Analysis Overview
SHA256
f3f91ff34eb039f19fc642217809df770bd0ed7f832397ac80b2945e351e0574
Threat Level: Known bad
The file 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike family
Cobalt Strike reflective loader
xmrig
UPX dump on OEP (original entry point)
Cobaltstrike
Detects Reflective DLL injection artifacts
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-07 01:40
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-07 01:40
Reported
2024-06-07 01:43
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xYDbKeq.exe | N/A |
| N/A | N/A | C:\Windows\System\ntTLUre.exe | N/A |
| N/A | N/A | C:\Windows\System\zxMDhTR.exe | N/A |
| N/A | N/A | C:\Windows\System\wsuMAqY.exe | N/A |
| N/A | N/A | C:\Windows\System\GqKdwli.exe | N/A |
| N/A | N/A | C:\Windows\System\QjfRoYk.exe | N/A |
| N/A | N/A | C:\Windows\System\ANtztmS.exe | N/A |
| N/A | N/A | C:\Windows\System\ohEhELp.exe | N/A |
| N/A | N/A | C:\Windows\System\xrCcMMv.exe | N/A |
| N/A | N/A | C:\Windows\System\BirMLNn.exe | N/A |
| N/A | N/A | C:\Windows\System\GfXapPr.exe | N/A |
| N/A | N/A | C:\Windows\System\HGniUjs.exe | N/A |
| N/A | N/A | C:\Windows\System\QWVdeqg.exe | N/A |
| N/A | N/A | C:\Windows\System\auxffal.exe | N/A |
| N/A | N/A | C:\Windows\System\LAdNlsZ.exe | N/A |
| N/A | N/A | C:\Windows\System\WhZfDxw.exe | N/A |
| N/A | N/A | C:\Windows\System\kWDNLuI.exe | N/A |
| N/A | N/A | C:\Windows\System\xmWpVln.exe | N/A |
| N/A | N/A | C:\Windows\System\TcovHfv.exe | N/A |
| N/A | N/A | C:\Windows\System\GCcKkCN.exe | N/A |
| N/A | N/A | C:\Windows\System\ZMynxrp.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\xYDbKeq.exe
C:\Windows\System\ntTLUre.exe
C:\Windows\System\zxMDhTR.exe
C:\Windows\System\wsuMAqY.exe
C:\Windows\System\GqKdwli.exe
C:\Windows\System\QjfRoYk.exe
C:\Windows\System\ANtztmS.exe
C:\Windows\System\ohEhELp.exe
C:\Windows\System\xrCcMMv.exe
C:\Windows\System\BirMLNn.exe
C:\Windows\System\GfXapPr.exe
C:\Windows\System\HGniUjs.exe
C:\Windows\System\QWVdeqg.exe
C:\Windows\System\auxffal.exe
C:\Windows\System\LAdNlsZ.exe
C:\Windows\System\WhZfDxw.exe
C:\Windows\System\kWDNLuI.exe
C:\Windows\System\xmWpVln.exe
C:\Windows\System\TcovHfv.exe
C:\Windows\System\GCcKkCN.exe
C:\Windows\System\ZMynxrp.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.96:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 52.111.229.43:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
memory/3116-0-0x00007FF645530000-0x00007FF645884000-memory.dmp
memory/3116-1-0x000002060F980000-0x000002060F990000-memory.dmp
C:\Windows\System\xYDbKeq.exe
| MD5 | 27de40d259bb63ef2f65d4b219ccbc10 |
| SHA1 | fb2b10b9a0af73a04f360d905684d6fb89ed6f2d |
| SHA256 | 3195edec344e547ba69cfa35c849141709f52fb2c5014fa3264c7d8e34e5cd36 |
| SHA512 | 6d186dfe4125cd1f28c3062f086751677ab0da06a0db570fd28354ca9a2e3a732c09148ac9f827a695f919ca4b3eaa460b95750db6d8a2e302c134eaec4c19a9 |
memory/1632-8-0x00007FF795B40000-0x00007FF795E94000-memory.dmp
C:\Windows\System\ntTLUre.exe
| MD5 | da5a69fc30166be5f9930ae5cc05281e |
| SHA1 | ae08c31288451ae2d043fa394b05ed31e8ab55f1 |
| SHA256 | 4b57218118f3261599a3fcfb211d5b6cc2e105f372dee547ebffde85ad8cb7d9 |
| SHA512 | e394ee020267cb7d88d1f85a41ad050152a86f4bd804c7287ffd9fc6f97aacb0db2ab6ffbef7d35060af83a3f8a4e29d49797c78a0a301d691314cf34e0fee2c |
memory/804-13-0x00007FF69F210000-0x00007FF69F564000-memory.dmp
C:\Windows\System\zxMDhTR.exe
| MD5 | fcc2ff7df0e337a858f18bcaea96a90a |
| SHA1 | 1a036c10e5c4844ddb53de3b9720ddcc85621d3f |
| SHA256 | fff71d8cf1943bd266e6757ea1769cf2fce7b0b5854df645c9e1e7fbf9ad5de6 |
| SHA512 | 222951c2c4c9a9d60e59d68d03c335e6a43aea3df38268e95118daf021ecb377f6cfda8e0b0c4c82f21c475b5a64e7b15c97ea9b2cfd11f0c72c2b5d2982e5a9 |
C:\Windows\System\wsuMAqY.exe
| MD5 | 25836b8d7e7a7fb06831663c92558abf |
| SHA1 | a80b66b3c43bdabed5282c08e9cfa07acecaba44 |
| SHA256 | 88ec895e4338c687b9a5488fda9167a38a1c05b711f67cbc0db1c2d1ddc5eaae |
| SHA512 | f9515c6d098eeb852a0e3f7a1e85d46ebc2a4787ea8a96d757765a0f5355a3b5407d03ab0be44fbc774fee2fa18e0229d9f4554baf5405895c4ef6fd914cf0dc |
C:\Windows\System\GqKdwli.exe
| MD5 | b14a6c224511f1aefcafa8ced45ed912 |
| SHA1 | 496de9abca6b7178a0ab25b45e3a40bed5f3156c |
| SHA256 | 474ef8645d8a5401a6b40ba26bc363c55e27fc92834d1222ae069d6692f6b9cd |
| SHA512 | 696c040d552ea539bd85194508900adb7c4b9b00d91f43d2710069bc5cbef392525123f0c39b26636d3e0aebc05bbd11749d377951c00cfe4ce6d412263f1968 |
memory/404-27-0x00007FF7D9240000-0x00007FF7D9594000-memory.dmp
memory/636-18-0x00007FF6C5EE0000-0x00007FF6C6234000-memory.dmp
C:\Windows\System\QjfRoYk.exe
| MD5 | 0e80086731dc1b320acf16112c5ed3a1 |
| SHA1 | 54c907f72a07ad79fc9dabc8221aef5398055c88 |
| SHA256 | 30e913d181f05c1e20eae95d57a9f0ed7679f509e1c05fb179b7574000b4c6cf |
| SHA512 | 49446352177b1bbaefd8e34cff61f6cf29edcd2dbc23b354482c7bca7815e13df8512ac12ea4a3868da6d7b93017a379e04e7684ba0fd988b3a7581b81be8042 |
memory/2224-38-0x00007FF674400000-0x00007FF674754000-memory.dmp
C:\Windows\System\ANtztmS.exe
| MD5 | d944ca2612283e7cc8bff9c5d9b3e9c5 |
| SHA1 | a6bf45499331e7217e5a711bd6e191e6a4ad4849 |
| SHA256 | 80a73b5162f8f2324a1f1339f24653a334baa6c77b9060f304e57857547d39f8 |
| SHA512 | 39bc3090d954ef4785a72646db26eae12009c22fa6b38cdf3c2031a8c8b9004d8cd3d063be199f6cdf908e676458dc4555bacdb1ef902b552190a321cac8b387 |
memory/3388-42-0x00007FF707E00000-0x00007FF708154000-memory.dmp
C:\Windows\System\GfXapPr.exe
| MD5 | 7c4cef5f0bc0461873b814161f65a2ad |
| SHA1 | b5cbc2c81fc667662f3e63ac586a06e06524dd49 |
| SHA256 | fc2b871201788f63fc8969f42384959b92c23915bc229232c181c1b25e2f7982 |
| SHA512 | 0275c8ffa3471e57c95da6f412de6f7999e2577d230b6f3435979a735fa0319da4f2994ec2eb5e0e11273cb80ef6bb40756f7f9e218ed654d01ec4ddc24b0874 |
C:\Windows\System\HGniUjs.exe
| MD5 | 8a57c27852633556990c936dbb8ebe48 |
| SHA1 | c6772df46dee6c34fcbad590c64a707182eca2bc |
| SHA256 | 6a8baf96870e80b81af180ef40c057b22efdd8cb40c61e825d37a42797ccfcbd |
| SHA512 | ad9249d53057fb136cd4aa75ccae4efa0d1dd1271f0b5d3a3a489ce1e160dc50c310207a3dd81f0db781943f85d8caa40ce6445b20eb82e95cbbacbbf5faec42 |
C:\Windows\System\QWVdeqg.exe
| MD5 | 8949e52dfa5f4c2902d97ebffd0ae1c0 |
| SHA1 | 4296bd4079841c0a4c87bb2c1f15a30c74a9f81d |
| SHA256 | 09e76ba2d90e7c67f489ba3b6bbd1e3cefa9ee6f42ca61258fa5107409517d86 |
| SHA512 | e42909aa7095e68a1b2ef89ed2ed6ddf64025c5c3b522d16258431bfe32240f23215ad8459e104fb64001c7f776ffc214adfdd652fd6449c01bf68ab8b77b20d |
C:\Windows\System\WhZfDxw.exe
| MD5 | a6194c4e0af6e6ecf5265365afccb48d |
| SHA1 | 098d1970e6d5c71ecb52a7399ed0da70f3bb37e1 |
| SHA256 | ee1e7065701a1b338541f962eee5e8cf87a5dfdc8dd21e19d6b486c7c2df6b08 |
| SHA512 | 743e43464c86d598f1b1c1da8123d0406800b2bffd092c5723ad5de036dc6266b13abb62d4e891e2823d82af2735e8e98bffbb926c7867abfa7df0aa2234ffc9 |
C:\Windows\System\TcovHfv.exe
| MD5 | b55ef8e0cce7d776385f7a663495e2ed |
| SHA1 | 735e1b262755238bfa4d0ca2da34cbe3eab77beb |
| SHA256 | 6cd215d30f0540277279191555e72183a5ca3a7def394888f8776e0cf68c1d57 |
| SHA512 | 7615d4f57d3410181bf4c05436fff90316bcd27a3df4f4530caea8410018975722ea9bf7c398028dced45a1e693e67ed1be2ad0407a51c6340c53e6dbd18a94a |
C:\Windows\System\ZMynxrp.exe
| MD5 | 264994f620f47bb519839ef2660248ef |
| SHA1 | f9ca76cf6e3d21b53ad1cad79711f55c92eed029 |
| SHA256 | f3f1ea74701fcded09cdd4dfd71aa8a2b8fba033d6aba248224b026212668713 |
| SHA512 | c1e10e4824ea417f259744e365fe2013c89000c12111c86821075de841c82febd7c7de81ceae55bc5db9beaab9538a71ec19a3de15b52b273f90da2a858a4a28 |
C:\Windows\System\GCcKkCN.exe
| MD5 | fbca98362e27566b659da0a6693f3bb3 |
| SHA1 | dec4b89bebc0af02c8b15a763ca8324aa7e80283 |
| SHA256 | b28fcdac8afa569b2ad1d4bfea759734310d3d71d8ba1e0ad1d437a649c966eb |
| SHA512 | c4ed3e57964b3a4851d00e1978b2dc4b0ef074d30be7aa6bf40e9d31d4ac60ec9403ec042ef5c5528ed0f772f8a97de9661d21941d07d01ce7d2da6ed820ce7e |
C:\Windows\System\xmWpVln.exe
| MD5 | 6f5d00f64858b7959c20b789aa2b43ef |
| SHA1 | 840521e64214a4791a9b66ec770d1d63337e2ac6 |
| SHA256 | 1215e771aa37a1d253e47db0c4906be7eeed16b296142f8016682d53dc3a5570 |
| SHA512 | 30d0ae9052a4013517ccd3e7d07bb5677cabdf4f15b8057c5f4250334cdc72aa29eaaf9450b87ed5912a6920c1274ab0553011cd2f525d4a0efa69be26798b77 |
C:\Windows\System\kWDNLuI.exe
| MD5 | 470c822166cb8a5730daef4fc67b0369 |
| SHA1 | 422f7a2d0d3aa567e0827f60064eaf6b55934539 |
| SHA256 | 220e439c7ebec889ab8b2c9761f58f43631236cfe19a518907b56cef1f46816a |
| SHA512 | dca2545456014186415df12dec7d7f3ecf0007bcde6a25d2211deafea7fdecaebe7ee848b4a4df2685afe73fc51ab52c8da30725fc7b3363f8c029d8a456ebe4 |
C:\Windows\System\LAdNlsZ.exe
| MD5 | 035369bb38dc7433bbf3084454c0a3d0 |
| SHA1 | e753ad21e77f44d80da622d214d383fed263cd38 |
| SHA256 | b64697cacaa097ccd9e6f9571b80e9309b8f6fa4661490b7cf4dc46c10998791 |
| SHA512 | e3707752500f9f62d1ed55c58cc7d1020e9c3f96e14d57a680aff5836a4d3d06927f6a0d0187f3fe961bd7c2c30c1e96c2504109f5560112fecad17b58aa640c |
C:\Windows\System\auxffal.exe
| MD5 | 637e417546f1c80cf20bb26522ae62b4 |
| SHA1 | bc5e44a9b7a30387f9940cff2eb1df479f7b54db |
| SHA256 | b37a6f7268eb48c2e95e223530c6f37873045e40dc12e46960bb1c18c0747ff1 |
| SHA512 | deea81301a6468246dfe2c7ab70e23916f9f76b949303dd47bc62da160b57890109cfaf4099a2c5a96b86db3d221f6cf3d6b9aeccf295067fe0dbd055386298f |
C:\Windows\System\BirMLNn.exe
| MD5 | d616c82a43b582913b15b54d6bde56f1 |
| SHA1 | 271d5d32f29ec35e68b7d0c46766edcd6dad4584 |
| SHA256 | 072a6077cd64f6872139b2491a83db308404d09990e24fbc17a087e13a08c858 |
| SHA512 | f1169530607db95b8031d9dbcbb08a4490163725baabaaccedaa4b96e3b7d40aef8cf94d0d79a88b046ddef95608f001cb332a4cde041ee4c79468c05175e87d |
C:\Windows\System\xrCcMMv.exe
| MD5 | 3c7917988a1673239a8640af55759f22 |
| SHA1 | 35331c77e6df944a39deb8e626512ecdb86ae03d |
| SHA256 | f94f009050eeb639998d005dc82464dbbc134b86874b6fea8f8b98984c76ab71 |
| SHA512 | 43c682288cd0eab808622e4e78bcda987cf6f0e20fcec656e042fe90faecb3481fb8314921bf9b1b6805944394968f64bafee4b9c214581ea245c4661c5d0212 |
C:\Windows\System\ohEhELp.exe
| MD5 | ef2542bcc3d1c99d55947ed6343cee1c |
| SHA1 | 34933b0fe78c6f6996e05179e097a6fa15f157a1 |
| SHA256 | 38391ed40efc23961566f20a30ccf940c5b30c7e3b8c0d6e7b57de4413c88c27 |
| SHA512 | 9f79c2c41a499d90f8fc509cec16b00b6a44ff28d9995763b08e59c73f5acfe8b745e02e4ce2ccd32cf4c30f2c0f8c3487f119548a548d3f6ab2bebd24c6c3f9 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 01:40
Reported
2024-06-07 01:43
Platform
win7-20240508-en
Max time kernel
145s
Max time network
152s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\EtzunXT.exe | N/A |
| N/A | N/A | C:\Windows\System\ULGTYBI.exe | N/A |
| N/A | N/A | C:\Windows\System\EsKpquD.exe | N/A |
| N/A | N/A | C:\Windows\System\RgWNHog.exe | N/A |
| N/A | N/A | C:\Windows\System\mAwTfAf.exe | N/A |
| N/A | N/A | C:\Windows\System\VKosYnJ.exe | N/A |
| N/A | N/A | C:\Windows\System\UboLdSc.exe | N/A |
| N/A | N/A | C:\Windows\System\ZDjZyXo.exe | N/A |
| N/A | N/A | C:\Windows\System\tElOZEz.exe | N/A |
| N/A | N/A | C:\Windows\System\hsSldVs.exe | N/A |
| N/A | N/A | C:\Windows\System\GLrPXxh.exe | N/A |
| N/A | N/A | C:\Windows\System\HHeHorJ.exe | N/A |
| N/A | N/A | C:\Windows\System\dnKBaBM.exe | N/A |
| N/A | N/A | C:\Windows\System\XMIprlW.exe | N/A |
| N/A | N/A | C:\Windows\System\IEqAjNk.exe | N/A |
| N/A | N/A | C:\Windows\System\olunaIt.exe | N/A |
| N/A | N/A | C:\Windows\System\RXWnKsT.exe | N/A |
| N/A | N/A | C:\Windows\System\zfgwmjG.exe | N/A |
| N/A | N/A | C:\Windows\System\pjoUwRe.exe | N/A |
| N/A | N/A | C:\Windows\System\kfrRdvP.exe | N/A |
| N/A | N/A | C:\Windows\System\wzGZENe.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\EtzunXT.exe
C:\Windows\System\ULGTYBI.exe
C:\Windows\System\RgWNHog.exe
C:\Windows\System\EsKpquD.exe
C:\Windows\System\mAwTfAf.exe
C:\Windows\System\VKosYnJ.exe
C:\Windows\System\UboLdSc.exe
C:\Windows\System\ZDjZyXo.exe
C:\Windows\System\tElOZEz.exe
C:\Windows\System\hsSldVs.exe
C:\Windows\System\GLrPXxh.exe
C:\Windows\System\HHeHorJ.exe
C:\Windows\System\dnKBaBM.exe
C:\Windows\System\XMIprlW.exe
C:\Windows\System\IEqAjNk.exe
C:\Windows\System\olunaIt.exe
C:\Windows\System\RXWnKsT.exe
C:\Windows\System\zfgwmjG.exe
C:\Windows\System\pjoUwRe.exe
C:\Windows\System\kfrRdvP.exe
C:\Windows\System\wzGZENe.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1932-0-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/1932-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\EtzunXT.exe
| MD5 | 12ceda513f79b255b10ec326eac2857b |
| SHA1 | 7afc636c2000c7bdd96bf99961899d3c3fa79e17 |
| SHA256 | c68dfd1d16c07989b33bf62b23fc0a8e017b592b2e8e2c4a9b6a84715a2fce5a |
| SHA512 | 1ff2360fc4d27969d264c1634d5200b4f021810821324250c6661d988f321257e7298626a7a91b52b2b315bc74c08b02e54c4839c04fdf8c0eacc6682ac2d49f |
memory/1932-6-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2068-8-0x000000013F7B0000-0x000000013FB04000-memory.dmp
C:\Windows\system\ULGTYBI.exe
| MD5 | 3055876544b08296b315a8fb0c18b5eb |
| SHA1 | 47298a50083e263dff5a7e989c9c1df2b9c2d5fe |
| SHA256 | 53cebc46774bc17cec9ce31fa0b455c5d499bcd3dfa20dce0135420db1bf6fb8 |
| SHA512 | a7114439c44992629206428a38f6ec0cb53c9d3d8c650d49bce2b725d6acb1a5091f0291adfb082cd1bf29dae72b0e0a9ded0b5f7f95feac74b40664868eb5a8 |
C:\Windows\system\EsKpquD.exe
| MD5 | 0bb562c327e0d21ebf0d899c61e56968 |
| SHA1 | 70e8805c3c90f80a56a2af4f01e0e9897119fa0b |
| SHA256 | a9c366a56f08b454ded0902a227a68f40f6edd9b6b61711f47ac503e70160598 |
| SHA512 | a345d805b32bd09fa1e3350cb674e3a2d4393e5751eb65ec62f8a71606bf000a35eafc7b28c2581cbd3826d140500c9ab44305b072f606b042daddabb403a5d5 |
\Windows\system\RgWNHog.exe
| MD5 | 77ea7994f712ca414aa3b434f3175ca0 |
| SHA1 | efb2d15c0b2b53b621a8010d0274fc252797d70c |
| SHA256 | e8c81afa1c9c37b9a427943432c74b96dadc5ec306486d1f9d78f21954c8f75e |
| SHA512 | 9593ef09240011950b088ebfd98942620b64fc68635796f89efb04962e31f84ce55f1202696f1ca6a1faa86655dcb032ce21a65ad81433a07f2db22ba4cef97c |
memory/2576-27-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/1040-28-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/1932-25-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/1932-23-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2756-20-0x000000013F700000-0x000000013FA54000-memory.dmp
memory/1932-13-0x000000013F700000-0x000000013FA54000-memory.dmp
memory/2664-36-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/1932-39-0x000000013F520000-0x000000013F874000-memory.dmp
memory/1932-35-0x0000000002510000-0x0000000002864000-memory.dmp
C:\Windows\system\mAwTfAf.exe
| MD5 | 047a8c73e7ef97f6e51db319ca9edc5a |
| SHA1 | 419d62e6ed5d496d65ac1a76d5715e9fa7989b43 |
| SHA256 | e42de31a883f6fe72e264cfa862ae40307dbb5cacacef3a0858041c1210bc3ef |
| SHA512 | b7c2b42b74ea572265e77899459935ce6c17eba3f7b1c52e449f48e51c540e05fb1220a30bc66ed2b34849e6b317a53882bac060d130f2a3e1c02971475980c3 |
\Windows\system\VKosYnJ.exe
| MD5 | bf269a78c19cae1ddb59a40a26beb9b8 |
| SHA1 | 5a36f3ee7b36293ea22a1165c9436212a4c08523 |
| SHA256 | 178e6b9c3ac403e5b26f2c1a1d2e9f7881d95049ee40f986fd68274eb7fa9636 |
| SHA512 | 61a5ed5a2d6d8824555fd85fef06fe53fc4f13d3e2c27d3985f80fd2b39127bed7220394fe8d11a90e30a6466392a42a905a849631008c14909f7b056f7b1843 |
memory/2480-44-0x000000013F520000-0x000000013F874000-memory.dmp
memory/1932-43-0x000000013F1C0000-0x000000013F514000-memory.dmp
\Windows\system\UboLdSc.exe
| MD5 | 66f1a6f180b4051709a0753273017105 |
| SHA1 | 2e717e020a62675665ecde92410eca54c0d66239 |
| SHA256 | 78b9d2b29c8bf28fa3d44bba501dba39d9b222afb3e2ade4fb912b298b1ab933 |
| SHA512 | 26af3863296609e816a837f4efa9aed47d9f6653183d6901a40cf4b22423308fc3ddbef135a362c1e2ff4d7cf7e00f45039dd5933b57138416e6ce0078b7c233 |
memory/1932-59-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2484-60-0x000000013FC20000-0x000000013FF74000-memory.dmp
C:\Windows\system\hsSldVs.exe
| MD5 | ec9376e574ab59d846b8071e318b3186 |
| SHA1 | 5c7fb16075770955ddedc912b77a784a4b323af9 |
| SHA256 | b394b8bc2ab5f3dc7c450cacc02d70f837f16aed38cf346ba52743bd7ab14138 |
| SHA512 | 37549c2791bb9f8871d6960c88da2a5367e9dc530fa5304eb3cce6b60b46fae0de95ff46f69b0ccbec13f5ce2ed8d007c98e16d7fd745348470d09ddef7e7708 |
\Windows\system\tElOZEz.exe
| MD5 | a2173df71bc6d190bef3f1c1710ea2e3 |
| SHA1 | a70bd63890270ce605be68de0fd826252c2aed2d |
| SHA256 | e25bbec886d2bb79bcd65981671b233d2de704b280f0be243f231caa19e5959e |
| SHA512 | ef17cffd1dee096ba6ffacac0bccbc86ac7aa439e59c175597682135f2ba032509dc347f8ab264a3af578d7db1ffa3eb8e2ae1f7f8427d6de617122b5a1a8ef0 |
C:\Windows\system\HHeHorJ.exe
| MD5 | 23258638437131e687aa042ab22ae726 |
| SHA1 | d50ae3e481ab807b36dd460b60b253018ba8962d |
| SHA256 | 3a7e337efa52de26aed99ff9256441bd5639417fd2bbeaaa55119c3eab308b14 |
| SHA512 | 2c59471edc7cf8226a56fe990b86c3043cad0ff397f0d7f0466844f6fa9f50fd9cc257703767fcd79bfc7c12bb019156dc7f8c1047638a298e9e7f947e79a5e4 |
memory/2540-89-0x000000013F6E0000-0x000000013FA34000-memory.dmp
memory/2480-102-0x000000013F520000-0x000000013F874000-memory.dmp
C:\Windows\system\kfrRdvP.exe
| MD5 | 298aff57955bc9ac0483874eed999726 |
| SHA1 | 0e7a22e6c5ec67fad831d9d136e6deef95e9da84 |
| SHA256 | 04f42abb727805d4be93f751f5d479deab96fd228479563e84008c3ea75ec43c |
| SHA512 | a0b19c4953843a844f2e3ab410244eb39fb11ed7198d2e1c32bc47d84826ef1089f0b19b1fc0a5fe239980d0ab32116376c484d60a136575a4d5d107f57f88db |
\Windows\system\wzGZENe.exe
| MD5 | 6bca77fa312adddaa6ffeb9ac5dd7e1b |
| SHA1 | 1a9204f7d04874bc1ea981edd6290d4cd2a73c61 |
| SHA256 | 591a69a367f15471f3669629dcf7312514ca886fcb719758eedfff1ccb30ab31 |
| SHA512 | dec5864dd71f2773c82a54edde6b4323c37b3ff36c682dfb49ccaa45a4d19136be1596fd3a1dd538910d7284a9a0eb48d064fa3af8acb630ce541f45eb4bca99 |
C:\Windows\system\pjoUwRe.exe
| MD5 | d0e47f9abba739955435deb220d69916 |
| SHA1 | 1719385558a416722959196142b9103b054cc7e8 |
| SHA256 | 177f9ee2514bcb08831222dcc782c2b3a69edbf62157d34ba0b3bbe42211f8e9 |
| SHA512 | 59d326f26ea74efca34af809d901b7f60432301f286d43f007c3b24cadc133ef1e40ffa6331ebd325e19e08971d0494cdb06a27e09d1f9f86f6dde44257ff3f7 |
C:\Windows\system\RXWnKsT.exe
| MD5 | 5391207a754324e08c15d43a7b5f26ac |
| SHA1 | 3318486efb35c33aa44e31658b206b47838c8392 |
| SHA256 | 4f5c7c2271a9219d5c1acf6a95f948faf321dc5cf36beb9d7df58c89309d2245 |
| SHA512 | 6b40d691183cdee95b0149750dc698a3fd0653c7c3f8e6080be5fdcb08beb5b47559b074ae003e075d77c11aa3fae98da28c5145e8b577c91a3cf84c9f3761a3 |
C:\Windows\system\zfgwmjG.exe
| MD5 | ed02768bac54388f5a354845fa38841d |
| SHA1 | 7cc78212e8b761f5db8dee3d724b8c0a6b52e9d6 |
| SHA256 | ae89f07c790516d444fb5ed5820c7d2376b9a5a6435a2d0a17a89584652cfee3 |
| SHA512 | aecf30f10ecc9f24f44c86ebca0e96c2d359293eb4a3a1001153f16d602e24aa1a61128432474b74edc78e5f4acf8866e12a96f01a0f990b7076680dff3ec34d |
C:\Windows\system\IEqAjNk.exe
| MD5 | 212f38d534364701f1b1fade0d1599d7 |
| SHA1 | 84dd1d9acbd03c62e27c55ac679d1372fb6bd171 |
| SHA256 | f74513649caf90da502284fac6bec09a8fe8fdf87a82aee8f146897b17c3578b |
| SHA512 | 76571d277de68b317e4f06b837b6d43232c97ef8874cc59e54f358dc676f8696de113c45db9b7a8611fec981378059cc9c76cf7e80dc91f83b06df17dd026891 |
memory/1932-108-0x000000013FDC0000-0x0000000140114000-memory.dmp
C:\Windows\system\olunaIt.exe
| MD5 | d5f67696d796d4bd9d438df41c96b8a9 |
| SHA1 | e12f75406963fa1552bf4592b9d07b2ce53aeff6 |
| SHA256 | 10d2cc5fc91dee32711d345d517c664b65125a8d83909deb70eaf7bcf71b601e |
| SHA512 | 80d0d05f689add39c00f557b9c8b99c2e22099a3314a3a78f04d8bf6f1af85ec19b477f650ef336aa0eb9498e1c365764dc7778b8c0c404bcf59e7320bfe7ed0 |
memory/2212-103-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2712-96-0x000000013F550000-0x000000013F8A4000-memory.dmp
C:\Windows\system\dnKBaBM.exe
| MD5 | b3972ac9cb536424c56ca6dc2842f2f0 |
| SHA1 | 4431e659ee4ed43cfc5108da9136edabd39e4657 |
| SHA256 | 29ee27f8e5c759122590fe09f20afa4b79d36befacbff355a7aa9b9cb1590ad8 |
| SHA512 | a866f6c9c95b223cfb4c31c6a98be1c62479a606b09e69662d9bb41a07ace7230f0d586866229e8b91e7b8949baf4bc2f5ec218d2a9fba530631db16158c3abf |
C:\Windows\system\XMIprlW.exe
| MD5 | 6b41cec5878a2ad4f0e3f59bd9792f95 |
| SHA1 | 3db56774a61383bade8945f5c11a9f6f62122d11 |
| SHA256 | a8c28b1bb20a8d626da94e6334c3da5d6b30c9d51ac276998ae539fe3a8fdefd |
| SHA512 | dd2e4fd0075aa56cbfebddff87e7ce54127604153c001bcadb057454eee5e3e5218ceb368ca0996e941607e848d3fec95420c3cc9e917c831ce89585789474ad |
memory/1932-88-0x000000013F6E0000-0x000000013FA34000-memory.dmp
memory/2664-87-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2128-82-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/1040-81-0x000000013F710000-0x000000013FA64000-memory.dmp
C:\Windows\system\GLrPXxh.exe
| MD5 | 15d36d0e8789763565c17db4afd25d83 |
| SHA1 | 6235296f1314af1ba17bf41b3da0c3517775c5e1 |
| SHA256 | c688de26d4838cd75483f01495704195da9b28f6c0bd088b1bd5e2452e8f36c3 |
| SHA512 | 1d62481c651a0b3f86c7a657a67fc034993ef3692f8b19936c85f9815cfcf3fbb9cb80acb5f29be896ae642860d3488b639bde1f1ccca89055cdcd56b8d102bf |
memory/1932-77-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2896-67-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/1932-66-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2072-73-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/2484-141-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/1932-140-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/1932-72-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/2608-53-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/2068-52-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/1932-49-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/2756-58-0x000000013F700000-0x000000013FA54000-memory.dmp
C:\Windows\system\ZDjZyXo.exe
| MD5 | 2807f5d9916f6c1b57a0ee5d4bdbf967 |
| SHA1 | 58683066891c9e5d10e7384fe9db49a2f9185c9e |
| SHA256 | 3cb02df24209cdb78955e48db23895b9f90f452a0f28408545c8e52bfa747dfd |
| SHA512 | 6c3d8563029bb5792554c5567396a39605d306a0ddf4e510948a3b9d35e5fd485aa06a507b4ddaf95e119c3fa46dd420ac2cbfbd057089c102d6d13799246045 |
memory/2896-143-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/1932-142-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2072-145-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/1932-144-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/2128-146-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/1932-147-0x000000013F6E0000-0x000000013FA34000-memory.dmp
memory/2540-148-0x000000013F6E0000-0x000000013FA34000-memory.dmp
memory/1932-149-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2712-150-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/1932-151-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2212-152-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2068-153-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2756-154-0x000000013F700000-0x000000013FA54000-memory.dmp
memory/2576-155-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/1040-156-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2664-157-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2480-158-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2608-159-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/2484-160-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2896-162-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2072-161-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/2128-163-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2540-164-0x000000013F6E0000-0x000000013FA34000-memory.dmp
memory/2712-165-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2212-166-0x000000013F8F0000-0x000000013FC44000-memory.dmp