Analysis Overview
SHA256
e6a9a78b4a8fa1f1902cc96b91650547fc41523c4e884912aa00f25d4673e683
Threat Level: Known bad
The file 2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike
XMRig Miner payload
UPX dump on OEP (original entry point)
Xmrig family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Cobaltstrike family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 08:43
Signatures
Cobalt Strike reflective loader
1 match; description, indicator, process and target not recorded.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match; description, indicator, process and target not recorded.
UPX dump on OEP (original entry point)
1 match; description, indicator, process and target not recorded.
XMRig Miner payload
1 match; description, indicator, process and target not recorded.
Xmrig family
UPX packed file
1 match; description, indicator, process and target not recorded.
Unsigned PE
1 match; description, indicator, process and target not recorded.
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 08:43
Reported
2024-06-08 08:46
Platform
win7-20240419-en
Max time kernel
142s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; description, indicator, process and target not recorded for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; description, indicator, process and target not recorded for any of them.
UPX dump on OEP (original entry point)
63 matches; description, indicator, process and target not recorded for any of them.
XMRig Miner payload
64 matches; description, indicator, process and target not recorded for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\aHvKVhH.exe | N/A |
| N/A | N/A | C:\Windows\System\KWbdyEf.exe | N/A |
| N/A | N/A | C:\Windows\System\lTzmwYP.exe | N/A |
| N/A | N/A | C:\Windows\System\oAQZqht.exe | N/A |
| N/A | N/A | C:\Windows\System\SYDPzmd.exe | N/A |
| N/A | N/A | C:\Windows\System\JeUpuzH.exe | N/A |
| N/A | N/A | C:\Windows\System\vJyApuh.exe | N/A |
| N/A | N/A | C:\Windows\System\fbGisJh.exe | N/A |
| N/A | N/A | C:\Windows\System\BdUCkMO.exe | N/A |
| N/A | N/A | C:\Windows\System\atoHRbj.exe | N/A |
| N/A | N/A | C:\Windows\System\jUtUNdi.exe | N/A |
| N/A | N/A | C:\Windows\System\tFjfnxb.exe | N/A |
| N/A | N/A | C:\Windows\System\BIZCqZZ.exe | N/A |
| N/A | N/A | C:\Windows\System\YZYADDR.exe | N/A |
| N/A | N/A | C:\Windows\System\hAGOBQA.exe | N/A |
| N/A | N/A | C:\Windows\System\KiLMsnW.exe | N/A |
| N/A | N/A | C:\Windows\System\hoqOuZQ.exe | N/A |
| N/A | N/A | C:\Windows\System\lZXinBA.exe | N/A |
| N/A | N/A | C:\Windows\System\JUIFqUY.exe | N/A |
| N/A | N/A | C:\Windows\System\YEJVoNw.exe | N/A |
| N/A | N/A | C:\Windows\System\FSFGWdp.exe | N/A |
Loads dropped DLL
UPX packed file
63 matches; description, indicator, process and target not recorded for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\aHvKVhH.exe
C:\Windows\System\aHvKVhH.exe
C:\Windows\System\KWbdyEf.exe
C:\Windows\System\KWbdyEf.exe
C:\Windows\System\lTzmwYP.exe
C:\Windows\System\lTzmwYP.exe
C:\Windows\System\oAQZqht.exe
C:\Windows\System\oAQZqht.exe
C:\Windows\System\SYDPzmd.exe
C:\Windows\System\SYDPzmd.exe
C:\Windows\System\JeUpuzH.exe
C:\Windows\System\JeUpuzH.exe
C:\Windows\System\vJyApuh.exe
C:\Windows\System\vJyApuh.exe
C:\Windows\System\fbGisJh.exe
C:\Windows\System\fbGisJh.exe
C:\Windows\System\BdUCkMO.exe
C:\Windows\System\BdUCkMO.exe
C:\Windows\System\atoHRbj.exe
C:\Windows\System\atoHRbj.exe
C:\Windows\System\jUtUNdi.exe
C:\Windows\System\jUtUNdi.exe
C:\Windows\System\tFjfnxb.exe
C:\Windows\System\tFjfnxb.exe
C:\Windows\System\BIZCqZZ.exe
C:\Windows\System\BIZCqZZ.exe
C:\Windows\System\YZYADDR.exe
C:\Windows\System\YZYADDR.exe
C:\Windows\System\hAGOBQA.exe
C:\Windows\System\hAGOBQA.exe
C:\Windows\System\KiLMsnW.exe
C:\Windows\System\KiLMsnW.exe
C:\Windows\System\hoqOuZQ.exe
C:\Windows\System\hoqOuZQ.exe
C:\Windows\System\lZXinBA.exe
C:\Windows\System\lZXinBA.exe
C:\Windows\System\JUIFqUY.exe
C:\Windows\System\JUIFqUY.exe
C:\Windows\System\YEJVoNw.exe
C:\Windows\System\YEJVoNw.exe
C:\Windows\System\FSFGWdp.exe
C:\Windows\System\FSFGWdp.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1968-0-0x00000000003F0000-0x0000000000400000-memory.dmp
memory/1968-2-0x000000013F240000-0x000000013F594000-memory.dmp
\Windows\system\aHvKVhH.exe
| MD5 | c59688da11d39e62832ebdb9361b4976 |
| SHA1 | c7a9f0ff7da05e495d0a0aeec67df0ced7846a8c |
| SHA256 | de3efa1f06808498d6bbc50355072b41295caee310aff197fa467f6b0f691268 |
| SHA512 | 5a08fe3fd053e66b632441151bc12b644d5b4cc0e2f7ce00f8e488d63332e31b4d08a895236715873feffab66078bb700847b332281ec33a1401a4471bc5eea5 |
memory/1968-6-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/3008-8-0x000000013F8E0000-0x000000013FC34000-memory.dmp
\Windows\system\KWbdyEf.exe
| MD5 | 04aa09ed29e3413a045d545793c211e7 |
| SHA1 | 4bdbde3b5e5ca60ac450e32b548a8ac54d0a1ef7 |
| SHA256 | f058b7ddcf3e9286f013c727cbb7b3249187abb432cbe1507d98c44f64981919 |
| SHA512 | ae742a6ba6ef9ac3ac5705f888990bb5f623c096dd87a482a7a2d0dcf4cb74eaa2d10dd298f77511b07b5b8e07f31e895e8be1a5aab22ae13799bf469f5dd393 |
\Windows\system\lTzmwYP.exe
| MD5 | f96716b4aa2b572162d91b0fc05dec4f |
| SHA1 | 4a10b73b22269fa78d587af3ea9e1cffbaee3f70 |
| SHA256 | d4083f7a6f2d41dbed0a1f76943be9149daa478f23260d304c341dfd5cf3e7e2 |
| SHA512 | 3cd650b87bc6ad9f3602d50058e854b605c46b59a4c5fabffe136bbe171b9f0eeffc0367f65179f78ed036fb3ade7072934a58922153f3e9fb9ef305bf880f3d |
C:\Windows\system\oAQZqht.exe
| MD5 | a47115b9ca02b0919f8dea9b64895c36 |
| SHA1 | eb8e6ba1a4bfe8f8b08bb92c4a48421653c1c444 |
| SHA256 | 2d2bf25993575c5bff611aa019a9e7f8bcd82fb8b8d30e7600a9cc8e66065637 |
| SHA512 | f329b8afaf879699b8562e954e17c47904e0e92a96fb18722e4f72658b22cc0ea9a08d4005f32cae2678d42fff115cee0912287172bb2ba3e7e93b8f2f2baae7 |
memory/1968-28-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2736-29-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2664-26-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/1968-23-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2596-14-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2788-35-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/2488-43-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/1968-42-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/1968-34-0x000000013FF20000-0x0000000140274000-memory.dmp
C:\Windows\system\JeUpuzH.exe
| MD5 | e962a30a22a6cba30f82d58139aa33ff |
| SHA1 | e4c6b84f07301f32157680ee3160d5c71010f341 |
| SHA256 | f8122527d3cfc9c0f45c6568e4cee517e01115afe8def921bea10b701bfcd3af |
| SHA512 | dd629fe2b66d31e4457fcaf281f9a95c79971eb8d187bcf3e6b2792cba774b5d1d0ca4a776b805a899bdb085c523731b82c08572257cc7ab058d6ee92a647646 |
C:\Windows\system\SYDPzmd.exe
| MD5 | 31d8d6bed97811a2c8183dd7d0723e30 |
| SHA1 | fe92dd6854990487d605c4d3835f29701e2c6903 |
| SHA256 | f95003cd4fbc9fb6f5a2389e1903c388fbf207916950034606e016e54c0dc249 |
| SHA512 | 569211519f8da4b174ec58872e6431a022aa6a277e9d1fdc7a4fbceb717394a8fcfefa27f972a043f8d8527001fb4f7daba077ee4f3fd081fb2ab23a78901dd8 |
memory/2780-49-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2532-56-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/1968-55-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
C:\Windows\system\atoHRbj.exe
| MD5 | 3c31f53fa79ccb3c2cca0949b6030d81 |
| SHA1 | 4a03ad35d77e44e23f3b5610e2ea1d1a347b9847 |
| SHA256 | 67ed21380a3469eb1475f6f43e8bdfb2782a4672220fa520c044e53a779bcb48 |
| SHA512 | 1518917693336449ac711668ef043bf27fd40ab3866fabbaac88cbb7dbc345f47ea28b9fc81702bd84f809351bcc635c876805054c620a9b63387b2a058a57d9 |
memory/2504-63-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/1596-69-0x000000013F050000-0x000000013F3A4000-memory.dmp
\Windows\system\jUtUNdi.exe
| MD5 | 86d114f7a1ac68e3dd9dae8af90507f8 |
| SHA1 | 1017bce5f8d7990fccef767220361c1d27e58a8d |
| SHA256 | 8d11e4de38cc6b8eb4e71043702bd2478111134d5d8b7ba79a9146aa6fd95df3 |
| SHA512 | 3e81b6f7c9c85f813b6d2ff4cd77a8931e6d0c407929b552535d3de10bc5f1fb9301797073182ee784de0b6159368bd218eb14ee0ba9b1a1168611ea2ece5e80 |
C:\Windows\system\YZYADDR.exe
| MD5 | 85031710d40453d68c36f1c697d4aa93 |
| SHA1 | 20a1ad6ad6947f3f06de1a4afb4a227c31d07eb9 |
| SHA256 | 81a3c270179558414a6fc4c28fcc49457304b6ce9cdd5eda3b4235103f4e6ef0 |
| SHA512 | 2294790c0a670a758183f25961dec0fccdb989edf82f040c62163d826ec3607376cd36ad5bd6c03310dfaa1d4447859ade98f67975452dbf9cec24feeac6db9c |
memory/1588-99-0x000000013FC60000-0x000000013FFB4000-memory.dmp
C:\Windows\system\lZXinBA.exe
| MD5 | ea3d70e2748e9830d552e5c4d5f85ea0 |
| SHA1 | 4a380bdb4bfa866ae5e2e0a3afd0b50f149277cf |
| SHA256 | 71f74a6c2d529860a168585751e84f97ba0700399ffb23a9271c3683feb6bc29 |
| SHA512 | b999180c30a1db69a3610f79c54476d983af0fd28627f594f700912f40ae48fe949627f3aaa81b14aaeda9d0e0b2120bfac0f60bba36484ba6c7ac98b0c5fe90 |
\Windows\system\FSFGWdp.exe
| MD5 | c9248cbe49a2ca6c61cd67acc3833c83 |
| SHA1 | 546576bf34dc353a9e8df92513fdd3b542171fa7 |
| SHA256 | 11c28cb2773d5a3283610acab0c1b03cbf73180a6792491c6e44a2e60ecb1f49 |
| SHA512 | 9f1a0a64336f9c3958e6a587839ee5727961686bfd2327d2dd78847814a9930730bd5a841e2958413f1d89b14f3b6de7f557ac9f552df229e4c4e242efe9ddeb |
C:\Windows\system\YEJVoNw.exe
| MD5 | 62c6eba47634f877dc30bafbe07ae0b1 |
| SHA1 | 3a769d5764e2ddca363ba936dff31a003da51ece |
| SHA256 | 13a806d9617141522060a3a10b62ef9561853d6137767be9c72f31bd6665ee8f |
| SHA512 | 2a783b53643b28b2872f2b80cf13da725f40d0cc1712a52bfaa7d75b4ed9360de13b6bf242a56770874540bf4f8d9a9aba2770b514631aa8176683c2610d3d7e |
C:\Windows\system\JUIFqUY.exe
| MD5 | 775983015164f26ffb297f3b03d11bf0 |
| SHA1 | a67981ccd9d8482696fe14da51a958e0dae4f553 |
| SHA256 | 8f0f1bbac317c77ab5c42455b152165dacdb7a13629edd28174df712995c5974 |
| SHA512 | 01b25692bd4767fa80059e197666161ecc053e755ef7aca14d002f342a8cb7ba1ceac0a1ce47c33cd84fa31ce4714b319ceb87463ca3f26b81f5ce6171628760 |
C:\Windows\system\hoqOuZQ.exe
| MD5 | c3cf9225e2ddd589b80bf81e9d12fa8a |
| SHA1 | fd8eb7742ad44cafff6b1bfb21407e9f663c15b0 |
| SHA256 | 76c353c7a099c64049191926eecddfd5c148e29f2b34ec2186c4c05b819e5e1a |
| SHA512 | 05329e6c946a2fe73865086885d9ee2cf55e80c11077b24049af9e6cf95d0e0111b7755d4cf17a0dd5e3d52e92a17f5f18f5e15de66c2c5c99907c6af4f58520 |
C:\Windows\system\hAGOBQA.exe
| MD5 | 95922d25b21b1a1fdb3b7de9a092a552 |
| SHA1 | ff627df1bc295827fb238c66964885ab1437d70a |
| SHA256 | 81d00a0922847d8f307771cf9925415b4415d606fdd3fe12eae6b0b869cb1029 |
| SHA512 | 9dc3027a138f85cc5b6f3e63ea2eaf1cf4785042b232713c243c86ec73485b5bfe33d03b7c2f13837ee043aa3a6c2fcdc0d841d438d11bdc0394283d37dba3d8 |
C:\Windows\system\KiLMsnW.exe
| MD5 | 70268d965d3bd1193610da9a3bfa8cc3 |
| SHA1 | 06bf23ae25c33d798cca2879258e821cb8dd0b1e |
| SHA256 | a464504611dbd33f44a3a779a46aa49d36392e5dcf810b862987b5eacca1beba |
| SHA512 | de33ab058cb52a66dbbe08d7c3d8dbe6687f79f943d9e45334c831d3311f7fb5c3575788069c7b36b7a1b876ea9c364beaf8ace02a071cc780581b32d7d5a0d3 |
memory/1584-92-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2780-136-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/1968-91-0x000000013F680000-0x000000013F9D4000-memory.dmp
C:\Windows\system\BIZCqZZ.exe
| MD5 | 8336c4934bb1e5fe2e12d9bb5cdc4465 |
| SHA1 | 3fb07cd23105b00cc838c7d41c43d9ad5fe9e4b5 |
| SHA256 | b201120b6454d9aa484f2b7546dc11729fa3b0df003eceddccf68b3610aaa275 |
| SHA512 | 9e2657f9f762c04d0bbb187bdef1629b6ab4a2f1d2b39b5d44fbaa3fe1b5cec5099e8591646ea0d7543438915d5fb937ba12ae339867cd6178eb4a7a953d1d56 |
memory/1968-98-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2524-77-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/1968-76-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2664-75-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2596-74-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2788-97-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/2632-85-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/1968-84-0x000000013F9E0000-0x000000013FD34000-memory.dmp
C:\Windows\system\tFjfnxb.exe
| MD5 | 7c7f8f6479618853f012c8da98b9bffc |
| SHA1 | 46aa73d757dad3e3b8c91a1326c5a479b0ab2dda |
| SHA256 | a86d9876b15c62bd397d0a1ac6b9b1b2af010158f2d99a5b26b169de454f7559 |
| SHA512 | e67281a2f76277b8345fd29178ecc8f2c307473a5533ef9e3b7a616e48e44b52b18d833983a48c1590b1d8d7056859da486a195c45465ebe7c58ae822a4c2d80 |
memory/2532-137-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/3008-62-0x000000013F8E0000-0x000000013FC34000-memory.dmp
C:\Windows\system\BdUCkMO.exe
| MD5 | 9d242080a29101ea417121d269e439c1 |
| SHA1 | 6f79fc31b3ba8276808c322445d11b1ea761cc03 |
| SHA256 | 44153767998c3a1183345bc741fe0e21dfe013097c546771fd585bab9504c558 |
| SHA512 | cae98a1492089bc496495789912e4e7b1d34d637f549b5602ee6157b426d93d0dd62ff91ce4ef1ffb2b8969a92468ff7a0e73666fde7ba81852f4b8e0dbf406d |
C:\Windows\system\fbGisJh.exe
| MD5 | fee2b4540de28d4de1d225c97b5dee6b |
| SHA1 | d8c558259b66e1d6345ab66fdd9cadae8f0aaac5 |
| SHA256 | c015f6c3ff440179f573e6c996c08b4048b52565aadf4bb46e96aee9f904b417 |
| SHA512 | 87a6ef6c605f8a7ef9ae000f283ff61932f95592847ed05fe5a7e861990c62b40be94cd00295d7eb5ffe6dab71a1466175ab0684e7dcc440b41e0d349c78de94 |
memory/1968-48-0x000000013F240000-0x000000013F594000-memory.dmp
C:\Windows\system\vJyApuh.exe
| MD5 | 165717a7c7d307a6143ad7cbf6835ea5 |
| SHA1 | b4f8617c191ee61946a8ea4cb3ef7ff1367b20b8 |
| SHA256 | 82a95b066496a88e96baca069e7b712f0f6ad1f163d4f664140abfc559215c34 |
| SHA512 | 255955ca0e116893cf47073538db874b7ff4b3e7f91c64c420865cc278cdff15af3d1ccb6c8fa3901733c39d049d8fb40c13f1ed6567f5ae1039bdbc07e9d35d |
memory/2504-138-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/1968-139-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/1596-140-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/1968-141-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2524-142-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2632-143-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/1968-144-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/1584-145-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/1968-146-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/1588-147-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/1968-148-0x000000013F8C0000-0x000000013FC14000-memory.dmp
memory/3008-149-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2596-150-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2664-151-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2736-152-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2788-153-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/2488-154-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2780-155-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2532-156-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2504-157-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/1596-158-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2524-159-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2632-160-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/1584-161-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/1588-162-0x000000013FC60000-0x000000013FFB4000-memory.dmp
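Taken together, the signatures and file tables above give a host-side hunter three things to key on: the SHA256 values of the dropped files, the naming pattern of the drops (every one of them, in both detonations, is C:\Windows\System\<seven mixed-case letters>.exe), and the enabling of SeLockMemoryPrivilege, which XMRig requests to back its scratchpad with large pages. Note that the drop names and hashes differ between the Windows 7 and Windows 10 runs, so the hash list is per-run while the path pattern and the privilege use carry across runs. The Python below is an added example, not part of this sandbox report: it replays constructed Sysmon-shaped records (Event ID 11 FileCreate, Event ID 1 ProcessCreate with its Hashes field) and Windows Security event 4703 (token right adjusted) records through those three checks. Field names follow the Sysmon and Security XML schemas; the records themselves are made up, and the hash set lists only the first three drops from the behavioral1 Files section. SeLockMemoryPrivilege is also held legitimately by software such as database servers configured for large pages, so treat that rule as corroboration rather than a verdict on its own.

```python
import re
from dataclasses import dataclass

# SHA256 values copied from the behavioral1 Files section (first three drops).
# Hashes differ between the two detonations, so extend this per run.
KNOWN_DROP_SHA256 = {
    "de3efa1f06808498d6bbc50355072b41295caee310aff197fa467f6b0f691268": "aHvKVhH.exe",
    "f058b7ddcf3e9286f013c727cbb7b3249187abb432cbe1507d98c44f64981919": "KWbdyEf.exe",
    "d4083f7a6f2d41dbed0a1f76943be9149daa478f23260d304c341dfd5cf3e7e2": "lTzmwYP.exe",
}

# Every drop in both runs is C:\Windows\System\<seven letters>.exe.
# Anchoring on "\System\" keeps System32 and SysWOW64 out of scope.
DROP_PATH = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

# Privilege the sample enables (AdjustPrivilegeToken signature); XMRig
# requests it to back its scratchpad with large pages.
LOCK_MEMORY = "SeLockMemoryPrivilege"


@dataclass(frozen=True)
class Finding:
    rule: str
    record_id: int
    detail: str


def parse_sysmon_hashes(hashes: str) -> dict:
    """Turn Sysmon's 'MD5=..,SHA256=..' Hashes field into {ALGO: lowercase hex}."""
    out = {}
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if value:
            out[algo.strip().upper()] = value.strip().lower()
    return out


def check_record(rec: dict) -> list:
    """Apply the three checks to one event record (dict of field -> value)."""
    findings = []
    rid, eid = rec["RecordID"], rec["EventID"]

    # Sysmon 11 (FileCreate) names the new file; Sysmon 1 (ProcessCreate)
    # names the image. Either matching the drop pattern is a finding.
    for fld in ("TargetFilename", "Image"):
        path = rec.get(fld)
        if path and DROP_PATH.match(path):
            findings.append(Finding("drop_path_pattern", rid, path))

    # Sysmon 1 carries the hashes of the image that started.
    if eid == 1 and "Hashes" in rec:
        sha256 = parse_sysmon_hashes(rec["Hashes"]).get("SHA256")
        if sha256 in KNOWN_DROP_SHA256:
            findings.append(Finding("known_drop_sha256", rid,
                                    f"{sha256} ({KNOWN_DROP_SHA256[sha256]})"))

    # Security 4703 (token right adjusted): EnabledPrivilegeList is a
    # whitespace-separated list in the XML rendering of the event.
    if eid == 4703 and LOCK_MEMORY in rec.get("EnabledPrivilegeList", "").split():
        findings.append(Finding("lock_memory_privilege", rid, rec.get("ProcessName", "?")))
    return findings


def hunt(records) -> list:
    """Run check_record over a sequence of records and flatten the findings."""
    return [f for rec in records for f in check_record(rec)]


def rules_hit(findings) -> dict:
    """Findings per rule; a host tripping two or more of these deserves a look."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed records modelled on the report's process tree; not real telemetry.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe")
SAMPLE_RECORDS = [
    {"RecordID": 1, "EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Windows\System\aHvKVhH.exe"},
    {"RecordID": 2, "EventID": 1, "Image": r"C:\Windows\System\aHvKVhH.exe",
     "ParentImage": SAMPLE,
     "Hashes": "MD5=c59688da11d39e62832ebdb9361b4976,"
               "SHA256=DE3EFA1F06808498D6BBC50355072B41295CAEE310AFF197FA467F6B0F691268"},
    {"RecordID": 3, "EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "Hashes": "SHA256=" + "0" * 64},
    {"RecordID": 4, "EventID": 4703, "ProcessName": SAMPLE,
     "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"RecordID": 5, "EventID": 4703, "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeImpersonatePrivilege\r\n\t\t\tSeChangeNotifyPrivilege"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f"{f.rule:22} record {f.record_id}: {f.detail}")
```

The hash check normalises case because Sysmon emits uppercase hex while the report lists lowercase; the path rule is the one worth deploying broadly, since C:\Windows\System is a legacy directory where a freshly created seven-letter executable has no business appearing.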
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 08:43
Reported
2024-06-08 08:46
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; description, indicator, process and target not recorded for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; description, indicator, process and target not recorded for any of them.
UPX dump on OEP (original entry point)
64 matches; description, indicator, process and target not recorded for any of them.
XMRig Miner payload
64 matches; description, indicator, process and target not recorded for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\drYpgIA.exe | N/A |
| N/A | N/A | C:\Windows\System\WFVlAoc.exe | N/A |
| N/A | N/A | C:\Windows\System\MLiRNja.exe | N/A |
| N/A | N/A | C:\Windows\System\OIurKJm.exe | N/A |
| N/A | N/A | C:\Windows\System\iHAKULg.exe | N/A |
| N/A | N/A | C:\Windows\System\LnzdIhT.exe | N/A |
| N/A | N/A | C:\Windows\System\Euwkhcr.exe | N/A |
| N/A | N/A | C:\Windows\System\yireyTD.exe | N/A |
| N/A | N/A | C:\Windows\System\vFTRQmI.exe | N/A |
| N/A | N/A | C:\Windows\System\mTyPanL.exe | N/A |
| N/A | N/A | C:\Windows\System\NoalAQd.exe | N/A |
| N/A | N/A | C:\Windows\System\tgfWTfS.exe | N/A |
| N/A | N/A | C:\Windows\System\IRpOKeL.exe | N/A |
| N/A | N/A | C:\Windows\System\BndfJif.exe | N/A |
| N/A | N/A | C:\Windows\System\YhrMxek.exe | N/A |
| N/A | N/A | C:\Windows\System\UOAQHXR.exe | N/A |
| N/A | N/A | C:\Windows\System\ypwFQvv.exe | N/A |
| N/A | N/A | C:\Windows\System\idBiwaO.exe | N/A |
| N/A | N/A | C:\Windows\System\nwrzkJB.exe | N/A |
| N/A | N/A | C:\Windows\System\uuASpvp.exe | N/A |
| N/A | N/A | C:\Windows\System\IMNddgG.exe | N/A |
UPX packed file
64 matches; description, indicator, process and target not recorded for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\drYpgIA.exe
C:\Windows\System\drYpgIA.exe
C:\Windows\System\WFVlAoc.exe
C:\Windows\System\WFVlAoc.exe
C:\Windows\System\MLiRNja.exe
C:\Windows\System\MLiRNja.exe
C:\Windows\System\OIurKJm.exe
C:\Windows\System\OIurKJm.exe
C:\Windows\System\iHAKULg.exe
C:\Windows\System\iHAKULg.exe
C:\Windows\System\LnzdIhT.exe
C:\Windows\System\LnzdIhT.exe
C:\Windows\System\Euwkhcr.exe
C:\Windows\System\Euwkhcr.exe
C:\Windows\System\yireyTD.exe
C:\Windows\System\yireyTD.exe
C:\Windows\System\vFTRQmI.exe
C:\Windows\System\vFTRQmI.exe
C:\Windows\System\mTyPanL.exe
C:\Windows\System\mTyPanL.exe
C:\Windows\System\NoalAQd.exe
C:\Windows\System\NoalAQd.exe
C:\Windows\System\tgfWTfS.exe
C:\Windows\System\tgfWTfS.exe
C:\Windows\System\IRpOKeL.exe
C:\Windows\System\IRpOKeL.exe
C:\Windows\System\BndfJif.exe
C:\Windows\System\BndfJif.exe
C:\Windows\System\YhrMxek.exe
C:\Windows\System\YhrMxek.exe
C:\Windows\System\UOAQHXR.exe
C:\Windows\System\UOAQHXR.exe
C:\Windows\System\ypwFQvv.exe
C:\Windows\System\ypwFQvv.exe
C:\Windows\System\idBiwaO.exe
C:\Windows\System\idBiwaO.exe
C:\Windows\System\uuASpvp.exe
C:\Windows\System\uuASpvp.exe
C:\Windows\System\nwrzkJB.exe
C:\Windows\System\nwrzkJB.exe
C:\Windows\System\IMNddgG.exe
C:\Windows\System\IMNddgG.exe
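Taken together, the rows above describe one behaviour: the submitted sample writes twenty executables with random seven-letter names into C:\Windows\System and then launches each of them (the "Drops file in Windows directory" and "Executes dropped EXE" signatures). Two details from the Files section below are worth noting before writing a detection: every dropped file carries a different hash, so hash-based blocking alone will not catch the next drop, and every image-mapped memory dump (the 0x00007FF... regions) spans exactly 0x354000 bytes, consistent with the same payload being re-emitted under a new name each time. The SeLockMemoryPrivilege request logged under "Suspicious use of AdjustPrivilegeToken" is consistent with XMRig's large-page setup, which needs that privilege. The following Python is an added example, not code from the report or the sandbox vendor: it runs a drop-and-execute rule over constructed Sysmon-style events (Event ID 11 FileCreate, Event ID 1 ProcessCreate). The parent/child relationship is assumed, since the report lists processes but not their tree, the benign rows are invented noise, and the naming regex is derived from the names on this page rather than from any published signature.

```python
import re
from collections import defaultdict

# Dropped-file naming seen in the report: seven mixed-case letters directly under
# C:\Windows\System. The regex is an assumption derived from those names, not a
# vendor signature; tune it to your own telemetry.
DROP_NAME = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe")

# Dropped paths taken from the report's process list (first five of twenty).
DROPPED = [r"C:\Windows\System\%s.exe" % n for n in
           ("drYpgIA", "WFVlAoc", "MLiRNja", "OIurKJm", "iHAKULg")]


def build_sample_events():
    r"""Constructed Sysmon-style events: ID 11 = FileCreate, ID 1 = ProcessCreate.
    The sample-as-parent relationship is assumed for the example; the benign
    rows are invented noise to show what the rule ignores."""
    events = []
    for path in DROPPED:
        events.append({"id": 11, "image": SAMPLE, "target": path})
        events.append({"id": 1, "parent": SAMPLE, "image": path})
    # Benign noise: an installer writing and running its own helper elsewhere,
    # and a process that writes one odd file but never executes it.
    events.append({"id": 11, "image": r"C:\Temp\setup.exe",
                   "target": r"C:\Program Files\App\helper.exe"})
    events.append({"id": 1, "parent": r"C:\Temp\setup.exe",
                   "image": r"C:\Program Files\App\helper.exe"})
    events.append({"id": 11, "image": r"C:\Windows\explorer.exe",
                   "target": r"C:\Windows\System\AbCdEfG.exe"})
    return events


def find_drop_and_execute(events, min_count=3):
    r"""Return {dropper: sorted paths} for any process that both wrote and then
    launched at least min_count randomly named executables in C:\Windows\System.
    Requiring both the write and the launch keeps single stray files out."""
    written = defaultdict(set)
    launched = defaultdict(set)
    for ev in events:
        if ev["id"] == 11 and DROP_NAME.match(ev["target"]):
            written[ev["image"]].add(ev["target"])
        elif ev["id"] == 1 and DROP_NAME.match(ev["image"]):
            launched[ev["parent"]].add(ev["image"])
    hits = {}
    for dropper, paths in written.items():
        both = sorted(paths & launched.get(dropper, set()))
        if len(both) >= min_count:
            hits[dropper] = both
    return hits


if __name__ == "__main__":
    for dropper, paths in find_drop_and_execute(build_sample_events()).items():
        print(dropper)
        for p in paths:
            print("   ", p)
```

The rule keys on behaviour (many random-named executables written to one unusual directory and then run by the same parent) rather than on the twenty hashes listed below, which is why it still fires when the next variant drops files with fresh names and fresh hashes.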
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 52.111.227.11:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
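Most of the network rows are reverse-DNS (PTR) queries sent to 8.8.8.8, the kind of background lookup a Windows VM produces on its own; the names are written with the octets reversed, so 228.249.119.40.in-addr.arpa asks about 40.119.249.228. The one destination contacted repeatedly is 3.120.209.58:8080 over TCP (six connections, no domain recorded), which makes it the candidate beacon or pool endpoint to pivot on, and because the report records no hostname for it, any blocking has to be by IP and port. The Python below is an added example, not part of the report: it decodes the PTR names back to addresses and tallies the direct connections so the persistent peer stands out. The rows are copied from the table above; the thresholds are assumptions.

```python
import ipaddress
from collections import Counter

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """Decode a reverse-lookup query name (octets reversed, e.g.
    228.249.119.40.in-addr.arpa) back to the IPv4 address being asked about.
    Returns None for anything that is not a well-formed IPv4 PTR name."""
    if not name or not name.endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


# The report's Network table, copied as (country, destination, domain, proto);
# the TCP rows carry no domain.
REPORT_ROWS = [
    ("US", "8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "203.107.17.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "69.31.126.40.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "157.123.68.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "52.111.227.11:443", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
]


def summarize(rows):
    """Separate reverse-DNS lookups (decoded to the IP they ask about) from
    direct connections, counting how often each connection repeats."""
    lookups = []
    connections = Counter()
    for country, dest, domain, proto in rows:
        ip = ptr_to_ip(domain) if proto == "udp" and dest.endswith(":53") else None
        if ip:
            lookups.append(ip)
        else:
            connections[(dest, proto, country)] += 1
    return {"ptr_lookups": lookups, "connections": connections}


def persistent_peers(rows, min_repeats=3):
    """Non-DNS destinations contacted at least min_repeats times (assumed
    threshold): the beacon or pool candidates worth pivoting on first."""
    conns = summarize(rows)["connections"]
    return sorted(dest for (dest, proto, _), n in conns.items()
                  if proto == "tcp" and n >= min_repeats)


if __name__ == "__main__":
    result = summarize(REPORT_ROWS)
    print("addresses looked up:", ", ".join(result["ptr_lookups"]))
    for (dest, proto, country), n in result["connections"].most_common():
        print(f"{dest} {proto} {country} x{n}")
    print("persistent peers:", persistent_peers(REPORT_ROWS))
```

The decoded lookup targets (40.119.249.228, 2.17.107.203, 40.126.31.69, and so on) are the addresses the VM was resolving in reverse, not hosts the sample connected to; keep them out of any blocklist built from this report.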
Files
memory/4172-0-0x00007FF6E9CD0000-0x00007FF6EA024000-memory.dmp
C:\Windows\System\WFVlAoc.exe
| MD5 | 4d0b8fb2e36a61053c4487a6dcfa4ea0 |
| SHA1 | 7752018f04697d2f17a39ca56f49d6c45d84dac0 |
| SHA256 | af94cad45b5efeb9089612695341a0bf41e7427f7ed18584a46093d8785f83bf |
| SHA512 | 71bfff9c1d800b90099c23fac3178c561e825fbfba10c50cd7b749b1645528a719e9d292fa4b12907c37d631debd882df88fdda93b5630e5a690ee37cb0f8449 |
C:\Windows\System\MLiRNja.exe
| MD5 | e00123716811aad26e6b6826897e491b |
| SHA1 | a09fd362dfa075d0730357f81e368f61c45bb724 |
| SHA256 | 9d9f94f486234a77926595285684cd2309b3a324dabe7f4c4bdcbe32ce393a04 |
| SHA512 | 56930d0741aadb645fff3fbee0176bc78fee2a3b5a497c8043dcc916924614f4d01101a0914617dfb3eb17ad1825299bcb0c252abbba5bba6e42ffb096c6a12e |
memory/2848-20-0x00007FF7D1050000-0x00007FF7D13A4000-memory.dmp
memory/3732-14-0x00007FF7084D0000-0x00007FF708824000-memory.dmp
memory/1668-8-0x00007FF6EBD40000-0x00007FF6EC094000-memory.dmp
C:\Windows\System\drYpgIA.exe
| MD5 | bc5af2dc92c389109611805ff90065df |
| SHA1 | 73fac57b70354df865a70e30a8c3a34cc5944d33 |
| SHA256 | eae347d281e30f55aaec50910cffae598b9b8316511180954200c715ed7a33f5 |
| SHA512 | 6eaefc67e5546aa94813e59475404ce54e68feef6c385c012b7152cc44acf9292008786f513b0a20a036906073c6f9d6153fd8f666f6138b7937144bce52090f |
memory/4172-1-0x0000013E7C860000-0x0000013E7C870000-memory.dmp
C:\Windows\System\OIurKJm.exe
| MD5 | 5b34b85fa26c28716e4f7f89150bf2b5 |
| SHA1 | 00840b9d145431b911196e290ee433b246fe195d |
| SHA256 | fa99100a7b6f7f3f458e8eb929b7b1ce6ec113bd0306abc987bfd29bd02071b9 |
| SHA512 | 8cfbdc8018d9a9866164f195ac44213b4f803262d869d5b4d922cf0a1468752d59404fdae734d7e991d407248ec37da823730792fc9d556e48dc411eb4718900 |
C:\Windows\System\iHAKULg.exe
| MD5 | 683158fd1db098fccdebced8ae521ff4 |
| SHA1 | 3c3b6d5e2ddcb85af08c8a4aa31a496ea623164f |
| SHA256 | 6363b9cb88f06adf4dd7c98885907f8cc2aa482e01e80c624b5ebed5a88ee26c |
| SHA512 | f3d1ecf292dab174e0801f8834195aa02e637beb3771bddc622107a4c5de3af5270acf833edb1b1144aceb9298ba0d0cd0d7d400d199986bc4733d95ff494cc1 |
memory/4948-46-0x00007FF66A490000-0x00007FF66A7E4000-memory.dmp
C:\Windows\System\mTyPanL.exe
| MD5 | c1739e82df12289021dd4a0a2c0b89df |
| SHA1 | f4501383f987f4d573a7d4208e8c00aae70858ac |
| SHA256 | eb5fdec70376c3951f88b30cdc69b3424b8dcc7e00080cc0f9c49025ab5fd6ce |
| SHA512 | 1e5ed1b46e122d6982fc099bb4efbea81ad185977649619263260df804c2ca6b9b5a3b8f41d7a69787e92695818886c6fa61f54051ade15c40e6d632610e8937 |
C:\Windows\System\vFTRQmI.exe
| MD5 | 63b87786d7a880dfd4fbf0debb67cfb7 |
| SHA1 | 49f6493b2a0cc050cad64679f685e75a5eb337dc |
| SHA256 | 9e246a79eb6a51482705cbf96e199215e5f32f0804ddfe9413da2f6a32fae278 |
| SHA512 | 1336bf0090b04c4b386910d90c41ad6a11e8148b9de21e11730351b65cbb3f2e21d493804b9c84fd6e6e6700d6afc48e3a9d070ecf06e61c2d57aa602cb02fac |
memory/2804-60-0x00007FF7A7340000-0x00007FF7A7694000-memory.dmp
memory/4788-57-0x00007FF6CEC80000-0x00007FF6CEFD4000-memory.dmp
C:\Windows\System\LnzdIhT.exe
| MD5 | b169e22aa207fb820cd389590a725663 |
| SHA1 | 26d4ee998963bb3f3e86853ae897ff69ecd3e862 |
| SHA256 | bb56703a15c649ff08337a60a82650090951cd055db4e1d77aef5300e48feb22 |
| SHA512 | 70d65d83cf543b4a15320d16665b5ead25979bdf8e8b53fdd767cbd088c1dd31abc16add734028cf4d32e2295db665e360ca1c82c7b5c4eb3f521ad47792770a |
C:\Windows\System\Euwkhcr.exe
| MD5 | 702d0e1d8426a8c173c9687ef807d4e6 |
| SHA1 | 100b52b59eadc043100228db25aa69f6bf323e66 |
| SHA256 | 2dfa68afc48feb69459bef7dba93e381e2bd14a3643d1c782eef68437218c9b1 |
| SHA512 | b4e126879a4ab92da9c1a16c26df1970f59288d0c9cd6928d38b749e2fd33b4c92fe3d4cc0610e4c9c8493740961692de947cbda23cb469db33aa98a62ab7461 |
C:\Windows\System\yireyTD.exe
| MD5 | 694948af9a3526e920f529653720a633 |
| SHA1 | 978954965076da5164a7457e95ad25d19cb6ec53 |
| SHA256 | 13559c0f0b4ee777c50bf10f868d38ddc038c9806410b5c6d164f64690301e5c |
| SHA512 | 85e7a3fd77ac8ea4c6f5cf4d7290064b2344b48c5d7c040a4e8cb7e2253f607e4d3adeabc3b0a1e403dd33356eff14dca138964ddb1749a349384a54dc01bd16 |
memory/4688-49-0x00007FF716520000-0x00007FF716874000-memory.dmp
memory/5008-42-0x00007FF6AC040000-0x00007FF6AC394000-memory.dmp
memory/1652-38-0x00007FF663810000-0x00007FF663B64000-memory.dmp
memory/588-26-0x00007FF633230000-0x00007FF633584000-memory.dmp
C:\Windows\System\NoalAQd.exe
| MD5 | 04aaf2afda0c579aa2bb3aaa9a7af828 |
| SHA1 | bff99949c9220d922cfddb2a89ec22701d0f7557 |
| SHA256 | 219f122d1df30cff755a89066c8d29e16e0a2c6c01b20d1e1fd49628bf7089a0 |
| SHA512 | 9b5edf26422525b833c8f93551c6fc688140b848948880c29995cbfb6aacbf671cc275af721585b5e4a2e13e5e5c94d504098023b4a2926b04f22204c05152fe |
C:\Windows\System\IRpOKeL.exe
| MD5 | ecab78c9b8c30c28b0032980329cfbe7 |
| SHA1 | 8e9b679a75cc84930da8c6573a2f5140a39f136e |
| SHA256 | 5dcc60e53bb30bc19a30a0226ca8ae1dcf31f000131ff55836d29cf283f860a0 |
| SHA512 | f2acef3da5d608b9b9362f91e07d92ad469645b454ecf458a47b87cc64ec15fad7816d53b4fb494c16d1db39c13d314e5c53f119ffc346ef3bb1ea45841882c5 |
memory/4172-78-0x00007FF6E9CD0000-0x00007FF6EA024000-memory.dmp
memory/3584-72-0x00007FF76A8B0000-0x00007FF76AC04000-memory.dmp
C:\Windows\System\tgfWTfS.exe
| MD5 | f22fda7cf7028ec7ed71adf51c89268f |
| SHA1 | ea7dc58a0ff5315d700220aa71a7af2e85cc043d |
| SHA256 | 360b5da5785d71d1f73b332e59c74139cb8ccc06c19cf19fa5163f0c4254c052 |
| SHA512 | edca5b368da7746820e2bd888749e9b2547ebd8225cf250712672cade73b5f0e40cd2d570e82272c5d1fb827863355b2eea2d7719d907614b66e7633a9b13f8e |
C:\Windows\System\BndfJif.exe
| MD5 | d4215261c237c5bb8978ab8f5ea35252 |
| SHA1 | 5b361c6c0758fbf6ecd45a22dc1afac072c799d9 |
| SHA256 | d89673898dc360e61606e61722d8a34469090c0c6de6101c36ce30da0a1a4dae |
| SHA512 | 35db2fc59cb3fe0f3ec6d9de22eddf67ea49c1830f01f89a65970afd9a6a081a9f6945edda06f47adcc8006512539882fa01aac458f91927d3d6e62e6ff223c5 |
memory/2264-88-0x00007FF7BF2E0000-0x00007FF7BF634000-memory.dmp
memory/2212-92-0x00007FF6495C0000-0x00007FF649914000-memory.dmp
C:\Windows\System\YhrMxek.exe
| MD5 | f6a4d6f04a8c85a1e43b6259bc051ba6 |
| SHA1 | 77e1778d6b5f9d8723a6bca8088c645bc3808530 |
| SHA256 | 9b2f24979780d26ec01826b6df11867041daa500dfd2d8bdc024b11155348f19 |
| SHA512 | a8062ccecbe3e2aaf62f7c5f6db58cf271ea95513184eb399785dd2a61567d4d72aeda50c91d3da1a505c99cabab54aae5b8500cce087120d4cc19f53b427788 |
C:\Windows\System\UOAQHXR.exe
| MD5 | 9e0884ab8e9633422ac425be6d3e8a21 |
| SHA1 | 74e3feaabc5c4eabd560a3a8b03b41f8e9687ea0 |
| SHA256 | 9c414d5ae29d578c5148d40ebf4589d1aa450bb23f4b20b758b20ba5d6ca53b2 |
| SHA512 | 16af839d8fac05283e2674c6cca1c11e9010f98005195a30e13f23e7a6c2854de9a3ef80ac42ca8c5aba5c2800db857a85ac3a02d22d688cfa8c10f0122b36b1 |
memory/4860-98-0x00007FF752D80000-0x00007FF7530D4000-memory.dmp
memory/3216-95-0x00007FF65D780000-0x00007FF65DAD4000-memory.dmp
memory/3992-77-0x00007FF607900000-0x00007FF607C54000-memory.dmp
C:\Windows\System\ypwFQvv.exe
| MD5 | 9292028ce0e8d14d3b6968919bf646c8 |
| SHA1 | 33c468b2fc3a921dc8bf10ae6d2794b6c5a0e300 |
| SHA256 | 78eb2e2d59201643e492bc3fd22bd9b59d4b287d6d315c39c81f72217ec29758 |
| SHA512 | 0f9d4f72ba9865d0652c61fc09316a9cab338e4e39b373f1d99b0b670b13b7341232a614c59fbc139288e208591de22c6bc395e6f9602587fcaa0cad89aa3dd5 |
memory/2496-107-0x00007FF6048E0000-0x00007FF604C34000-memory.dmp
C:\Windows\System\idBiwaO.exe
| MD5 | 893b192de4ab62dd01aaf5e15a11e8ff |
| SHA1 | 0648d141248c10c482985b82c3bc38ab4fa6bcda |
| SHA256 | dc8160cc265da5bb4f62dd628f112a583ad774780bbb398852432ba9faa1b52f |
| SHA512 | f33ec6791b5db34f15b7030383e619b9214fe6406b7dfc8bd46f1ed177dbef2a26a1796fec3b76d37bffa358b0b2d172ed45a00d0f9b52fa3da90e9f37a5ea17 |
memory/3732-105-0x00007FF7084D0000-0x00007FF708824000-memory.dmp
memory/2848-111-0x00007FF7D1050000-0x00007FF7D13A4000-memory.dmp
C:\Windows\System\nwrzkJB.exe
| MD5 | 102b8337e82b71299519126ec765cbf3 |
| SHA1 | 0de4bf5de3812c29f55b3fc73c37422fc6d1dd59 |
| SHA256 | bf84aa2d3d00c7606eef3da7d2d25856562cf7657033c356d7b69a1848a993e5 |
| SHA512 | cd2b8bb02e9a50e86ff5aebb0e585153ac57f11a81f3466b2257c92d60e1d517617cf2186201e9bad414989a445ce90b9a6c88743a0de83c28722276f45463ce |
memory/4728-125-0x00007FF7C3970000-0x00007FF7C3CC4000-memory.dmp
C:\Windows\System\IMNddgG.exe
| MD5 | c5c38ada3d1c712d0a85fd1e4e9add27 |
| SHA1 | e402dc3bb9ebe23aa0a839025a4f643c1447634d |
| SHA256 | 41c6e0c4e139c71372eac7d76739b5aa33be0297832e1c0b8c86412fa4c3bfb0 |
| SHA512 | f6792bdb064f92524cac42e42ef3015d910157934329bb5c0c55253babb11ef0b23dc44796e1f190ab6a528da5b198ba1d4a7994a07624939e5ef7bb362f043e |
C:\Windows\System\uuASpvp.exe
| MD5 | c39a88172b9f7311761b7fe7c26ae7bc |
| SHA1 | 69228d6f9005813c58ac2902b5b157b25e0b8ace |
| SHA256 | 8e28a53bf4acc0946a91f4dc85538227442f847d64d3c97c66fc68e838d32e01 |
| SHA512 | c26291a328f0de612d5035bc4e2ed62b6cb2643f13b155e755e2976351364ffa3b4681489e52c81f9145be01ad2e1ade2e1e6633bf8dc341356ecaa0ff27eb69 |
memory/4688-128-0x00007FF716520000-0x00007FF716874000-memory.dmp
memory/4260-126-0x00007FF60A3C0000-0x00007FF60A714000-memory.dmp
memory/5008-121-0x00007FF6AC040000-0x00007FF6AC394000-memory.dmp
memory/1652-120-0x00007FF663810000-0x00007FF663B64000-memory.dmp
memory/588-119-0x00007FF633230000-0x00007FF633584000-memory.dmp
memory/5000-113-0x00007FF6B0120000-0x00007FF6B0474000-memory.dmp
memory/4948-134-0x00007FF66A490000-0x00007FF66A7E4000-memory.dmp
memory/4968-135-0x00007FF6F8C10000-0x00007FF6F8F64000-memory.dmp
memory/2804-136-0x00007FF7A7340000-0x00007FF7A7694000-memory.dmp
memory/4788-137-0x00007FF6CEC80000-0x00007FF6CEFD4000-memory.dmp
memory/3992-138-0x00007FF607900000-0x00007FF607C54000-memory.dmp
memory/2212-139-0x00007FF6495C0000-0x00007FF649914000-memory.dmp
memory/4860-140-0x00007FF752D80000-0x00007FF7530D4000-memory.dmp
memory/4728-141-0x00007FF7C3970000-0x00007FF7C3CC4000-memory.dmp
memory/4260-142-0x00007FF60A3C0000-0x00007FF60A714000-memory.dmp
memory/1668-143-0x00007FF6EBD40000-0x00007FF6EC094000-memory.dmp
memory/3732-144-0x00007FF7084D0000-0x00007FF708824000-memory.dmp
memory/2848-145-0x00007FF7D1050000-0x00007FF7D13A4000-memory.dmp
memory/588-146-0x00007FF633230000-0x00007FF633584000-memory.dmp
memory/1652-147-0x00007FF663810000-0x00007FF663B64000-memory.dmp
memory/5008-148-0x00007FF6AC040000-0x00007FF6AC394000-memory.dmp
memory/4688-149-0x00007FF716520000-0x00007FF716874000-memory.dmp
memory/4788-151-0x00007FF6CEC80000-0x00007FF6CEFD4000-memory.dmp
memory/2804-150-0x00007FF7A7340000-0x00007FF7A7694000-memory.dmp
memory/4948-152-0x00007FF66A490000-0x00007FF66A7E4000-memory.dmp
memory/3584-153-0x00007FF76A8B0000-0x00007FF76AC04000-memory.dmp
memory/3216-154-0x00007FF65D780000-0x00007FF65DAD4000-memory.dmp
memory/2264-155-0x00007FF7BF2E0000-0x00007FF7BF634000-memory.dmp
memory/3992-156-0x00007FF607900000-0x00007FF607C54000-memory.dmp
memory/2212-157-0x00007FF6495C0000-0x00007FF649914000-memory.dmp
memory/4860-158-0x00007FF752D80000-0x00007FF7530D4000-memory.dmp
memory/2496-159-0x00007FF6048E0000-0x00007FF604C34000-memory.dmp
memory/5000-160-0x00007FF6B0120000-0x00007FF6B0474000-memory.dmp
memory/4728-161-0x00007FF7C3970000-0x00007FF7C3CC4000-memory.dmp
memory/4968-162-0x00007FF6F8C10000-0x00007FF6F8F64000-memory.dmp
memory/4260-163-0x00007FF60A3C0000-0x00007FF60A714000-memory.dmp