf4b5a1280975401ee4424b33f8b6a19b49209f8bc04c85e74373eaa4180fd3ebba6dda5ed2d4785d08159b990d503513e790627b711498 |
C:\Windows\system\fswQUlt.exe
| MD5 | 573e468b32b3a64246af67a9b95082e4 |
| SHA1 | 2d6c59220bbf43429654dfe27469cccdc8d6b31f |
| SHA256 | 356ff3455fe0ff2ca3192936a0dd911cf9da092cb916460ef4e7b402199abb85 |
| SHA512 | a7884a0cc8ffcf6558f26fa81c34e94289ac687582e3b3d42e436504f263640dfba025576e05df1087a38859dfe1428ac6380792bd833843e357251042ad122b |
C:\Windows\system\BEEBoAT.exe
| MD5 | 77f8f21072dac1ee9d07d840530c306f |
| SHA1 | b65ead298f6cd1fa23e97699165db581e72ee7b2 |
| SHA256 | 2d6aba2aaeba18cc06f762f8364357b655a69ddd9dbcf2c8ff45bb564e565604 |
| SHA512 | 3dbd8f5d62bb53d28e78e9e0f7d48cafc944e1b0da976cbd3eac372d54877ad67b53d48b2c75d22f634e24f7a5b3566f636c4cd311cdbf7bba364366007c1183 |
C:\Windows\system\LLQrNCY.exe
| MD5 | 16b2f93ed6b38ef6bc92b73f200d8e1e |
| SHA1 | 87519f601ce5125521bfce35d7118b11371e1c61 |
| SHA256 | 4886906caf92a14794047a517b5f3cdb89c7ea395814c57712e0e75186e3859e |
| SHA512 | e27df770ae77007a032ecaf8cb731f57114a10ebd6c0e63a535da0efbb8f3c6db02be78dd1ca2155c7da1d4663d1555fb3d4f18dcacb04edbcc0793acb2e4fc6 |
C:\Windows\system\IMgPdlL.exe
| MD5 | 468057d25df84e8d41a62e6e238ed727 |
| SHA1 | 0d5fab84b35124335b9e23d940263dd543802581 |
| SHA256 | fc9d83f371f33d472ac24fdc12da0b73f538a2067b7d63cfc3cb9075f6ee6c4d |
| SHA512 | 9377304c76bd1a1f83e75c218ac0a3739476ae155302162d18eb2dc65be6ebdd1135ab14f47dc954b9aaf81ee99df96556a4aa9c421bdb0516df427999dc12cf |
C:\Windows\system\hBHAPlK.exe
| MD5 | 03ed8cbd20a57d9e4810be157e9b5b47 |
| SHA1 | 04c70e3c6d16f739fd765961aad310fe44e58fb7 |
| SHA256 | b2fd34de849dfeb0a99186e6e4b7f18acef31e441ebeef870e22c10dda0d29be |
| SHA512 | f073f910b5b4b86563398d6426b66f2568a180d1b6aeab9afa424b20321bd4e5ad804324bf0146c80be9eef1101e3abb18286bb35803fa07d4deab490c2384c5 |
C:\Windows\system\jvAEELF.exe
| MD5 | a101049315cff6c9687bc2c303397076 |
| SHA1 | df5294fc254392c5a4fd7904e28e2409343bc59b |
| SHA256 | f93783fdcaf2982fd82b3caa3805d7b8607df6c2a8f8148dcafeff5d03c690ef |
| SHA512 | d40642521207146da29467a9bfb024c3ac6997f5dd31bff3d543ace3692d137398804a110804b1a5de921a324f54048bf8a93e1d809da4fd076740d22bdc6794 |
C:\Windows\system\BsArtGv.exe
| MD5 | ec62c0e86d0f36f59df06eb52a678187 |
| SHA1 | c0e16dd397cb50916b9f7de2c69aa57ffd2c3776 |
| SHA256 | 1cb0f1ada403f1f51497355481fdeb64a524b58b51336ac271cb58529d7fa9b4 |
| SHA512 | 4f8f6d146199912b2882837c53d4234d13f94f1c6024ffe8aff4d92b2ad75c7fa714ce58947e5eefd41f04ed03ee3d38109387b2d9e87ccebfda58d66651ff67 |
\Windows\system\BsArtGv.exe
| MD5 | 992e15ebc2245cf970acce9948576d6c |
| SHA1 | 3322f50d4aebf915abc8a5277cd07a23adf5f127 |
| SHA256 | 34aca34b8538d4e7f9b5ca1806b2281a0382769188fd9d2c13b1e312e96b00f5 |
| SHA512 | 2299491ec9c9bd4a6ac0a40bf192f660f0f17c74b61aa4e0097b4c4f83a6d479f7a76f02af36d33e9826debb7591943213a22619c67db9751ef075d87dd44bf7 |
C:\Windows\system\VibtlVK.exe
| MD5 | 02bd553a239ddb5b26594aadb11982e4 |
| SHA1 | cdd6fd75a6c30b2ba45a811890dc53a163bdfa20 |
| SHA256 | 8009c5532748c8687e03fb9e7ce8ef2abaff7147ce97f18f8966a945cbbf2a8a |
| SHA512 | 74a5910d424e32de5227915d3421e5579c25944d6e33327e941965e81a25dbe1b9d7f0f44a72afe1b8a481ad4b7a540b68716b7d91c647c16e851d823df4b4d9 |
C:\Windows\system\RSQTWbJ.exe
| MD5 | d087d60bee972482ba414dde57d94064 |
| SHA1 | 0e58102d75409e85387c950e86f4cc96da371515 |
| SHA256 | 1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9 |
| SHA512 | 500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b |
\Windows\system\RSQTWbJ.exe
| MD5 | 91c1aa234a43fc4c00247a0ebd6d1744 |
| SHA1 | ccb1441534b3255f355ead6795eb1a6bff504983 |
| SHA256 | 5ced6765b3a3b8819763905fe34bb275625d7a72bd47c00703a4d035400e6184 |
| SHA512 | af51849a9d5e18524bec51453342933c25dc26994f65620d17eb734e007a6bf489b4d5fc8c09dc44552f84e9d79a3b76e4b32d5af40a62cdff2d4139a81b410f |
C:\Windows\system\cEXKour.exe
| MD5 | de279d7b14af2f4457c0f914ff4f256f |
| SHA1 | 73bc0cb5a874db3eed8730278bc8294b2ed2c229 |
| SHA256 | 73a89c898c62bec2fdecd552bea169d35038ada86c7bd52c86b542764b420416 |
| SHA512 | 960eb8a5a3b408510d5288b465fce43925f272a4d0b4ef8196b87a715c4e7069861508b1ebccf6bd947eb72824489e4bc55e4e936240dc72b29d4d4ec52524b0 |
C:\Windows\system\ujWqeGj.exe
| MD5 | 0c9653e2ee79269ae196379a8593296b |
| SHA1 | f6bc0638f250b62c13e3f761cb9cbf1c62b5e790 |
| SHA256 | 4ea605f3cef7e1c3a8f05948508313c8e57dca774532980463b7068c4fd0c284 |
| SHA512 | ce67610928466578b83ade77a12104418f1589eb5784586bf4d22069e2eebfea6c55dc87367dc5f3901425ac77933c7352dd499a587511b01f311c7e2ed9bb5f |
C:\Windows\system\ajrKQMD.exe
| MD5 | 3b450bd4056c45056503849e4ecd9de5 |
| SHA1 | 4084f5ff469c45c23c726d39d7d6c13d5c8141e5 |
| SHA256 | a5f654d467eadc4a4cdb5d62128ac409aab76a74cb25f096be51080d27d69b7d |
| SHA512 | adcabfe70d7be232e7a1f9a6ef6c8cac824dd9c93cd27fca36f7b319b523fc3569ad857634a50f497e487956146ac309d90dc1fbab808d3aee9e7e0ddebc0571 |
C:\Windows\system\HaSpCmP.exe
| MD5 | 3b4457ade964db5acf793e21c2fe581e |
| SHA1 | 63da2219fb1bff858ac2695df466da45a1895125 |
| SHA256 | bcfd7e8015587afdf48f44787a05df4c1934f630618165c026b4c4db747b14c2 |
| SHA512 | 6bb279df7e5c88c241279a105c3bc24876542b739dc635a290c8de793439e2b5db89076f841aef2e759d1ca9d9c7329c22da648136adbff11c180c5a8effd7c3 |
C:\Windows\system\LOIVOMe.exe
| MD5 | 2ddedcb6d02b5ac7b0d5db9d1afeeb9e |
| SHA1 | b4b6a0f50913c354b550a9ab4f842102a774f3ac |
| SHA256 | d344cfd9f3290a0ce0db2d6e5866413262389ba6aa8566459f8290c94bfc448d |
| SHA512 | 00343f42973e5440bc9e6f6ce9de20b8fd4c6d891c618cea6276079b47d3960ebf6e21bde10f0ad717a4167da6723ff7c2fc76299d0736681cd00f0bc88f3fde |