Analysis Overview
SHA256
ac50e7ca93e199e177e6471425847e4ebc9a25214c96896985a726ec9493db22
Threat Level: Known bad
The file 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
Cobaltstrike
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
xmrig
Detects Reflective DLL injection artifacts
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-08 12:36
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 12:36
Reported
2024-06-08 12:39
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LosdpiY.exe | N/A |
| N/A | N/A | C:\Windows\System\vmyXzRf.exe | N/A |
| N/A | N/A | C:\Windows\System\OTEuVUz.exe | N/A |
| N/A | N/A | C:\Windows\System\rZrJwOZ.exe | N/A |
| N/A | N/A | C:\Windows\System\PjnmIzj.exe | N/A |
| N/A | N/A | C:\Windows\System\vLkwPoc.exe | N/A |
| N/A | N/A | C:\Windows\System\feXqrgt.exe | N/A |
| N/A | N/A | C:\Windows\System\CYXzbAc.exe | N/A |
| N/A | N/A | C:\Windows\System\ockHrkR.exe | N/A |
| N/A | N/A | C:\Windows\System\uiGiUxh.exe | N/A |
| N/A | N/A | C:\Windows\System\xJrTfZK.exe | N/A |
| N/A | N/A | C:\Windows\System\ANHofLM.exe | N/A |
| N/A | N/A | C:\Windows\System\nPMUIIh.exe | N/A |
| N/A | N/A | C:\Windows\System\TZNBWyH.exe | N/A |
| N/A | N/A | C:\Windows\System\GWQHzhT.exe | N/A |
| N/A | N/A | C:\Windows\System\NsTndpb.exe | N/A |
| N/A | N/A | C:\Windows\System\uoqkODq.exe | N/A |
| N/A | N/A | C:\Windows\System\kxMwVhj.exe | N/A |
| N/A | N/A | C:\Windows\System\XrAyDHM.exe | N/A |
| N/A | N/A | C:\Windows\System\INKZVkb.exe | N/A |
| N/A | N/A | C:\Windows\System\FprZOuL.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\LosdpiY.exe | C:\Windows\System\LosdpiY.exe |
| C:\Windows\System\vmyXzRf.exe | C:\Windows\System\vmyXzRf.exe |
| C:\Windows\System\rZrJwOZ.exe | C:\Windows\System\rZrJwOZ.exe |
| C:\Windows\System\OTEuVUz.exe | C:\Windows\System\OTEuVUz.exe |
| C:\Windows\System\PjnmIzj.exe | C:\Windows\System\PjnmIzj.exe |
| C:\Windows\System\vLkwPoc.exe | C:\Windows\System\vLkwPoc.exe |
| C:\Windows\System\feXqrgt.exe | C:\Windows\System\feXqrgt.exe |
| C:\Windows\System\CYXzbAc.exe | C:\Windows\System\CYXzbAc.exe |
| C:\Windows\System\ockHrkR.exe | C:\Windows\System\ockHrkR.exe |
| C:\Windows\System\uiGiUxh.exe | C:\Windows\System\uiGiUxh.exe |
| C:\Windows\System\xJrTfZK.exe | C:\Windows\System\xJrTfZK.exe |
| C:\Windows\System\ANHofLM.exe | C:\Windows\System\ANHofLM.exe |
| C:\Windows\System\nPMUIIh.exe | C:\Windows\System\nPMUIIh.exe |
| C:\Windows\System\TZNBWyH.exe | C:\Windows\System\TZNBWyH.exe |
| C:\Windows\System\GWQHzhT.exe | C:\Windows\System\GWQHzhT.exe |
| C:\Windows\System\NsTndpb.exe | C:\Windows\System\NsTndpb.exe |
| C:\Windows\System\uoqkODq.exe | C:\Windows\System\uoqkODq.exe |
| C:\Windows\System\kxMwVhj.exe | C:\Windows\System\kxMwVhj.exe |
| C:\Windows\System\XrAyDHM.exe | C:\Windows\System\XrAyDHM.exe |
| C:\Windows\System\INKZVkb.exe | C:\Windows\System\INKZVkb.exe |
| C:\Windows\System\FprZOuL.exe | C:\Windows\System\FprZOuL.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 201.201.50.20.in-addr.arpa | udp |
Files
C:\Windows\System\LosdpiY.exe
| MD5 | 4269671564194ae52627ee0884990d8b |
| SHA1 | 56dde78423e7b6b41fc7eb8589341d1013ae006d |
| SHA256 | 2cf747115782882e6e42a9bb97a714d04766c6b8b5a7b76a766c71ba588f2e27 |
| SHA512 | 33cf6bf4528bbfc4c5901b99fcf9fe5b0447c82bd856f592ea4fbeeefd7e75a5c13887dbb3ea69da5df3bf9a021d3293f4618f4416c2c91cdfa4b92e78a31d44 |
C:\Windows\System\vmyXzRf.exe
| MD5 | 9c5d32c4afc1843e52b82ebb7e9649e1 |
| SHA1 | 47fcde724542a6c741ea1efcba5661220b6f0883 |
| SHA256 | eef194d431eb488b5ef87ae1228c290ad61b4a44b76ed0f98790cd14400014d6 |
| SHA512 | 1fb9d100536ff158fd560cb794f1fe1187acb61e3fb01baa2dcd723cee5ab0ef9b5f83b4897a8566350a5eb80ba13950905e42b825a91fe7b97e294420d091ce |
C:\Windows\System\vLkwPoc.exe
| MD5 | 85c2fe618f37eb8c0cc26c9154dacc96 |
| SHA1 | f63dc625b904d4957620c3007544eb241889eca3 |
| SHA256 | eaa064bd4f46f781f706f72f4d027294c4eddb9cab80cf4e48203e6ca8992466 |
| SHA512 | a7a59831841d42c7627136a08c42b97776ae2e64b0479975cffde387132bc04b01ec108861c8a9ed2cde8507ba21d1fa4fd91b114443e350dec8accffd4cb111 |
C:\Windows\System\CYXzbAc.exe
| MD5 | dc0a94eaf1bca21ffb15febc1f15ef55 |
| SHA1 | fc4d6c637075d64e386489ce99c052f38e01eb59 |
| SHA256 | c3b609e2f24b547f24d9ceceeeb78d4b968180a9e5db097f669bbba4ea0b55af |
| SHA512 | c4f5bb7817fcbb94484621de05cce06c972a530a45f2ea96f7f683cbd4cdc0468bc8ced9ca0b231b2d77d7b77b6b2f798aa4fd4f155da20919d91e20eae91d85 |
C:\Windows\System\uiGiUxh.exe
| MD5 | 8c531b0dcd171ffc991f2e2312f51d2e |
| SHA1 | 89f73bd4b3a19a155d825edec277aefa2de336ee |
| SHA256 | ef37e14cdd80db96b4a4fdba3fc1b5d6b2697d2f625b3e0678a2cf62f389fd75 |
| SHA512 | b6d9fc197c4b38acd5751380f2452ce77bbfb9fa8e58fe34833ca9468195502658e48344ab19cc9d0d2e214185e9eeb5fb7886ee1f4a49798da87b1173ea37a8 |
C:\Windows\System\xJrTfZK.exe
| MD5 | dac460e7570b4e722974a9e9528580b0 |
| SHA1 | 13d9a0c59ef87874120d9591f7c1583390cbc807 |
| SHA256 | b79747208bd7d2ce13d244b83446b5f52bc76bc1fe2ec0ee80fa1c4307931c18 |
| SHA512 | 015f5a38666b8cd897aa3ec5157860e4d40a08618219b61a0796634ec48e4641b7dc642ff6340234973bbe438f3cf355b939bd86be84ddc318f7ea623fef0002 |
C:\Windows\System\ockHrkR.exe
| MD5 | e2b0d46ecc1b6526fa3897e098ff087e |
| SHA1 | f95d71d3510b8115cc2fb1daf289e796d38582a3 |
| SHA256 | 21bc417b4d29781b0cb421595f360571bbc0b3964ec1343d98f9c36035b22001 |
| SHA512 | 6fe7448fe051cdffaec1ed37acede9de191b70b9da103ea23a31d33bc9bee0f07f5128b269e0aba036588e08a77766f615f70b83a9cf72c9e53062d0f7a5ee81 |
C:\Windows\System\feXqrgt.exe
| MD5 | 719013a90d2522d6ad78aa918b0531ba |
| SHA1 | 0007555e2e199cc5ea75dfe08992979486a09400 |
| SHA256 | 6c9b05d1e12e2ebfc4cc81d6638100f4d0c15a5445cda3f637f0138b121c1917 |
| SHA512 | d4a4248f150481db28892ce64f90b92dfe548a6b2ec4e2f2b92c88701c3b9ed232ecf1dea06452c0244889474c9f702c844932e1c9cd4695063e74103ffc2555 |
C:\Windows\System\PjnmIzj.exe
| MD5 | 32466adffb1861a1c881bdc9c4dccb24 |
| SHA1 | 634d0e69e9502ee2d60a1a0df2128780d5b4ec33 |
| SHA256 | ad6687e517016abff65051e8a000d39586de101c1860199a39a96c1a76b42406 |
| SHA512 | 48477f85b7583ce04d4a597caa8fd86ede4be2c98ccae431f5a943e154b270eb52a48fae8ad909237dd25e3303503b67ecfd09fbe54b5a65177101e2fbe3346e |
C:\Windows\System\rZrJwOZ.exe
| MD5 | ff5e3f1f47ed732e045ec4845aa67984 |
| SHA1 | a87ef7421b17b26b50c98e1c1c14a35b1e03a127 |
| SHA256 | ba65667d5bb0c3c619c3cebf8fdda08e915513db94da09997aff91a2eb99fa7e |
| SHA512 | e54cfc6286fb7b703e718113db05a7cc72a3749eca9f9026df1a4afbb1dac0c690dae1010fadf6e5ccc919e0c798a2073ecc94fd2ac0540d1aa6a9e2467d786b |
C:\Windows\System\OTEuVUz.exe
| MD5 | 93601547a84534600b3005f8985281a5 |
| SHA1 | 3acd3c8cf38e0614fd4c69579e1bcf8f4522b8db |
| SHA256 | e6d879a078fb7608f948817667060f20c1d4c0155f343cd98ae6d02dd34acda4 |
| SHA512 | 75963bf81952a33478ef6f6fa39057e0f6da644c3a235bd426f8a16953381d0691ce5f27e09aa11c4fd86252a314c93d98b2b3a1f1365e7b714f28607d4ceadf |
C:\Windows\System\ANHofLM.exe
| MD5 | 764a81c5dc9a890dfbf1dca4dc603729 |
| SHA1 | 5022f5f67a089f6c0fd9ffd0816e3f412f71f80b |
| SHA256 | 53d942ea337fef3d832c2cf10915323fee4ce5bdbb0e4ddfb93733a542294349 |
| SHA512 | 396fd14a6afb1fd4767238e6903abbd9e002abc45eb2c12d4b6345a24e86a19f6b263e86b9d446cb6bda55d88c5bbb2611242a44ae7d6768bbff4818f7d53a9c |
C:\Windows\System\nPMUIIh.exe
| MD5 | 6af5ce0049c5a0226b3d792cc6653354 |
| SHA1 | cfb0d8133dfd0f938aa7f16e860f467f989e81b0 |
| SHA256 | 5e82da46d4ba995c6a79111579d809400d0655e3c08f0286835564ce82487a17 |
| SHA512 | 14b29b6101bc9a6a3c4c1d36d45d3d799b43799fb35254bf10178d65c647ecc0ba39ef5c6aee3b6afba6d55b8f36a0ec803c5b315193c377e7d47bcf430b1999 |
C:\Windows\System\TZNBWyH.exe
| MD5 | eb090510d87cda9f5a1579175d8c80b9 |
| SHA1 | ea6ad65017d223b5e030d6ab8c777b997378f0ea |
| SHA256 | 8f08027c2b7f6137a444fae9ae20ebd8088c086a67febeb9da30aeecaba0ddc3 |
| SHA512 | 860dc651e18c4a8b743f609b7414c562bf7cdcf2da5a986b37a3ea7176737b16065f345d7f0361668a6f89933927122840f9eb3f7fe167173e777c860745fcc0 |
C:\Windows\System\GWQHzhT.exe
| MD5 | 83ebeb2c7ddee8c6b46597c6cd4df1fc |
| SHA1 | 345e338dbcabcf31fd23d51abd81a838bd7a6a14 |
| SHA256 | d4dfe76cb67512257720bc257cef10d435fadd23bd6e0472084305d2675138b2 |
| SHA512 | 0a7e7ebc7334972725b5852b628414ea2c236e598fe59dcc2bda881a64195472153043483f36270bb6a58927865e28bc0994294855bd7151071b6b0e7fe9d6a7 |
C:\Windows\System\NsTndpb.exe
| MD5 | 6d36d68da44d9c2d3f0c5f716e8cd6f9 |
| SHA1 | 22f58ffc8fa540630ba4293ca27abbf4c6627198 |
| SHA256 | ccab98ca5391dd5318f3e67f1158c5eea07d8d1ea1a174e65607e142db4ac20d |
| SHA512 | 0c72e698142cced620d312f2c95116f2f80f8c6b95f2064314869affd4f27cd24425dcd3861b82bcb7cca7ea24c20c60827139cfde5d07a100e4efff94dc0ea2 |
C:\Windows\System\uoqkODq.exe
| MD5 | cffff41f4fd9442c233323e29a5e38f3 |
| SHA1 | dc464c418e1ffed6e83d036651882852d417d046 |
| SHA256 | 3cb687c81d6a6af806fa887069a862f3ddb9637024beb35e4ebeb838881c45eb |
| SHA512 | 313810560aa3da4e478ff53b25c46b81a79077d1ce89cb2f6a14041e600a6bd490b75cc0687e524551a59d6a450bf3f4351438bd1898afd3853e17cf8b4b8c76 |
C:\Windows\System\kxMwVhj.exe
| MD5 | a973bd1746a972b361368f4bde6b6dca |
| SHA1 | f64a3847b02d53594f2a664e3b2e1d22663ff4d5 |
| SHA256 | d8c6b3116b1dfbabc790304ae2000eff1d74ec658b9f0c26338cd757768bb919 |
| SHA512 | a0713774bc5f6afe8cdb6749d796bb02d4043b27791e956cf61286c54145c427ac3a3ee284feee53ee86d02dfd1913459ea335d1fb99a082f8df42af93aedcb9 |
C:\Windows\System\XrAyDHM.exe
| MD5 | 95aa19f6dbdf29e2f55f139ce18cdfca |
| SHA1 | 2769ac0b4adaff43efdbcc2c6f53f034bbd0a2d1 |
| SHA256 | 6fc53f3a64bbe634348cf83d5b431e04c131ac10c86643b7c723fa442ed826c9 |
| SHA512 | a9debd3c32019da7f553bcfd600bff666ac7d24d42cf7ae419abec5514da45a669aa05ddde0743995c6632ace7fd0e885a41592abbbe4bf5c0a065ad1fbfe98b |
C:\Windows\System\FprZOuL.exe
| MD5 | e0362e3daa9efbeea66ca6a3c8234186 |
| SHA1 | 42631daa95f24113db2b8a045857679e8b923397 |
| SHA256 | 8f0bbf8ef3dd57d070a103d18247374d09c75640fb06f2a30308a667c6fe3eaf |
| SHA512 | a6ecf93b81a5da63060eaeab44d7a7af922cf009ea7408bb9b72a00cebdac4c8a5a1a29f50f03fd77c0868e8c66dde4513d21b765c659cdcab095517b6dd085b |
C:\Windows\System\INKZVkb.exe
| MD5 | 3081eb1f5fa8d417003a3d839bcf1f7f |
| SHA1 | 7d46fd4e1296e1ad234e2bac225903b5fa2d4506 |
| SHA256 | 1de95474feb63fbc5cfaadf591307fd0eee9cde0ae673b693a3ea6f60bae9e71 |
| SHA512 | 7d84e6b9c49bfd09006089eb63bca84d9999dd8e91ac930afd3dbb955f0b19c461c02ef320b918a1180cbe5aa202b64666ec273a96ad563ed3392cc723ab9ea6 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 12:36
Reported
2024-06-08 12:39
Platform
win7-20240221-en
Max time kernel
138s
Max time network
148s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LosdpiY.exe | N/A |
| N/A | N/A | C:\Windows\System\vmyXzRf.exe | N/A |
| N/A | N/A | C:\Windows\System\rZrJwOZ.exe | N/A |
| N/A | N/A | C:\Windows\System\OTEuVUz.exe | N/A |
| N/A | N/A | C:\Windows\System\PjnmIzj.exe | N/A |
| N/A | N/A | C:\Windows\System\vLkwPoc.exe | N/A |
| N/A | N/A | C:\Windows\System\feXqrgt.exe | N/A |
| N/A | N/A | C:\Windows\System\CYXzbAc.exe | N/A |
| N/A | N/A | C:\Windows\System\ockHrkR.exe | N/A |
| N/A | N/A | C:\Windows\System\uiGiUxh.exe | N/A |
| N/A | N/A | C:\Windows\System\xJrTfZK.exe | N/A |
| N/A | N/A | C:\Windows\System\ANHofLM.exe | N/A |
| N/A | N/A | C:\Windows\System\nPMUIIh.exe | N/A |
| N/A | N/A | C:\Windows\System\TZNBWyH.exe | N/A |
| N/A | N/A | C:\Windows\System\GWQHzhT.exe | N/A |
| N/A | N/A | C:\Windows\System\NsTndpb.exe | N/A |
| N/A | N/A | C:\Windows\System\uoqkODq.exe | N/A |
| N/A | N/A | C:\Windows\System\kxMwVhj.exe | N/A |
| N/A | N/A | C:\Windows\System\XrAyDHM.exe | N/A |
| N/A | N/A | C:\Windows\System\INKZVkb.exe | N/A |
| N/A | N/A | C:\Windows\System\FprZOuL.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\LosdpiY.exe | C:\Windows\System\LosdpiY.exe |
| C:\Windows\System\vmyXzRf.exe | C:\Windows\System\vmyXzRf.exe |
| C:\Windows\System\rZrJwOZ.exe | C:\Windows\System\rZrJwOZ.exe |
| C:\Windows\System\OTEuVUz.exe | C:\Windows\System\OTEuVUz.exe |
| C:\Windows\System\PjnmIzj.exe | C:\Windows\System\PjnmIzj.exe |
| C:\Windows\System\vLkwPoc.exe | C:\Windows\System\vLkwPoc.exe |
| C:\Windows\System\feXqrgt.exe | C:\Windows\System\feXqrgt.exe |
| C:\Windows\System\CYXzbAc.exe | C:\Windows\System\CYXzbAc.exe |
| C:\Windows\System\ockHrkR.exe | C:\Windows\System\ockHrkR.exe |
| C:\Windows\System\uiGiUxh.exe | C:\Windows\System\uiGiUxh.exe |
| C:\Windows\System\xJrTfZK.exe | C:\Windows\System\xJrTfZK.exe |
| C:\Windows\System\ANHofLM.exe | C:\Windows\System\ANHofLM.exe |
| C:\Windows\System\nPMUIIh.exe | C:\Windows\System\nPMUIIh.exe |
| C:\Windows\System\TZNBWyH.exe | C:\Windows\System\TZNBWyH.exe |
| C:\Windows\System\GWQHzhT.exe | C:\Windows\System\GWQHzhT.exe |
| C:\Windows\System\NsTndpb.exe | C:\Windows\System\NsTndpb.exe |
| C:\Windows\System\uoqkODq.exe | C:\Windows\System\uoqkODq.exe |
| C:\Windows\System\kxMwVhj.exe | C:\Windows\System\kxMwVhj.exe |
| C:\Windows\System\XrAyDHM.exe | C:\Windows\System\XrAyDHM.exe |
| C:\Windows\System\INKZVkb.exe | C:\Windows\System\INKZVkb.exe |
| C:\Windows\System\FprZOuL.exe | C:\Windows\System\FprZOuL.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1984-0-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/1984-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\vmyXzRf.exe
| MD5 | 9c5d32c4afc1843e52b82ebb7e9649e1 |
| SHA1 | 47fcde724542a6c741ea1efcba5661220b6f0883 |
| SHA256 | eef194d431eb488b5ef87ae1228c290ad61b4a44b76ed0f98790cd14400014d6 |
| SHA512 | 1fb9d100536ff158fd560cb794f1fe1187acb61e3fb01baa2dcd723cee5ab0ef9b5f83b4897a8566350a5eb80ba13950905e42b825a91fe7b97e294420d091ce |
C:\Windows\system\OTEuVUz.exe
| MD5 | 93601547a84534600b3005f8985281a5 |
| SHA1 | 3acd3c8cf38e0614fd4c69579e1bcf8f4522b8db |
| SHA256 | e6d879a078fb7608f948817667060f20c1d4c0155f343cd98ae6d02dd34acda4 |
| SHA512 | 75963bf81952a33478ef6f6fa39057e0f6da644c3a235bd426f8a16953381d0691ce5f27e09aa11c4fd86252a314c93d98b2b3a1f1365e7b714f28607d4ceadf |
C:\Windows\system\PjnmIzj.exe
| MD5 | 32466adffb1861a1c881bdc9c4dccb24 |
| SHA1 | 634d0e69e9502ee2d60a1a0df2128780d5b4ec33 |
| SHA256 | ad6687e517016abff65051e8a000d39586de101c1860199a39a96c1a76b42406 |
| SHA512 | 48477f85b7583ce04d4a597caa8fd86ede4be2c98ccae431f5a943e154b270eb52a48fae8ad909237dd25e3303503b67ecfd09fbe54b5a65177101e2fbe3346e |
C:\Windows\system\vLkwPoc.exe
| MD5 | 85c2fe618f37eb8c0cc26c9154dacc96 |
| SHA1 | f63dc625b904d4957620c3007544eb241889eca3 |
| SHA256 | eaa064bd4f46f781f706f72f4d027294c4eddb9cab80cf4e48203e6ca8992466 |
| SHA512 | a7a59831841d42c7627136a08c42b97776ae2e64b0479975cffde387132bc04b01ec108861c8a9ed2cde8507ba21d1fa4fd91b114443e350dec8accffd4cb111 |
memory/2620-36-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2912-25-0x000000013F270000-0x000000013F5C4000-memory.dmp
C:\Windows\system\feXqrgt.exe
| MD5 | 719013a90d2522d6ad78aa918b0531ba |
| SHA1 | 0007555e2e199cc5ea75dfe08992979486a09400 |
| SHA256 | 6c9b05d1e12e2ebfc4cc81d6638100f4d0c15a5445cda3f637f0138b121c1917 |
| SHA512 | d4a4248f150481db28892ce64f90b92dfe548a6b2ec4e2f2b92c88701c3b9ed232ecf1dea06452c0244889474c9f702c844932e1c9cd4695063e74103ffc2555 |
memory/2348-56-0x000000013F670000-0x000000013F9C4000-memory.dmp
C:\Windows\system\ockHrkR.exe
| MD5 | e2b0d46ecc1b6526fa3897e098ff087e |
| SHA1 | f95d71d3510b8115cc2fb1daf289e796d38582a3 |
| SHA256 | 21bc417b4d29781b0cb421595f360571bbc0b3964ec1343d98f9c36035b22001 |
| SHA512 | 6fe7448fe051cdffaec1ed37acede9de191b70b9da103ea23a31d33bc9bee0f07f5128b269e0aba036588e08a77766f615f70b83a9cf72c9e53062d0f7a5ee81 |
memory/2820-72-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/640-79-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2516-98-0x000000013F1C0000-0x000000013F514000-memory.dmp
C:\Windows\system\GWQHzhT.exe
| MD5 | 83ebeb2c7ddee8c6b46597c6cd4df1fc |
| SHA1 | 345e338dbcabcf31fd23d51abd81a838bd7a6a14 |
| SHA256 | d4dfe76cb67512257720bc257cef10d435fadd23bd6e0472084305d2675138b2 |
| SHA512 | 0a7e7ebc7334972725b5852b628414ea2c236e598fe59dcc2bda881a64195472153043483f36270bb6a58927865e28bc0994294855bd7151071b6b0e7fe9d6a7 |
C:\Windows\system\INKZVkb.exe
| MD5 | 3081eb1f5fa8d417003a3d839bcf1f7f |
| SHA1 | 7d46fd4e1296e1ad234e2bac225903b5fa2d4506 |
| SHA256 | 1de95474feb63fbc5cfaadf591307fd0eee9cde0ae673b693a3ea6f60bae9e71 |
| SHA512 | 7d84e6b9c49bfd09006089eb63bca84d9999dd8e91ac930afd3dbb955f0b19c461c02ef320b918a1180cbe5aa202b64666ec273a96ad563ed3392cc723ab9ea6 |
C:\Windows\system\XrAyDHM.exe
| MD5 | 95aa19f6dbdf29e2f55f139ce18cdfca |
| SHA1 | 2769ac0b4adaff43efdbcc2c6f53f034bbd0a2d1 |
| SHA256 | 6fc53f3a64bbe634348cf83d5b431e04c131ac10c86643b7c723fa442ed826c9 |
| SHA512 | a9debd3c32019da7f553bcfd600bff666ac7d24d42cf7ae419abec5514da45a669aa05ddde0743995c6632ace7fd0e885a41592abbbe4bf5c0a065ad1fbfe98b |
\Windows\system\FprZOuL.exe
| MD5 | e0362e3daa9efbeea66ca6a3c8234186 |
| SHA1 | 42631daa95f24113db2b8a045857679e8b923397 |
| SHA256 | 8f0bbf8ef3dd57d070a103d18247374d09c75640fb06f2a30308a667c6fe3eaf |
| SHA512 | a6ecf93b81a5da63060eaeab44d7a7af922cf009ea7408bb9b72a00cebdac4c8a5a1a29f50f03fd77c0868e8c66dde4513d21b765c659cdcab095517b6dd085b |
C:\Windows\system\kxMwVhj.exe
| MD5 | a973bd1746a972b361368f4bde6b6dca |
| SHA1 | f64a3847b02d53594f2a664e3b2e1d22663ff4d5 |
| SHA256 | d8c6b3116b1dfbabc790304ae2000eff1d74ec658b9f0c26338cd757768bb919 |
| SHA512 | a0713774bc5f6afe8cdb6749d796bb02d4043b27791e956cf61286c54145c427ac3a3ee284feee53ee86d02dfd1913459ea335d1fb99a082f8df42af93aedcb9 |
C:\Windows\system\uoqkODq.exe
| MD5 | cffff41f4fd9442c233323e29a5e38f3 |
| SHA1 | dc464c418e1ffed6e83d036651882852d417d046 |
| SHA256 | 3cb687c81d6a6af806fa887069a862f3ddb9637024beb35e4ebeb838881c45eb |
| SHA512 | 313810560aa3da4e478ff53b25c46b81a79077d1ce89cb2f6a14041e600a6bd490b75cc0687e524551a59d6a450bf3f4351438bd1898afd3853e17cf8b4b8c76 |
C:\Windows\system\NsTndpb.exe
| MD5 | 6d36d68da44d9c2d3f0c5f716e8cd6f9 |
| SHA1 | 22f58ffc8fa540630ba4293ca27abbf4c6627198 |
| SHA256 | ccab98ca5391dd5318f3e67f1158c5eea07d8d1ea1a174e65607e142db4ac20d |
| SHA512 | 0c72e698142cced620d312f2c95116f2f80f8c6b95f2064314869affd4f27cd24425dcd3861b82bcb7cca7ea24c20c60827139cfde5d07a100e4efff94dc0ea2 |
memory/1984-107-0x0000000002440000-0x0000000002794000-memory.dmp
memory/2692-100-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2584-99-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2664-93-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/1984-92-0x000000013F050000-0x000000013F3A4000-memory.dmp
C:\Windows\system\nPMUIIh.exe
| MD5 | 6af5ce0049c5a0226b3d792cc6653354 |
| SHA1 | cfb0d8133dfd0f938aa7f16e860f467f989e81b0 |
| SHA256 | 5e82da46d4ba995c6a79111579d809400d0655e3c08f0286835564ce82487a17 |
| SHA512 | 14b29b6101bc9a6a3c4c1d36d45d3d799b43799fb35254bf10178d65c647ecc0ba39ef5c6aee3b6afba6d55b8f36a0ec803c5b315193c377e7d47bcf430b1999 |
C:\Windows\system\TZNBWyH.exe
| MD5 | eb090510d87cda9f5a1579175d8c80b9 |
| SHA1 | ea6ad65017d223b5e030d6ab8c777b997378f0ea |
| SHA256 | 8f08027c2b7f6137a444fae9ae20ebd8088c086a67febeb9da30aeecaba0ddc3 |
| SHA512 | 860dc651e18c4a8b743f609b7414c562bf7cdcf2da5a986b37a3ea7176737b16065f345d7f0361668a6f89933927122840f9eb3f7fe167173e777c860745fcc0 |
memory/1984-95-0x0000000002440000-0x0000000002794000-memory.dmp
memory/1984-78-0x0000000002440000-0x0000000002794000-memory.dmp
memory/2912-77-0x000000013F270000-0x000000013F5C4000-memory.dmp
C:\Windows\system\xJrTfZK.exe
| MD5 | dac460e7570b4e722974a9e9528580b0 |
| SHA1 | 13d9a0c59ef87874120d9591f7c1583390cbc807 |
| SHA256 | b79747208bd7d2ce13d244b83446b5f52bc76bc1fe2ec0ee80fa1c4307931c18 |
| SHA512 | 015f5a38666b8cd897aa3ec5157860e4d40a08618219b61a0796634ec48e4641b7dc642ff6340234973bbe438f3cf355b939bd86be84ddc318f7ea623fef0002 |
memory/1356-84-0x000000013FC40000-0x000000013FF94000-memory.dmp
C:\Windows\system\ANHofLM.exe
| MD5 | 764a81c5dc9a890dfbf1dca4dc603729 |
| SHA1 | 5022f5f67a089f6c0fd9ffd0816e3f412f71f80b |
| SHA256 | 53d942ea337fef3d832c2cf10915323fee4ce5bdbb0e4ddfb93733a542294349 |
| SHA512 | 396fd14a6afb1fd4767238e6903abbd9e002abc45eb2c12d4b6345a24e86a19f6b263e86b9d446cb6bda55d88c5bbb2611242a44ae7d6768bbff4818f7d53a9c |
memory/1984-71-0x000000013F270000-0x000000013F5C4000-memory.dmp
C:\Windows\system\uiGiUxh.exe
| MD5 | 8c531b0dcd171ffc991f2e2312f51d2e |
| SHA1 | 89f73bd4b3a19a155d825edec277aefa2de336ee |
| SHA256 | ef37e14cdd80db96b4a4fdba3fc1b5d6b2697d2f625b3e0678a2cf62f389fd75 |
| SHA512 | b6d9fc197c4b38acd5751380f2452ce77bbfb9fa8e58fe34833ca9468195502658e48344ab19cc9d0d2e214185e9eeb5fb7886ee1f4a49798da87b1173ea37a8 |
memory/2428-65-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/1984-64-0x000000013F100000-0x000000013F454000-memory.dmp
memory/1984-63-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2524-51-0x000000013F570000-0x000000013F8C4000-memory.dmp
C:\Windows\system\CYXzbAc.exe
| MD5 | dc0a94eaf1bca21ffb15febc1f15ef55 |
| SHA1 | fc4d6c637075d64e386489ce99c052f38e01eb59 |
| SHA256 | c3b609e2f24b547f24d9ceceeeb78d4b968180a9e5db097f669bbba4ea0b55af |
| SHA512 | c4f5bb7817fcbb94484621de05cce06c972a530a45f2ea96f7f683cbd4cdc0468bc8ced9ca0b231b2d77d7b77b6b2f798aa4fd4f155da20919d91e20eae91d85 |
memory/1984-47-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/1984-24-0x0000000002440000-0x0000000002794000-memory.dmp
memory/1984-20-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2584-42-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2516-41-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2588-34-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/1984-30-0x0000000002440000-0x0000000002794000-memory.dmp
C:\Windows\system\rZrJwOZ.exe
| MD5 | ff5e3f1f47ed732e045ec4845aa67984 |
| SHA1 | a87ef7421b17b26b50c98e1c1c14a35b1e03a127 |
| SHA256 | ba65667d5bb0c3c619c3cebf8fdda08e915513db94da09997aff91a2eb99fa7e |
| SHA512 | e54cfc6286fb7b703e718113db05a7cc72a3749eca9f9026df1a4afbb1dac0c690dae1010fadf6e5ccc919e0c798a2073ecc94fd2ac0540d1aa6a9e2467d786b |
memory/1984-28-0x000000013F340000-0x000000013F694000-memory.dmp
memory/1984-27-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/3044-15-0x000000013F100000-0x000000013F454000-memory.dmp
memory/1984-11-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2348-138-0x000000013F670000-0x000000013F9C4000-memory.dmp
C:\Windows\system\LosdpiY.exe
| MD5 | 4269671564194ae52627ee0884990d8b |
| SHA1 | 56dde78423e7b6b41fc7eb8589341d1013ae006d |
| SHA256 | 2cf747115782882e6e42a9bb97a714d04766c6b8b5a7b76a766c71ba588f2e27 |
| SHA512 | 33cf6bf4528bbfc4c5901b99fcf9fe5b0447c82bd856f592ea4fbeeefd7e75a5c13887dbb3ea69da5df3bf9a021d3293f4618f4416c2c91cdfa4b92e78a31d44 |
memory/1984-139-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/1984-140-0x0000000002440000-0x0000000002794000-memory.dmp
memory/640-141-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/1356-142-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2692-143-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/3044-144-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2588-145-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2912-146-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2620-147-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2516-148-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2584-149-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2524-150-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2348-151-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/2428-152-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2820-153-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/640-155-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/1356-154-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2664-156-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2692-157-0x000000013F930000-0x000000013FC84000-memory.dmp
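The Processes, Network and Files sections above are what an analyst turns into blocklist and hunt input: the SHA256 of each dropped executable, the 3.120.209.58:8080 endpoint, and the naming pattern of the payloads (seven mixed-case letters directly under C:\Windows\System, not System32). The script below is an added example, not the sandbox's own tooling, that parses a report excerpt in the format printed on this page into a machine-readable IOC set and applies that naming check. REPORT_EXCERPT is a constructed, shortened copy of the sections above: the paths, hashes and address are the ones printed on the page, but only two dropped processes and two hashed files are kept. Paths the report prints without a drive letter are assumed to be on C:, and the parser locates network cells by content because the report's Proto value is sometimes printed in the Domain column.

```python
"""Added example, not the sandbox's own tooling: parse a report excerpt in the
format printed on this page into an IOC set, and apply the naming check a
hunter would run over endpoint file telemetry.

REPORT_EXCERPT is a constructed, shortened copy of the page's Processes,
Network and Files sections. Drive-less paths are assumed to be on C:.
"""
import re
from dataclasses import dataclass, field

REPORT_EXCERPT = r"""
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\LosdpiY.exe
C:\Windows\System\LosdpiY.exe
C:\Windows\System\vmyXzRf.exe
C:\Windows\System\vmyXzRf.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | tcp | |
Files
memory/1984-0-0x000000013FBC0000-0x000000013FF14000-memory.dmp
\Windows\system\vmyXzRf.exe
| MD5 | 9c5d32c4afc1843e52b82ebb7e9649e1 |
| SHA1 | 47fcde724542a6c741ea1efcba5661220b6f0883 |
| SHA256 | eef194d431eb488b5ef87ae1228c290ad61b4a44b76ed0f98790cd14400014d6 |
C:\Windows\system\OTEuVUz.exe
| MD5 | 93601547a84534600b3005f8985281a5 |
| SHA256 | e6d879a078fb7608f948817667060f20c1d4c0155f343cd98ae6d02dd34acda4 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DEST = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
FILE_PATH = re.compile(r"^(?:[A-Za-z]:)?\\")          # "C:\..." or "\Windows\..."
SYSTEM_EXE = re.compile(r"^C:\\Windows\\System\\([A-Za-z]{7})\.exe$", re.I)
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class Report:
    processes: list = field(default_factory=list)
    network: set = field(default_factory=set)          # (ip, port, proto)
    files: dict = field(default_factory=dict)          # path -> {algo: digest}


def normalize_path(path: str) -> str:
    """The report prints some dropped files as \\Windows\\...; assume drive C:."""
    return "C:" + path if path.startswith("\\") else path


def parse_net_row(line: str):
    """Locate cells by content: the report sometimes prints the protocol in the
    Domain column, so column position cannot be trusted."""
    cells = [c.strip() for c in line.strip("|").split("|")]
    dest = next((m for m in map(DEST.match, cells) if m), None)
    proto = next((c.lower() for c in cells if c.lower() in ("tcp", "udp")), None)
    if dest and proto:
        return dest.group(1), int(dest.group(2)), proto
    return None


def parse_report(text: str) -> Report:
    rep, section, current = Report(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("Processes", "Network", "Files"):
            section, current = line, None
        elif section == "Processes":
            # Each process is printed twice: image path, then command line
            # (quoted for the initial sample); keep one entry per image path.
            if not line.startswith('"') and line not in rep.processes:
                rep.processes.append(line)
        elif section == "Network":
            row = parse_net_row(line)
            if row:
                rep.network.add(row)
        elif section == "Files":
            if line.startswith("memory/"):
                current = None                     # memory dumps carry no hashes
            elif FILE_PATH.match(line):
                current = normalize_path(line)
                rep.files.setdefault(current, {})
            elif current and (m := HASH_ROW.match(line)):
                algo, digest = m.group(1), m.group(2).lower()
                if len(digest) != HASH_LEN[algo]:
                    raise ValueError(f"bad {algo} length for {current}")
                rep.files[current][algo] = digest
    return rep


def looks_random_system_name(path: str) -> bool:
    """Seven mixed-case letters directly under C:\\Windows\\System (not System32),
    the naming pattern of every executable this sample drops."""
    m = SYSTEM_EXE.match(path)
    return bool(m) and m.group(1) != m.group(1).lower() and m.group(1) != m.group(1).upper()


def ioc_set(rep: Report) -> dict:
    return {
        "sha256": {h["SHA256"] for h in rep.files.values() if "SHA256" in h},
        "c2": {f"{ip}:{port}/{proto}" for ip, port, proto in rep.network},
        "dropped_paths": sorted(p for p in rep.processes if looks_random_system_name(p)),
    }


if __name__ == "__main__":
    for key, value in ioc_set(parse_report(REPORT_EXCERPT)).items():
        print(key, sorted(value))
```

Feed the full page text instead of REPORT_EXCERPT to get all 21 dropped paths and their hashes; the digest-length check catches truncated rows, which happen when a table is copied out of a rendered page.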