Analysis Overview
SHA256
22ae0182924e0e496ff9ac822afbe6a212d4a4be1d924f577ca85a4f929718f6
Threat Level: Known bad
The file 2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Xmrig family
Cobaltstrike family
Cobalt Strike reflective loader
XMRig Miner payload
Cobaltstrike
xmrig
UPX dump on OEP (original entry point)
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-07 01:36
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 01:35
Reported
2024-06-07 01:39
Platform
win7-20240508-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\QnEWNCZ.exe | N/A |
| N/A | N/A | C:\Windows\System\uzDUBiC.exe | N/A |
| N/A | N/A | C:\Windows\System\bIcdnCV.exe | N/A |
| N/A | N/A | C:\Windows\System\rDXFENw.exe | N/A |
| N/A | N/A | C:\Windows\System\ruHHgMU.exe | N/A |
| N/A | N/A | C:\Windows\System\iaknlkg.exe | N/A |
| N/A | N/A | C:\Windows\System\tdrmdbl.exe | N/A |
| N/A | N/A | C:\Windows\System\jXJyUoy.exe | N/A |
| N/A | N/A | C:\Windows\System\BXdiMgd.exe | N/A |
| N/A | N/A | C:\Windows\System\JQvaiOw.exe | N/A |
| N/A | N/A | C:\Windows\System\XPJNcIx.exe | N/A |
| N/A | N/A | C:\Windows\System\DZJxehs.exe | N/A |
| N/A | N/A | C:\Windows\System\ShZsdNR.exe | N/A |
| N/A | N/A | C:\Windows\System\ltLBRrp.exe | N/A |
| N/A | N/A | C:\Windows\System\jZnCOcN.exe | N/A |
| N/A | N/A | C:\Windows\System\aWbSfiG.exe | N/A |
| N/A | N/A | C:\Windows\System\iRYDJQr.exe | N/A |
| N/A | N/A | C:\Windows\System\QtDLmpy.exe | N/A |
| N/A | N/A | C:\Windows\System\HiWtivX.exe | N/A |
| N/A | N/A | C:\Windows\System\emgdVmp.exe | N/A |
| N/A | N/A | C:\Windows\System\JLyJTGX.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\QnEWNCZ.exe
C:\Windows\System\QnEWNCZ.exe
C:\Windows\System\uzDUBiC.exe
C:\Windows\System\uzDUBiC.exe
C:\Windows\System\bIcdnCV.exe
C:\Windows\System\bIcdnCV.exe
C:\Windows\System\rDXFENw.exe
C:\Windows\System\rDXFENw.exe
C:\Windows\System\ruHHgMU.exe
C:\Windows\System\ruHHgMU.exe
C:\Windows\System\iaknlkg.exe
C:\Windows\System\iaknlkg.exe
C:\Windows\System\tdrmdbl.exe
C:\Windows\System\tdrmdbl.exe
C:\Windows\System\jXJyUoy.exe
C:\Windows\System\jXJyUoy.exe
C:\Windows\System\BXdiMgd.exe
C:\Windows\System\BXdiMgd.exe
C:\Windows\System\JQvaiOw.exe
C:\Windows\System\JQvaiOw.exe
C:\Windows\System\XPJNcIx.exe
C:\Windows\System\XPJNcIx.exe
C:\Windows\System\DZJxehs.exe
C:\Windows\System\DZJxehs.exe
C:\Windows\System\ShZsdNR.exe
C:\Windows\System\ShZsdNR.exe
C:\Windows\System\ltLBRrp.exe
C:\Windows\System\ltLBRrp.exe
C:\Windows\System\jZnCOcN.exe
C:\Windows\System\jZnCOcN.exe
C:\Windows\System\aWbSfiG.exe
C:\Windows\System\aWbSfiG.exe
C:\Windows\System\iRYDJQr.exe
C:\Windows\System\iRYDJQr.exe
C:\Windows\System\QtDLmpy.exe
C:\Windows\System\QtDLmpy.exe
C:\Windows\System\HiWtivX.exe
C:\Windows\System\HiWtivX.exe
C:\Windows\System\emgdVmp.exe
C:\Windows\System\emgdVmp.exe
C:\Windows\System\JLyJTGX.exe
C:\Windows\System\JLyJTGX.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2188-0-0x000000013F530000-0x000000013F884000-memory.dmp
memory/2188-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\QnEWNCZ.exe
| MD5 | 2f98881cfc990f1b2cf09753ea386c26 |
| SHA1 | 5d54e2d771587c7897d7c81d5f1c63570e1cbaf0 |
| SHA256 | afce25f9cc130e20c6607660476f3c9deb74966f800bbe9b70439af43b0388f4 |
| SHA512 | a8d5f9d1aeabf1dfbd6c23daba0e8e28bfee31f5c9133f6d1a26e0758c8b2bf3ab52b9cc4426982a29b44347e45712ea2e28b2cbd7375653d863738a3d428b13 |
memory/2188-6-0x000000013FD70000-0x00000001400C4000-memory.dmp
\Windows\system\uzDUBiC.exe
| MD5 | c74d441a4f44ac1204b8ed5e1e27862d |
| SHA1 | 816d542d9cbac1d5c157384690360bd22b95c4f8 |
| SHA256 | f96f8099c4b485b9ecf84e822ffcf2e9ba4aae1c2ad310862eb162001e78d18b |
| SHA512 | b23b5341ab94eb2c1838817c71168c7b2fb0a43eda23c7ddc19aaf2718ef71a2ceea9939aa58a7846a24fadd1e0e3f3e306d1609c90facef4e89f20042b03c79 |
memory/2580-14-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2188-13-0x000000013FA80000-0x000000013FDD4000-memory.dmp
\Windows\system\bIcdnCV.exe
| MD5 | bfcf09f83c2a775831bb56d43cec5116 |
| SHA1 | 0edaf821032e58c77b9bc50f9069f0c215e909ea |
| SHA256 | 192b0e166251c18baf7a0337a9d580f3eb21a13992e4dac88ee3d8dabb0abf96 |
| SHA512 | ce17518b652efe729f833d99b7e190adbaa0069310c6639edb8f9dbac0a9a60ac99a7d5286017d703ed711ee849663cdca4443d59a0db1e29365e947f725686d |
memory/2688-21-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
C:\Windows\system\rDXFENw.exe
| MD5 | 6fc1d2a6aa4e5fec1598640195150caa |
| SHA1 | 163971d08fea512c74e8dc6194438875b3a4e2dd |
| SHA256 | c7702a558c524dcd71e1b49a725b4d00424bcfa78922fa47fa3df7ad8780489b |
| SHA512 | 32242bb3972b6c84fe04251d691d74728217a6789799a7b9b70417f9c92fed40204f2a0597f504eb1e15f95e5fdd6bfa9b9cbc89671f004164b2844ac1ca4ae4 |
\Windows\system\rDXFENw.exe
| MD5 | 75b056ed26af3dd8175f087453210e07 |
| SHA1 | 01ec4420ddf81a3aa40efe58b4fd95ac05074785 |
| SHA256 | c4a3e2d0d64d8057e975a002c9bbbeea9ac085879a454bbbcb7e77be9e565aa0 |
| SHA512 | 21b7f49530894fa75253ba677395d4d87aad8207b9e86919a14ece6188cd9894bb462d89bdce3e7bfbcd82a57316f9e27b5e3045241bb38c0970c740b55cc720 |
memory/2616-28-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2188-27-0x000000013F040000-0x000000013F394000-memory.dmp
C:\Windows\system\ruHHgMU.exe
| MD5 | 9f44562c257f67d1a2ffe2263147667c |
| SHA1 | bf94f63c4e98258e1de0c2b4a1660f5dce9e5a46 |
| SHA256 | 7f54c2f94cc5a831aba0fafe9e2c552f6088500473085697b72b89f2880b8ac8 |
| SHA512 | 6272a6226fb2ed4f4df04a10a82dbb4d7c7460fcdb440466e5eeb8108cb023dc1dd5ca7a2fb5c453de850d4c363f116b864a00ec0200d8ff14ff6a6d8df02d5c |
memory/2188-34-0x0000000002360000-0x00000000026B4000-memory.dmp
memory/2768-40-0x000000013F5C0000-0x000000013F914000-memory.dmp
C:\Windows\system\iaknlkg.exe
| MD5 | d27fbca55fdf93d34ffc9e6b0a189308 |
| SHA1 | bc09d89f2565019abffcd23e80018e794f9ae340 |
| SHA256 | 89dad0f69137c63f0db6b79c59d7aab10fe49e5156208022a8663297126aafca |
| SHA512 | 067204cf6f10e7c89897d6a4d4026fa8523b70497cc02d0284f1de41d2a3a2692b0ff2b0a2a93824e00fe003a34335b12b612531fcec384fed77a5da02acd30d |
C:\Windows\system\tdrmdbl.exe
| MD5 | 5f0d1e340dbab0a99ef8f234ca52982b |
| SHA1 | 0a66ed143533c563519f5b6f43eff6174f409321 |
| SHA256 | 80b125d2da7f82b737b90eadf69c3d5f2cc89e96ab792b6fbb7190753a631cc4 |
| SHA512 | 2ed6e509fd4bc361d11a8e07c5c40efd04fd988fd521eda76ed805767d20ddb37af23eaac6aba9efc6689705c7713f3a97e277afc92e44cc087b6b1d3796c7cf |
memory/2772-47-0x000000013F6E0000-0x000000013FA34000-memory.dmp
C:\Windows\system\jXJyUoy.exe
| MD5 | 1fc0ec112fff99898da4260928ee6e5b |
| SHA1 | ef56b99dabd5c58f33898c2ab4e477d1735b0cdc |
| SHA256 | eecbe80f971badca9103556b4edddb5944770b772770dcffeec9dc97f98804ac |
| SHA512 | b94ac5db4b4f08866c9e2729a7247a93bd88941ed81a96c3492981f8d3686f3794a0dea7199814b57ac20f4102f15f17fc334364a22bb92920812841cd27987d |
memory/2468-54-0x000000013FD30000-0x0000000140084000-memory.dmp
C:\Windows\system\JQvaiOw.exe
| MD5 | 5f14a23df7a5fb0b758d823e83ebf77b |
| SHA1 | f91c6106fcc1d15ffa95e55ab8736d47b0737eee |
| SHA256 | c28b4757468f2f6e48573184889695e504d309bc388c48220c11c56073389f20 |
| SHA512 | 890bbf049d2252c523e9d17dbaac81fb27a692b1422be3ee8124e387967d4d490b10ad41e79fb6a4d9f38aad21236074922162f7e2e3eb4d53b8a62eb65fc2ee |
memory/2580-65-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2928-67-0x000000013FC20000-0x000000013FF74000-memory.dmp
C:\Windows\system\XPJNcIx.exe
| MD5 | cf853a651c7bfe656ba9989cd09c205d |
| SHA1 | ff8bb95a2ff9626be6197a384e1bdefaf3707c1b |
| SHA256 | 5ec65aeb845878d4ff0c19961b8703eb8626445b3522f158881b49226e1547cf |
| SHA512 | a01de9280df84f5fd01fffee8e734b78b5d41dd805ee783f7eb5d6e3ef57f2bac353b2c47e02e620166be8647923d2b2847a927ca9b90032335b2227ab0fafaa |
memory/2532-83-0x000000013FE60000-0x00000001401B4000-memory.dmp
\Windows\system\ShZsdNR.exe
| MD5 | 0c4fa25607b4370165ec346f1ab5cf33 |
| SHA1 | e793a93cf0e5f3e380ba686a46b04e292ac07498 |
| SHA256 | f680fd2e7e49c6829b698cc5e2e48b3f3ec8ee78dfde1c28c492f9f7a1d1aa8a |
| SHA512 | 57cf1299c34833ccdb24babcc7aeb948098cf922afcd315f5a5058d132d8d7c108e23a581403cea07290b7bffcfee0f7a4aa118bae4b90c90b7ccd5b4bd86e46 |
memory/1220-89-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
C:\Windows\system\emgdVmp.exe
| MD5 | 03686cfd6bbb43c8ac4dc50889b137b9 |
| SHA1 | 6800d5588f6a43ca169ee2c40a9fceeb5a54e5ee |
| SHA256 | ca47b446aecd91112038d34e552b47a5f46c4644080b07ddbdc37007b9159471 |
| SHA512 | 529d5e858f06c4743cb789c3a961b0d51ebcf4e4349ad70aece2c30ac43062a7b4932080525c55fc8af3690ae2760c5e4efdce79b5b27264e9b359474abc77a2 |
\Windows\system\JLyJTGX.exe
| MD5 | 6e20c1464f2f11359d03740e39e646c8 |
| SHA1 | e90209ae46e403e71a97b0f056c5611d8850af0f |
| SHA256 | e9593ce32c1f94db36680e392134bf6ea24ae6d0ede4ec413f37566a5f2d14d1 |
| SHA512 | 3c5d83e738534c4ac0713b5c116bdf631b564cab66985488e774409d89d4217b15f7b4d1125192155a4943ff3a81fa41e606de408ffb1a46a6a0a426634ea7fe |
C:\Windows\system\JLyJTGX.exe
| MD5 | da49f1b1f2b96b49705866203751f59f |
| SHA1 | 1fb490e694febd4abb5609eba7058906c7c62fc1 |
| SHA256 | db17ce16538e3104d76c2865f6043929089867615332842fb4539363fa1e158f |
| SHA512 | 64230d121060a4ecf7e8546c8f3f841eea180c2377add458625a54155c0dd3d899c021538950ea3047fd426aed50dfc97cdf1f7e2bcab143f2777fd079bf8bf0 |
\Windows\system\emgdVmp.exe
| MD5 | 51c3be54698bae34dd22c5833ed27085 |
| SHA1 | 6c9f3d2ab47c8eb8b8dc993166a353e75dc2899a |
| SHA256 | f13d717ad42883dd299204fdebca36fd0ab0debd3d47577dd9ab295718198ba2 |
| SHA512 | fa27b8ec98c577763e831feb9ec37dc43f024bb8e7678afaeba089ac4e3cdc83aca81e417a6f9e900a2b4b1ca409f1b778fb4856a0c26573a88dad58c2d1a8f9 |
C:\Windows\system\HiWtivX.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
\Windows\system\HiWtivX.exe
| MD5 | 520306f0af217a723b94881629ed2c1f |
| SHA1 | edfebe61571cd3958f1312a9985e7616d97f5058 |
| SHA256 | 753b1655c90b67a0e9ef8ac7f9ad5137a5f68ca7523e64de621b55f82736ad40 |
| SHA512 | 9ac6a96dd03c1ec975477a89483a2d662a3a654c6c49304a4eef6675c320419be317a4ea86000c6b38c10beb98f86f51309fa6427a10328bb6e8081fbc42222e |
C:\Windows\system\QtDLmpy.exe
| MD5 | 0628374c349921c969043e8b725a574d |
| SHA1 | d4d4b61d7abb11c25e423140f9a833a035819e3d |
| SHA256 | 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0 |
| SHA512 | 2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1 |
\Windows\system\QtDLmpy.exe
| MD5 | 1d51a6f9f8f706d40a78f27cac287065 |
| SHA1 | 981c2096ede4558d1ebc91ef5d6ea849a5e05a26 |
| SHA256 | 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1 |
| SHA512 | f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97 |
C:\Windows\system\iRYDJQr.exe
| MD5 | 19e6e210ca2246e2be55acb25719f830 |
| SHA1 | 5a2e0f6788591a265faa9e44f498b03fd3de145f |
| SHA256 | 0643848649217009ea5912837c2301db5fc1ad1347c922926313c273164a866e |
| SHA512 | c310ba292e81a19c16bb7133e3b95ce7f0182cd5c81cd8761a5e391c1814b6d2f54bdc39edfc5835b48a1632273865321109bde234482f132fa88a12c94d4019 |
memory/2188-102-0x000000013F1B0000-0x000000013F504000-memory.dmp
C:\Windows\system\jZnCOcN.exe
| MD5 | 0488d3462c87a424b0d6a8fb2b58a726 |
| SHA1 | c704a2c0e57b930e44e41faad5c0301618b3bdb3 |
| SHA256 | 43808e419b8ec73c0c078b8f0d7a80937b886505b6893e435bcffdede828c212 |
| SHA512 | 810d33792c56e10f69f1173958d89cd47588f9e6aab99d864f966683595eda049b46e6d88073abaddee1e1cb6a18915bb4eb4713712ce74a268c2f1b5e03bf3d |
C:\Windows\system\aWbSfiG.exe
| MD5 | 16c173122c2e25b513000a08ba6380d7 |
| SHA1 | 9d68c32c49066d08434b12ca1639dc9b9bf972fc |
| SHA256 | 47c59a769a38bb433bc0e5c9aad00d466a6bcebbc5fc50c9e86fc35c5325f657 |
| SHA512 | 9f54dc357e4431f6ae077c90a30bf07bda9ea598605faeccad1e02b00658934ab36b2be9b810fdf1f1d09f0f89121dcffab9b83811e76e910b3cfa7f07094ea5 |
\Windows\system\aWbSfiG.exe
| MD5 | 1e2459942327eb396bd8cd9cbc885d14 |
| SHA1 | b979cbcb517509c30843efb1d91bef30f1f24a44 |
| SHA256 | 54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a |
| SHA512 | 62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7 |
memory/1616-97-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2188-96-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2188-88-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
C:\Windows\system\ShZsdNR.exe
| MD5 | e0c400b12d5be3783dd5d2957c470185 |
| SHA1 | 5084bad14945d89bce9e7a1ad1d415ff32ea3236 |
| SHA256 | f4b56b4ca4eca8834ec83aab5401fa22e308f7a8d4f333b51be3c2e7d6890025 |
| SHA512 | 88d67ad4bf7fd966314012acfd0705a7aa95b1b3ac18088f50e7d969177f6c38e4a25ef1a08c5ccdb05b37b296a28010502d2c6fef1efafdddce509cd45a8a09 |
memory/2768-133-0x000000013F5C0000-0x000000013F914000-memory.dmp
C:\Windows\system\ltLBRrp.exe
| MD5 | 38e1b7b0b9aa649f5c14f03127a6d132 |
| SHA1 | 3917ca36707cd2c4dba6b6926d34a14a7bb117b1 |
| SHA256 | ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72 |
| SHA512 | 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0 |
\Windows\system\ltLBRrp.exe
| MD5 | 8003c8ca1c6255c4a9df50b61d369786 |
| SHA1 | ef521c59d5519424152618453d9a1ec413a267cf |
| SHA256 | caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8 |
| SHA512 | 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795 |
memory/2188-82-0x000000013FE60000-0x00000001401B4000-memory.dmp
\Windows\system\DZJxehs.exe
| MD5 | dcba41eaf5e259e434c061c7cefc88dd |
| SHA1 | 5b914e18c259b1f5c8a0911020498534a3b9d548 |
| SHA256 | 544bbcea79ba4fc79521639175d4326516295527e7cd39c6f66fd391bd10ec8f |
| SHA512 | a24358d891815ff7ed9fe489c507bac23fc68ed149f6a85a3a8720f9055c1654efce8a81a64b0a7b30622658c4645f9fb709ab6acec28124b429a35a68b7285f |
memory/2152-73-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2548-61-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2188-66-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/3016-60-0x000000013FD70000-0x00000001400C4000-memory.dmp
C:\Windows\system\BXdiMgd.exe
| MD5 | 170c48e4cbe032ecd65ebbd5c279cde5 |
| SHA1 | 850de190cb8ff1c9fdedf664432cb4df366c35b5 |
| SHA256 | fe533e2709cc5f15bec1d29d86b3e4c7b13f3ad322c183105c8202b9223401f9 |
| SHA512 | 2739caab4ee557a828a191a2250074c6d2175aac3674e7cb3750ba796e80a1376326b13a6a1a05756b242b18ab9b74a3884c3b822b0a07e3e190c82d8eb6c715 |
memory/2188-53-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2188-46-0x000000013F530000-0x000000013F884000-memory.dmp
memory/2844-37-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/2548-134-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2928-136-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2188-135-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2152-137-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2188-138-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/1220-139-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2188-140-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2188-141-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/3016-142-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2688-144-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2580-143-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2616-145-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2844-146-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/2772-147-0x000000013F6E0000-0x000000013FA34000-memory.dmp
memory/2468-148-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/2768-149-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2548-151-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2532-153-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2152-152-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/1220-154-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/1616-155-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2928-150-0x000000013FC20000-0x000000013FF74000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-07 01:35
Reported
2024-06-07 01:39
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\XAApyEK.exe | N/A |
| N/A | N/A | C:\Windows\System\bRqcGBg.exe | N/A |
| N/A | N/A | C:\Windows\System\lsmnVXb.exe | N/A |
| N/A | N/A | C:\Windows\System\zLmilRb.exe | N/A |
| N/A | N/A | C:\Windows\System\fwtxXTS.exe | N/A |
| N/A | N/A | C:\Windows\System\uAtOVzE.exe | N/A |
| N/A | N/A | C:\Windows\System\MrdGOGw.exe | N/A |
| N/A | N/A | C:\Windows\System\VlnxWAo.exe | N/A |
| N/A | N/A | C:\Windows\System\xkUUgYh.exe | N/A |
| N/A | N/A | C:\Windows\System\paVrAXC.exe | N/A |
| N/A | N/A | C:\Windows\System\QnVDKyn.exe | N/A |
| N/A | N/A | C:\Windows\System\DZBWypS.exe | N/A |
| N/A | N/A | C:\Windows\System\fyNQaYx.exe | N/A |
| N/A | N/A | C:\Windows\System\pLWLluZ.exe | N/A |
| N/A | N/A | C:\Windows\System\ZdJpNGZ.exe | N/A |
| N/A | N/A | C:\Windows\System\AaEaBtE.exe | N/A |
| N/A | N/A | C:\Windows\System\QasVIHB.exe | N/A |
| N/A | N/A | C:\Windows\System\LlNLCeS.exe | N/A |
| N/A | N/A | C:\Windows\System\epWSXoF.exe | N/A |
| N/A | N/A | C:\Windows\System\IHvkGfr.exe | N/A |
| N/A | N/A | C:\Windows\System\gyGvbcF.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\XAApyEK.exe
C:\Windows\System\XAApyEK.exe
C:\Windows\System\bRqcGBg.exe
C:\Windows\System\bRqcGBg.exe
C:\Windows\System\lsmnVXb.exe
C:\Windows\System\lsmnVXb.exe
C:\Windows\System\zLmilRb.exe
C:\Windows\System\zLmilRb.exe
C:\Windows\System\fwtxXTS.exe
C:\Windows\System\fwtxXTS.exe
C:\Windows\System\uAtOVzE.exe
C:\Windows\System\uAtOVzE.exe
C:\Windows\System\MrdGOGw.exe
C:\Windows\System\MrdGOGw.exe
C:\Windows\System\VlnxWAo.exe
C:\Windows\System\VlnxWAo.exe
C:\Windows\System\xkUUgYh.exe
C:\Windows\System\xkUUgYh.exe
C:\Windows\System\paVrAXC.exe
C:\Windows\System\paVrAXC.exe
C:\Windows\System\QnVDKyn.exe
C:\Windows\System\QnVDKyn.exe
C:\Windows\System\DZBWypS.exe
C:\Windows\System\DZBWypS.exe
C:\Windows\System\fyNQaYx.exe
C:\Windows\System\fyNQaYx.exe
C:\Windows\System\pLWLluZ.exe
C:\Windows\System\pLWLluZ.exe
C:\Windows\System\ZdJpNGZ.exe
C:\Windows\System\ZdJpNGZ.exe
C:\Windows\System\AaEaBtE.exe
C:\Windows\System\AaEaBtE.exe
C:\Windows\System\QasVIHB.exe
C:\Windows\System\QasVIHB.exe
C:\Windows\System\LlNLCeS.exe
C:\Windows\System\LlNLCeS.exe
C:\Windows\System\epWSXoF.exe
C:\Windows\System\epWSXoF.exe
C:\Windows\System\IHvkGfr.exe
C:\Windows\System\IHvkGfr.exe
C:\Windows\System\gyGvbcF.exe
C:\Windows\System\gyGvbcF.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/1064-0-0x00007FF611700000-0x00007FF611A54000-memory.dmp
memory/1064-1-0x000001C6CB880000-0x000001C6CB890000-memory.dmp
C:\Windows\System\XAApyEK.exe
| MD5 | 38e1b7b0b9aa649f5c14f03127a6d132 |
| SHA1 | 3917ca36707cd2c4dba6b6926d34a14a7bb117b1 |
| SHA256 | ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72 |
| SHA512 | 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0 |
memory/3056-8-0x00007FF6743B0000-0x00007FF674704000-memory.dmp
C:\Windows\System\bRqcGBg.exe
| MD5 | 992e15ebc2245cf970acce9948576d6c |
| SHA1 | 3322f50d4aebf915abc8a5277cd07a23adf5f127 |
| SHA256 | 34aca34b8538d4e7f9b5ca1806b2281a0382769188fd9d2c13b1e312e96b00f5 |
| SHA512 | 2299491ec9c9bd4a6ac0a40bf192f660f0f17c74b61aa4e0097b4c4f83a6d479f7a76f02af36d33e9826debb7591943213a22619c67db9751ef075d87dd44bf7 |
C:\Windows\System\bRqcGBg.exe
| MD5 | e8c4508a392ccf08590d3627a36cc3c3 |
| SHA1 | 3a57dd6c92ebc54582acaafd15cc9311eb0d15a2 |
| SHA256 | cea51cc96156d8e8255e2ccada29ae7300a3315f995e7ba6d44446f87dc9a09d |
| SHA512 | f92387e78f5fe98543d9e60ae371868a188c86c9137b7d0a0d3bf28026dbd3fc59a4eb30687c1a9721f81959fcdee80d280162f492d355d2ec0e6a7c5d939410 |
memory/1880-14-0x00007FF680E60000-0x00007FF6811B4000-memory.dmp
memory/4804-20-0x00007FF7C5840000-0x00007FF7C5B94000-memory.dmp
C:\Windows\System\lsmnVXb.exe
| MD5 | 77671172f7ce39fbac5dee833603eeb4 |
| SHA1 | b6efc4c5702bc17a65da0a050b8439a8e901b2a2 |
| SHA256 | 60bb6732a28f20f84d03ce56d84db8cfd88ce5797554645f75ac7dfe59070545 |
| SHA512 | 4fa255e6a83c6d1e0ab12aca2ef29576a5d4b818456edf8542902b0cf3bfa08e86c8fc4a823479b6d2f9b4230442ba67e81b29d730c85843726ee60c3f75b032 |
C:\Windows\System\zLmilRb.exe
| MD5 | 1e2459942327eb396bd8cd9cbc885d14 |
| SHA1 | b979cbcb517509c30843efb1d91bef30f1f24a44 |
| SHA256 | 54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a |
| SHA512 | 62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7 |
C:\Windows\System\uAtOVzE.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
memory/1120-30-0x00007FF751520000-0x00007FF751874000-memory.dmp
C:\Windows\System\MrdGOGw.exe
| MD5 | c665d55523745ebd550a2c4296ad8ec9 |
| SHA1 | 43f72a8e93454ded742dbec7a7c84f59cb0d6520 |
| SHA256 | 4ce197747d9fbeeec8496c26db012627d7ce7e6aa1a732a7c731d6ef8431204b |
| SHA512 | 57b316ce017c765c9f224c8ed85aafffadf3e3509d0b9d8b28c09b7a506bf84dd5216ab3d5048ad1f637628cef7585aca82701224766df2dd48aff33618c1454 |
C:\Windows\System\VlnxWAo.exe
| MD5 | ffafad94c04d076c16e861ff07a4cb57 |
| SHA1 | c3501d64aef8c1b093200710a06e749c69db782a |
| SHA256 | 8937d79446003663139b48fb488b397b86db6056b10f97b4b51376a75074f295 |
| SHA512 | 64f6a6b1b0b877c82172b2c14c03c94dd8e19ddfeb29793c31f8e0d87bb2bb2fc63432b7cfddd5451417062117de8a69817c2cc596bd537558b9b01636a48700 |
C:\Windows\System\xkUUgYh.exe
| MD5 | 8003c8ca1c6255c4a9df50b61d369786 |
| SHA1 | ef521c59d5519424152618453d9a1ec413a267cf |
| SHA256 | caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8 |
| SHA512 | 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795 |
memory/1384-72-0x00007FF7AEF10000-0x00007FF7AF264000-memory.dmp
memory/3016-68-0x00007FF653950000-0x00007FF653CA4000-memory.dmp
C:\Windows\System\QnVDKyn.exe
| MD5 | 0628374c349921c969043e8b725a574d |
| SHA1 | d4d4b61d7abb11c25e423140f9a833a035819e3d |
| SHA256 | 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0 |
| SHA512 | 2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1 |
C:\Windows\System\paVrAXC.exe
| MD5 | 3ed5a609fc99609f477b127cb1075f8e |
| SHA1 | efbe9eae011603d0818e0ea87d848f4505a8ca00 |
| SHA256 | f5c7ed548f4ba98079252e02c14f981d3b1b5468313f0be262b25ccc06a1f939 |
| SHA512 | adf3c7526c8d008f32ef1391728203330e532d5ab3157f9a2a7fe21b8a1324527c1ba05f5b2198a9d7b1cc621dddfe091207ec334b309442cd5608fc15d0fd18 |
memory/1928-61-0x00007FF7EBBE0000-0x00007FF7EBF34000-memory.dmp
memory/1064-60-0x00007FF611700000-0x00007FF611A54000-memory.dmp
memory/2440-56-0x00007FF76CE50000-0x00007FF76D1A4000-memory.dmp
memory/4804-80-0x00007FF7C5840000-0x00007FF7C5B94000-memory.dmp
C:\Windows\System\LlNLCeS.exe
| MD5 | 7d9f1099f6b47550fd37adb914ba896f |
| SHA1 | 73597804426883357ebb880f6c0164793f40ad60 |
| SHA256 | 66cd4cd4af8f630e7f196e1d09756e078751dfa9bcc54e0d14fae0ccbe492285 |
| SHA512 | e8add13893f4c014a42f0f57f95da110b546828bbf0b90c6e45d275710a9847ff130353175caa02a22132a7aec183fbbcda6a7a954c359f2b63e3b3f4a4cba77 |
memory/4252-119-0x00007FF61D090000-0x00007FF61D3E4000-memory.dmp
C:\Windows\System\LlNLCeS.exe
| MD5 | 6fb6863d9548f3879b1ba1b64fc45a68 |
| SHA1 | 0dc40616de903c417cc9a8b581f9078af09ea60a |
| SHA256 | b26b72ca0ef6d18aef032253470a78a13f48dcd486b2eb6e1570c96324293e82 |
| SHA512 | cf09c13915872b96dcf1f62eac8174c1c1dfa4aabd64fb9272008df1f24e451a988f1edb48cb6ca8b7ef84d58508cf13cc3d0e709b84acf2687dd5617c6c3a61 |
C:\Windows\System\gyGvbcF.exe
| MD5 | 2e820f8af7aa3bf225d37608a0a87341 |
| SHA1 | b813ceb09756bee341a57c9525bd3abdbe863ab8 |
| SHA256 | de3ecb3b5fcb41244e0ad238c42dbdcdb420cd69a0a9fd4969c3c2c21a4688aa |
| SHA512 | 94100e338184f7a3ae15a222a1475fa5698953edd851085d3fd0ba1cff9c8ac4fea1d0ffc946527b9efc401e37d9d7afc7e865918e1dcb595782d3b4242cf2f4 |
memory/4812-127-0x00007FF7E96F0000-0x00007FF7E9A44000-memory.dmp
memory/2440-122-0x00007FF76CE50000-0x00007FF76D1A4000-memory.dmp
memory/4136-121-0x00007FF70FCF0000-0x00007FF710044000-memory.dmp
memory/4348-116-0x00007FF614700000-0x00007FF614A54000-memory.dmp
memory/5088-112-0x00007FF689960000-0x00007FF689CB4000-memory.dmp
memory/2920-110-0x00007FF793120000-0x00007FF793474000-memory.dmp
memory/4448-107-0x00007FF67EC70000-0x00007FF67EFC4000-memory.dmp
C:\Windows\System\QasVIHB.exe
| MD5 | f6cdfb3d88537b367792cbd894bd98ed |
| SHA1 | 3d3f99c94c72c456dffcf949bc5d30603a7e936c |
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
| SHA512 | 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3 |
memory/1824-101-0x00007FF67F1F0000-0x00007FF67F544000-memory.dmp
memory/1120-97-0x00007FF751520000-0x00007FF751874000-memory.dmp
memory/4988-90-0x00007FF6196A0000-0x00007FF6199F4000-memory.dmp
memory/372-86-0x00007FF6E3300000-0x00007FF6E3654000-memory.dmp
memory/2412-85-0x00007FF7D0FB0000-0x00007FF7D1304000-memory.dmp
C:\Windows\System\pLWLluZ.exe
| MD5 | 03686cfd6bbb43c8ac4dc50889b137b9 |
| SHA1 | 6800d5588f6a43ca169ee2c40a9fceeb5a54e5ee |
| SHA256 | ca47b446aecd91112038d34e552b47a5f46c4644080b07ddbdc37007b9159471 |
| SHA512 | 529d5e858f06c4743cb789c3a961b0d51ebcf4e4349ad70aece2c30ac43062a7b4932080525c55fc8af3690ae2760c5e4efdce79b5b27264e9b359474abc77a2 |
memory/2220-136-0x00007FF79A7B0000-0x00007FF79AB04000-memory.dmp
memory/3016-135-0x00007FF653950000-0x00007FF653CA4000-memory.dmp
memory/1928-134-0x00007FF7EBBE0000-0x00007FF7EBF34000-memory.dmp
memory/4252-48-0x00007FF61D090000-0x00007FF61D3E4000-memory.dmp
memory/1492-46-0x00007FF755930000-0x00007FF755C84000-memory.dmp
memory/4448-38-0x00007FF67EC70000-0x00007FF67EFC4000-memory.dmp
C:\Windows\System\uAtOVzE.exe
| MD5 | 1d51a6f9f8f706d40a78f27cac287065 |
| SHA1 | 981c2096ede4558d1ebc91ef5d6ea849a5e05a26 |
| SHA256 | 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1 |
| SHA512 | f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97 |
memory/372-24-0x00007FF6E3300000-0x00007FF6E3654000-memory.dmp