Analysis Overview
SHA256
fa6175780620e6730632b9cc4adcc4f4b40785fab98ce076d6fc492fcf86f6a4
Threat Level: Known bad
The file 2024-06-08_e01a5af1ad156d6d8fe4e476f94e1a09_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike
Xmrig family
XMRig Miner payload
Cobaltstrike family
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 21:17
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 21:17
Reported
2024-06-08 21:19
Platform
win10v2004-20240426-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\MNYmyLj.exe | N/A |
| N/A | N/A | C:\Windows\System\TVlNCwG.exe | N/A |
| N/A | N/A | C:\Windows\System\QRVxBHE.exe | N/A |
| N/A | N/A | C:\Windows\System\JjmWPTY.exe | N/A |
| N/A | N/A | C:\Windows\System\nlkHBjH.exe | N/A |
| N/A | N/A | C:\Windows\System\YSrxSGj.exe | N/A |
| N/A | N/A | C:\Windows\System\lxXlLVj.exe | N/A |
| N/A | N/A | C:\Windows\System\NLSmYPY.exe | N/A |
| N/A | N/A | C:\Windows\System\ijvXOXW.exe | N/A |
| N/A | N/A | C:\Windows\System\jCiWzdU.exe | N/A |
| N/A | N/A | C:\Windows\System\VvUROvp.exe | N/A |
| N/A | N/A | C:\Windows\System\CVRhZsk.exe | N/A |
| N/A | N/A | C:\Windows\System\NsqDPFM.exe | N/A |
| N/A | N/A | C:\Windows\System\lALXkeV.exe | N/A |
| N/A | N/A | C:\Windows\System\lnvadew.exe | N/A |
| N/A | N/A | C:\Windows\System\xoChBLf.exe | N/A |
| N/A | N/A | C:\Windows\System\EqhWmuS.exe | N/A |
| N/A | N/A | C:\Windows\System\gCCjaiH.exe | N/A |
| N/A | N/A | C:\Windows\System\NzrnkQC.exe | N/A |
| N/A | N/A | C:\Windows\System\NMEDzmJ.exe | N/A |
| N/A | N/A | C:\Windows\System\HnnfrvB.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_e01a5af1ad156d6d8fe4e476f94e1a09_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_e01a5af1ad156d6d8fe4e476f94e1a09_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_e01a5af1ad156d6d8fe4e476f94e1a09_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_e01a5af1ad156d6d8fe4e476f94e1a09_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\MNYmyLj.exe
C:\Windows\System\MNYmyLj.exe
C:\Windows\System\TVlNCwG.exe
C:\Windows\System\TVlNCwG.exe
C:\Windows\System\QRVxBHE.exe
C:\Windows\System\QRVxBHE.exe
C:\Windows\System\JjmWPTY.exe
C:\Windows\System\JjmWPTY.exe
C:\Windows\System\nlkHBjH.exe
C:\Windows\System\nlkHBjH.exe
C:\Windows\System\YSrxSGj.exe
C:\Windows\System\YSrxSGj.exe
C:\Windows\System\lxXlLVj.exe
C:\Windows\System\lxXlLVj.exe
C:\Windows\System\NLSmYPY.exe
C:\Windows\System\NLSmYPY.exe
C:\Windows\System\ijvXOXW.exe
C:\Windows\System\ijvXOXW.exe
C:\Windows\System\jCiWzdU.exe
C:\Windows\System\jCiWzdU.exe
C:\Windows\System\VvUROvp.exe
C:\Windows\System\VvUROvp.exe
C:\Windows\System\CVRhZsk.exe
C:\Windows\System\CVRhZsk.exe
C:\Windows\System\NsqDPFM.exe
C:\Windows\System\NsqDPFM.exe
C:\Windows\System\lALXkeV.exe
C:\Windows\System\lALXkeV.exe
C:\Windows\System\lnvadew.exe
C:\Windows\System\lnvadew.exe
C:\Windows\System\EqhWmuS.exe
C:\Windows\System\EqhWmuS.exe
C:\Windows\System\xoChBLf.exe
C:\Windows\System\xoChBLf.exe
C:\Windows\System\gCCjaiH.exe
C:\Windows\System\gCCjaiH.exe
C:\Windows\System\NzrnkQC.exe
C:\Windows\System\NzrnkQC.exe
C:\Windows\System\NMEDzmJ.exe
C:\Windows\System\NMEDzmJ.exe
C:\Windows\System\HnnfrvB.exe
C:\Windows\System\HnnfrvB.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 21:17
Reported
2024-06-08 21:19
Platform
win7-20240508-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\JcwHgsy.exe | N/A |
| N/A | N/A | C:\Windows\System\GmrFAMR.exe | N/A |
| N/A | N/A | C:\Windows\System\hZuSkwB.exe | N/A |
| N/A | N/A | C:\Windows\System\jjBLurm.exe | N/A |
| N/A | N/A | C:\Windows\System\XCnMgBE.exe | N/A |
| N/A | N/A | C:\Windows\System\WJMJEYX.exe | N/A |
| N/A | N/A | C:\Windows\System\bMaBTfa.exe | N/A |
| N/A | N/A | C:\Windows\System\vwhqbFD.exe | N/A |
| N/A | N/A | C:\Windows\System\gGDHhxc.exe | N/A |
| N/A | N/A | C:\Windows\System\QbROpZr.exe | N/A |
| N/A | N/A | C:\Windows\System\rjosbAu.exe | N/A |
| N/A | N/A | C:\Windows\System\Grarnza.exe | N/A |
| N/A | N/A | C:\Windows\System\KvVrtSC.exe | N/A |
| N/A | N/A | C:\Windows\System\mHSdiPM.exe | N/A |
| N/A | N/A | C:\Windows\System\hfwyXiA.exe | N/A |
| N/A | N/A | C:\Windows\System\cRrbtyl.exe | N/A |
| N/A | N/A | C:\Windows\System\wufQrkc.exe | N/A |
| N/A | N/A | C:\Windows\System\IvFtezy.exe | N/A |
| N/A | N/A | C:\Windows\System\vKtSXLP.exe | N/A |
| N/A | N/A | C:\Windows\System\bFXjKJC.exe | N/A |
| N/A | N/A | C:\Windows\System\GbWZDpE.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_e01a5af1ad156d6d8fe4e476f94e1a09_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_e01a5af1ad156d6d8fe4e476f94e1a09_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_e01a5af1ad156d6d8fe4e476f94e1a09_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_e01a5af1ad156d6d8fe4e476f94e1a09_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\JcwHgsy.exe
C:\Windows\System\JcwHgsy.exe
C:\Windows\System\GmrFAMR.exe
C:\Windows\System\GmrFAMR.exe
C:\Windows\System\hZuSkwB.exe
C:\Windows\System\hZuSkwB.exe
C:\Windows\System\jjBLurm.exe
C:\Windows\System\jjBLurm.exe
C:\Windows\System\XCnMgBE.exe
C:\Windows\System\XCnMgBE.exe
C:\Windows\System\WJMJEYX.exe
C:\Windows\System\WJMJEYX.exe
C:\Windows\System\bMaBTfa.exe
C:\Windows\System\bMaBTfa.exe
C:\Windows\System\vwhqbFD.exe
C:\Windows\System\vwhqbFD.exe
C:\Windows\System\gGDHhxc.exe
C:\Windows\System\gGDHhxc.exe
C:\Windows\System\QbROpZr.exe
C:\Windows\System\QbROpZr.exe
C:\Windows\System\rjosbAu.exe
C:\Windows\System\rjosbAu.exe
C:\Windows\System\KvVrtSC.exe
C:\Windows\System\KvVrtSC.exe
C:\Windows\System\Grarnza.exe
C:\Windows\System\Grarnza.exe
C:\Windows\System\IvFtezy.exe
C:\Windows\System\IvFtezy.exe
C:\Windows\System\mHSdiPM.exe
C:\Windows\System\mHSdiPM.exe
C:\Windows\System\vKtSXLP.exe
C:\Windows\System\vKtSXLP.exe
C:\Windows\System\hfwyXiA.exe
C:\Windows\System\hfwyXiA.exe
C:\Windows\System\bFXjKJC.exe
C:\Windows\System\bFXjKJC.exe
C:\Windows\System\cRrbtyl.exe
C:\Windows\System\cRrbtyl.exe
C:\Windows\System\GbWZDpE.exe
C:\Windows\System\GbWZDpE.exe
C:\Windows\System\wufQrkc.exe
C:\Windows\System\wufQrkc.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files