Analysis Overview
SHA256
caf2386837d9f2670b1c1193fad18024967f873906578b473fa4bb11d75e41cb
Threat Level: Known bad
The file 2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobaltstrike family
xmrig
Cobalt Strike reflective loader
Cobaltstrike
XMRig Miner payload
Xmrig family
UPX dump on OEP (original entry point)
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-09 22:15
Signatures
Cobalt Strike reflective loader
1 match; description, indicator, process and target not recorded.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match; description, indicator, process and target not recorded.
UPX dump on OEP (original entry point)
1 match; description, indicator, process and target not recorded.
XMRig Miner payload
1 match; description, indicator, process and target not recorded.
Xmrig family
UPX packed file
1 match; description, indicator, process and target not recorded.
Unsigned PE
1 match; description, indicator, process and target not recorded.
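The static run reports "UPX packed file" and "Unsigned PE"; both can be reproduced from the PE headers alone. What follows is an added example and not part of the sandbox's analysis or its signature code: it reads the COFF header, optional header and section table with the standard library only, flags UPX section names or the "UPX!" pack-header magic, and reports a missing Authenticode certificate table (data directory 4) as unsigned. The build_sample_pe helper produces constructed header-only images for offline testing; its section names are not bytes from the analysed sample.

```python
import struct

UPX_SECTION_PREFIX = b"UPX"        # stock UPX names its sections UPX0, UPX1, UPX2
UPX_PACKHEADER_MAGIC = b"UPX!"     # magic of the UPX pack header left in the file
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode certificate table


def parse_pe(data: bytes) -> dict:
    """Pull the few header fields a static triage needs from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:        # PE32+ (64-bit): NumberOfRvaAndSizes at 108, directories at 112
        n_dirs_off, dirs_off = 108, 112
    elif magic == 0x10B:      # PE32 (32-bit): 92 and 96
        n_dirs_off, dirs_off = 92, 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (n_dirs,) = struct.unpack_from("<I", data, opt + n_dirs_off)
    sec_off = sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # Unlike the other directories this entry holds a raw file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sect_table = opt + opt_size   # section headers follow the optional header, 40 bytes each
    sections = [data[sect_table + 40 * i: sect_table + 40 * i + 8].rstrip(b"\0")
                for i in range(n_sections)]
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "sections": sections, "security_dir": (sec_off, sec_size)}


def triage(data: bytes) -> list:
    """Return the static findings in the report's own wording."""
    pe = parse_pe(data)
    findings = []
    if any(s.startswith(UPX_SECTION_PREFIX) for s in pe["sections"]) or UPX_PACKHEADER_MAGIC in data:
        findings.append("UPX packed file")
    if pe["security_dir"][1] == 0:
        findings.append("Unsigned PE")   # no certificate table at all
    return findings


def build_sample_pe(section_names, signed=False) -> bytes:
    """Constructed PE32+ header (no section data) used as offline test input."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))           # e_lfanew: PE header right after DOS header
    opt = bytearray(112 + 16 * 8)                          # PE32+ optional header, 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    if signed:                                             # fake certificate table entry
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, len(opt), 0x22)
    sects = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sects


if __name__ == "__main__":
    print(triage(build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])))          # ['UPX packed file', 'Unsigned PE']
    print(triage(build_sample_pe([b".text", b".rdata"], signed=True)))    # []
```

Section names are a weak signal: renaming UPX0/UPX1 defeats this check, which is why the behavioural runs below additionally report "UPX dump on OEP", taken when the unpacking stub jumps to the original entry point. A present certificate table only means the file carries a signature; whether it validates still needs a chain check (signtool verify /pa, or Get-AuthenticodeSignature in PowerShell).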
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 22:15
Reported
2024-06-09 22:17
Platform
win7-20240221-en
Max time kernel
137s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; description, indicator, process and target not recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; description, indicator, process and target not recorded.
UPX dump on OEP (original entry point)
60 matches; description, indicator, process and target not recorded.
XMRig Miner payload
64 matches; description, indicator, process and target not recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\CxWzNpt.exe | N/A |
| N/A | N/A | C:\Windows\System\UbEJChY.exe | N/A |
| N/A | N/A | C:\Windows\System\FqNCrKN.exe | N/A |
| N/A | N/A | C:\Windows\System\vMNEEoM.exe | N/A |
| N/A | N/A | C:\Windows\System\oUEiEfA.exe | N/A |
| N/A | N/A | C:\Windows\System\ImJzHYm.exe | N/A |
| N/A | N/A | C:\Windows\System\pqtfAKu.exe | N/A |
| N/A | N/A | C:\Windows\System\IsLCUJp.exe | N/A |
| N/A | N/A | C:\Windows\System\WuWisLo.exe | N/A |
| N/A | N/A | C:\Windows\System\vmuXMNV.exe | N/A |
| N/A | N/A | C:\Windows\System\OZLRABH.exe | N/A |
| N/A | N/A | C:\Windows\System\rGpRnwQ.exe | N/A |
| N/A | N/A | C:\Windows\System\fRHPivY.exe | N/A |
| N/A | N/A | C:\Windows\System\luiQdbn.exe | N/A |
| N/A | N/A | C:\Windows\System\wtLiTUA.exe | N/A |
| N/A | N/A | C:\Windows\System\AGfxFEo.exe | N/A |
| N/A | N/A | C:\Windows\System\IlFeBlJ.exe | N/A |
| N/A | N/A | C:\Windows\System\GLlgGod.exe | N/A |
| N/A | N/A | C:\Windows\System\QHtflyw.exe | N/A |
| N/A | N/A | C:\Windows\System\uZDVQRV.exe | N/A |
| N/A | N/A | C:\Windows\System\PSOqfuD.exe | N/A |
Loads dropped DLL
UPX packed file
60 matches; description, indicator, process and target not recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\CxWzNpt.exe
C:\Windows\System\CxWzNpt.exe
C:\Windows\System\UbEJChY.exe
C:\Windows\System\UbEJChY.exe
C:\Windows\System\FqNCrKN.exe
C:\Windows\System\FqNCrKN.exe
C:\Windows\System\vMNEEoM.exe
C:\Windows\System\vMNEEoM.exe
C:\Windows\System\oUEiEfA.exe
C:\Windows\System\oUEiEfA.exe
C:\Windows\System\ImJzHYm.exe
C:\Windows\System\ImJzHYm.exe
C:\Windows\System\pqtfAKu.exe
C:\Windows\System\pqtfAKu.exe
C:\Windows\System\IsLCUJp.exe
C:\Windows\System\IsLCUJp.exe
C:\Windows\System\vmuXMNV.exe
C:\Windows\System\vmuXMNV.exe
C:\Windows\System\WuWisLo.exe
C:\Windows\System\WuWisLo.exe
C:\Windows\System\OZLRABH.exe
C:\Windows\System\OZLRABH.exe
C:\Windows\System\rGpRnwQ.exe
C:\Windows\System\rGpRnwQ.exe
C:\Windows\System\fRHPivY.exe
C:\Windows\System\fRHPivY.exe
C:\Windows\System\luiQdbn.exe
C:\Windows\System\luiQdbn.exe
C:\Windows\System\wtLiTUA.exe
C:\Windows\System\wtLiTUA.exe
C:\Windows\System\AGfxFEo.exe
C:\Windows\System\AGfxFEo.exe
C:\Windows\System\IlFeBlJ.exe
C:\Windows\System\IlFeBlJ.exe
C:\Windows\System\GLlgGod.exe
C:\Windows\System\GLlgGod.exe
C:\Windows\System\QHtflyw.exe
C:\Windows\System\QHtflyw.exe
C:\Windows\System\uZDVQRV.exe
C:\Windows\System\uZDVQRV.exe
C:\Windows\System\PSOqfuD.exe
C:\Windows\System\PSOqfuD.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2968-0-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2968-1-0x0000000001B20000-0x0000000001B30000-memory.dmp
\Windows\system\CxWzNpt.exe
| MD5 | e62fce9ea293de550b68269602e7a80d |
| SHA1 | c66a9d83b47439db5b3b7dd8b2791bb548dc5f87 |
| SHA256 | bbbcf3a2952aaba523c36444e05af41f59a6f63af2055273b9e12137bf1ec914 |
| SHA512 | 023f38e7a6a4d609ab082ec7f0e409e4f44aba6bd666ae5ec54794d9f73d94341b437c9b1e517cac17cf2333a92a1ac77da0b099f770982cab93a1d7ae38c8a6 |
memory/2968-8-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2512-9-0x000000013F690000-0x000000013F9E4000-memory.dmp
C:\Windows\system\UbEJChY.exe
| MD5 | 105794a63cd9d040e67eea283d75f1a6 |
| SHA1 | da0d4a32c4b58f7f8ea2ad3637548f8f7a00057a |
| SHA256 | 1a357176e3cff250eb481ca59c348a488156e49f1bacd1893e0b49416f645dfc |
| SHA512 | d8b7bc5c6b4b3f2b5b878e80910352b6732b06dca13896980497353ae97b083a58f18c61874cba98909edc439aedbc50fa5f9cfaa402a86023a7814a08d0e2c0 |
memory/2524-16-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2968-14-0x00000000022F0000-0x0000000002644000-memory.dmp
\Windows\system\FqNCrKN.exe
| MD5 | 066348e5abd4780c16404b974cedcb4b |
| SHA1 | 349a6d0fd8fef59bdec42fdd91840cb0f31e8296 |
| SHA256 | 30905c04ef799b82376d7690d1720e369c04eb7d171e976e7904329ef4be4b2c |
| SHA512 | 546fb534364f0262fddb7f2b40f300bd64a7fe22019338977ffee41f19f6c5cbbbc843f99210f3cfe8d5fe58d337fbfe51a23a014c598e278df6833817474e76 |
memory/2968-18-0x000000013F950000-0x000000013FCA4000-memory.dmp
\Windows\system\vMNEEoM.exe
| MD5 | 8d4d255bd596be6fb881357ebcd5a911 |
| SHA1 | 4f4677eaa803212850e428ba5bc236f7f1d13839 |
| SHA256 | 5506259ecd38cca0d9f456daa10b61c9e3994a6d3ea251485967dd4628325ae5 |
| SHA512 | 49033e54b52990a5205da9ff1c134482a6c84955fa7d19d064f864a3073d7f156ccb1ab623f8704018c2f1bd97fced9bb61bbd1ec35a6f614d71f1191dc7b8ee |
memory/2548-29-0x000000013F1D0000-0x000000013F524000-memory.dmp
C:\Windows\system\oUEiEfA.exe
| MD5 | a3cfebeab0fd6e095d149fe724f7a63b |
| SHA1 | 742c6d8d55f6c9d8bfb8bb8baf82926e904bc265 |
| SHA256 | 125b417565b5bc47921982091707aa1f33ece6c39f0957922beb3547fed2c300 |
| SHA512 | 6c98c24aa7baff71af342726ecb36c1a01ac811bc5f3ca967d557507f91db9d88f4e747303bb6e84f21085f5b88d1f258cff7948b7473a6245f8121926cc66d6 |
C:\Windows\system\ImJzHYm.exe
| MD5 | bbe808bd48bc6019bd9b0214f6700d7a |
| SHA1 | 3f8a324fa9ed6c7454e999d7154b254bb4ec6ff3 |
| SHA256 | b17cde79c1c8e3b1891590cadc34b636962f9ea06c3eb6f921b1ecff3cd70773 |
| SHA512 | ba32e355e6125aa35cdd048025b83f998d8075773ab360870337414b3772928316e0c2a390fa9afb4b3d1e988c9ab2d3295a4b1044a3881fecc28260cfccb1a4 |
\Windows\system\pqtfAKu.exe
| MD5 | 390245167a1b0550ace8ea4439225721 |
| SHA1 | a6695c3432c93b8efcc6497a24ac21373ee2e174 |
| SHA256 | b9eea21232a43d30ec775ae81fc09737cabcdc55532621e6ff865a32d6ff41f3 |
| SHA512 | 8e0a5b13edcaea6a224f864bd53e2fbd74d43d4cdd29e5eef6443a6f655000916581b14d4a41c1e37f6468b8f2cac5e8fcc6bacc77f11ac43839054365cfcdaf |
C:\Windows\system\IsLCUJp.exe
| MD5 | 1149d3a50a81f932305c0e0d3f8b0e69 |
| SHA1 | 91362cf88b241d8ae1d2509868d2f3c4f792181e |
| SHA256 | 87689faddfd19a4a376bd177582b331ae4fd917fb8b1c6590047fe5d8b90f688 |
| SHA512 | 1e8676ce9774c9760e39d43634e0bbf0a8286143f3b225aa0f9589f8895af90eab9a018194a9cac97ebc9b9aa6c46182517f9351374fe761d0c7506bd0eb20e2 |
memory/2968-58-0x000000013F320000-0x000000013F674000-memory.dmp
\Windows\system\vmuXMNV.exe
| MD5 | 6d9b9166fa9cdc928119e93b908a20db |
| SHA1 | 25ea26b588e1b45b3ea331c5afd3fa3e14e450db |
| SHA256 | bf1b2de68e5ba2f090271cc5b675c64ab583975bd58b89d2f6fdcd78d42f469d |
| SHA512 | 8976814ea2df63968cf148aab3d1cedeea32f804e21046061f667d3c9acbc26d46a25328a7eaa4f877e0487f7a61ccaab1df29ebcec87a2168ac8af4c2658984 |
memory/2968-65-0x000000013FD80000-0x00000001400D4000-memory.dmp
C:\Windows\system\OZLRABH.exe
| MD5 | 86967a84e99dc610623ec4159f9a58f4 |
| SHA1 | 923ff0925e0feb3bf1dd5fcd228a1d6475803e2f |
| SHA256 | c76ba36d8bf8c92cf43008997631c9585cc1d4a056a11764527fddd25431cfe8 |
| SHA512 | d3616af021a4123e86c78ac970fd9a05dc15022f838cbb5a1efda86abe188c8945f8656e2322fa09899b669cf1fad7fb159a82c8d75041e897cdef519e09cf5b |
memory/2684-86-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2808-102-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/552-104-0x000000013F890000-0x000000013FBE4000-memory.dmp
C:\Windows\system\wtLiTUA.exe
| MD5 | b8a605976fc5af13e9f20b66e89d8359 |
| SHA1 | 04a53cb787b5402b2387a853209a000ee0678233 |
| SHA256 | 75c0b2ad2975aae802263d73889c94bb651d02384d00073c7adebd50fd64a4d2 |
| SHA512 | 56c7cb6a50828993e8ce9aae658d57f8cd80a65a8d23d48168064701184067420554bc589719e4ded8a8d4d827c5e5ec655540a6ba21d0c363d3211d78700466 |
C:\Windows\system\GLlgGod.exe
| MD5 | 72b6a8ff944f3ea8a0d55aafd0dd636b |
| SHA1 | 5358116031750063fc1507928f2313e99422180e |
| SHA256 | 1b258dda8c761d7dcca7e297c0438d766ae6aa1b01f30f1d2468ea49b4c85d2a |
| SHA512 | 6644b29ac14474f4c259207a5b25ca71e7fd0f83e4eee52f0b535df21b0991d527f747155a1ed8d792bc98ea5cb9df7044ad51880d067bf9d5c4fc12834c661d |
C:\Windows\system\QHtflyw.exe
| MD5 | 8e0e6bf93635d4c9e856c65d4c24c8e3 |
| SHA1 | cb118a12e15f45fc54dd6f6ad6ffc142f34c91ba |
| SHA256 | a0c218e138e7bee3efe881c62e8854c0e33d49c79058ad2dfbe43367ca1d7435 |
| SHA512 | 880d7b8567eaf1cda0adce6a9459ecc77f01958379efcc53aa8a7898bcc99910264510e208612e1799cab34b1c2192d7ca3c9446d027f0cbe6415896a4884c32 |
\Windows\system\PSOqfuD.exe
| MD5 | 92bcc8e25e9ffd0715c471254e326671 |
| SHA1 | 17548a8ebf742245fc22b7c17d7483d8f9a715da |
| SHA256 | c27e30603ad99674905736159c88384e7ab9811aa6831925a69b608dd518c2ac |
| SHA512 | a2049668dc16de2c189838a8dba901f2a4bbb524921d1639a082e4f72d7bc0fa01835324e1ef8b2fa2a29ab4aa71a7e1ba18180c01ee4e26883b9b08b895717c |
C:\Windows\system\uZDVQRV.exe
| MD5 | b6793eedc79a47d861346b81a3d7c114 |
| SHA1 | 08bcf356cede220a785298255f74b862c5ea7e21 |
| SHA256 | 42b2a0e09e490fa0c8213fc69c2700315bfe97cf3225b48e2a34955fb135ab1e |
| SHA512 | b14f7dec20b07d0e34133c283edfe0ac630d17b9394e1b6d96bffebe51cd8c9e29bb7c149c89ae8e7d9cc5cee51aa6ce0a1e65274e162d56eef8d18b44ce38a7 |
C:\Windows\system\IlFeBlJ.exe
| MD5 | 0f964676f6b806c43aa6c28d14728428 |
| SHA1 | fecdbab3bf6489c2cd888fd21758ea9541921bae |
| SHA256 | 711a1695079d14d87e4ec0726c55db443ba74bd2c87aadb7249b485f75bf679b |
| SHA512 | 1a60b3be13dfb5f09780ac3a7ae13edb60aaf0b53b6ced5bdc6099576055b133c96d040b309b3314bee4e94688fbd8e30932afa5329f97aae96d3e23ea6e241f |
C:\Windows\system\AGfxFEo.exe
| MD5 | 1fc40020fc0860870a53f964aeb4c749 |
| SHA1 | 29f97cc6999c29d47283b73907036e75c28356c8 |
| SHA256 | cad20314c9256e823f0bf577e35a194e4e1b77d56912a169702b921fc58b495a |
| SHA512 | b723a2fa9886617160e47b7502e7c191c329ad363246582c213426de1f59a9fd07322911acab81589e52b1ad31540c337113ddf879fa0eb593c304fa7ad113e2 |
memory/2968-109-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2788-94-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2968-93-0x00000000022F0000-0x0000000002644000-memory.dmp
C:\Windows\system\fRHPivY.exe
| MD5 | 91e8051369de72e744dd4be3f6f87732 |
| SHA1 | 66e0dfe98c1418c032736d9c5d250f3110bb9fa5 |
| SHA256 | 2c45c340f9532f5ca0d1cbc0adfe469e40d618ffa142097bff374164dfc865c9 |
| SHA512 | 7a320823eeac1538938ec0ce7d739feb4c0a33bd341a0d29963154abe71ce9ba6641b4c70c7acddc914de9f0be586dc14ed62d343663129eb3553175c5b27995 |
memory/2968-103-0x000000013F890000-0x000000013FBE4000-memory.dmp
memory/2548-101-0x000000013F1D0000-0x000000013F524000-memory.dmp
C:\Windows\system\luiQdbn.exe
| MD5 | 0e519c57ff10f97ab5579fdc007cf2df |
| SHA1 | 7dafa09598207dbaaf287d9aedb9442b5854c730 |
| SHA256 | 1cad633c9e21f0f75921aa3d586b5aaca58e44334af1ce0ecfc09f2e605890f1 |
| SHA512 | 60a163aa887aab7cd361d7ba69dd20b851db4e04a9ebd6770845b699dd0a682a4e692e4b4acd86c68e62cf39fc7a0d31918467ef3ba1cc0a7b9e3fb90ffe3352 |
memory/2968-85-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/1668-84-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2540-77-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2968-75-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2888-74-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2968-71-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2524-68-0x000000013F490000-0x000000013F7E4000-memory.dmp
C:\Windows\system\WuWisLo.exe
| MD5 | 70f4e2da2545f7c1b1d480d30c795d97 |
| SHA1 | 13d4228fe8a44eb3b6fa3ae4510ed3f59ddc64bd |
| SHA256 | 293b6a058cc7d41aac21732a21f8b504c869e173160b7fc084f2c323ef1fb0d0 |
| SHA512 | 79ace437b1af747072038f2467457c2fb4258e9bfc3e950aa6fffc4e1ec9e943e5f292a0e0792149a272cb97e6f769ed530f7860bc5f714fbc3ce9470fecd557 |
memory/2660-83-0x000000013F950000-0x000000013FCA4000-memory.dmp
C:\Windows\system\rGpRnwQ.exe
| MD5 | 177e887249e35d94794298f4aec5fb8f |
| SHA1 | 76aaf9e0001d62dcb8649a9cb16be344c2b7d7d6 |
| SHA256 | 23fee6c024a143cf602bd09500e3100ab5616af6b1a04b1eb21b783a3d5ac8ff |
| SHA512 | 0e02a579560869b93d7bb5c1f33084c4e9fb7c62a1e80f8f798a210124f9a8f5efdc1cc8c5ef2c5f04ed1b65e80c7acff19db12269b271e35887789c365e634b |
memory/2672-46-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2968-34-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2476-57-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2620-56-0x000000013F420000-0x000000013F774000-memory.dmp
memory/2968-53-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2968-41-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2808-39-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2660-22-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2968-26-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2672-140-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2620-141-0x000000013F420000-0x000000013F774000-memory.dmp
memory/2968-142-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2968-143-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2968-144-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/1668-145-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2684-146-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2788-147-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2968-148-0x000000013F890000-0x000000013FBE4000-memory.dmp
memory/2968-149-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2512-150-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2524-151-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2660-152-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2548-153-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2808-154-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2672-155-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2476-157-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2620-156-0x000000013F420000-0x000000013F774000-memory.dmp
memory/2888-158-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2540-159-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2684-160-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/1668-161-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/552-162-0x000000013F890000-0x000000013FBE4000-memory.dmp
memory/2788-163-0x000000013F130000-0x000000013F484000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 22:15
Reported
2024-06-09 22:17
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; description, indicator, process and target not recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; description, indicator, process and target not recorded.
UPX dump on OEP (original entry point)
64 matches; description, indicator, process and target not recorded.
XMRig Miner payload
64 matches; description, indicator, process and target not recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FiqffQl.exe | N/A |
| N/A | N/A | C:\Windows\System\oSxJEIN.exe | N/A |
| N/A | N/A | C:\Windows\System\giohIUR.exe | N/A |
| N/A | N/A | C:\Windows\System\VMqWZYx.exe | N/A |
| N/A | N/A | C:\Windows\System\EDtcZED.exe | N/A |
| N/A | N/A | C:\Windows\System\KvnmVGy.exe | N/A |
| N/A | N/A | C:\Windows\System\ybiPsAv.exe | N/A |
| N/A | N/A | C:\Windows\System\bzwyZTL.exe | N/A |
| N/A | N/A | C:\Windows\System\xWumsfX.exe | N/A |
| N/A | N/A | C:\Windows\System\iUoqBPQ.exe | N/A |
| N/A | N/A | C:\Windows\System\klrinwC.exe | N/A |
| N/A | N/A | C:\Windows\System\rYlAbWz.exe | N/A |
| N/A | N/A | C:\Windows\System\dZYbCAS.exe | N/A |
| N/A | N/A | C:\Windows\System\NznvjGB.exe | N/A |
| N/A | N/A | C:\Windows\System\nRwfOjk.exe | N/A |
| N/A | N/A | C:\Windows\System\JdUBUfj.exe | N/A |
| N/A | N/A | C:\Windows\System\ZtLNXGo.exe | N/A |
| N/A | N/A | C:\Windows\System\EHQgONj.exe | N/A |
| N/A | N/A | C:\Windows\System\BolrbRO.exe | N/A |
| N/A | N/A | C:\Windows\System\BJkzNOS.exe | N/A |
| N/A | N/A | C:\Windows\System\aLWFmFb.exe | N/A |
UPX packed file
64 matches; description, indicator, process and target not recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\FiqffQl.exe | C:\Windows\System\FiqffQl.exe |
| C:\Windows\System\oSxJEIN.exe | C:\Windows\System\oSxJEIN.exe |
| C:\Windows\System\giohIUR.exe | C:\Windows\System\giohIUR.exe |
| C:\Windows\System\VMqWZYx.exe | C:\Windows\System\VMqWZYx.exe |
| C:\Windows\System\EDtcZED.exe | C:\Windows\System\EDtcZED.exe |
| C:\Windows\System\KvnmVGy.exe | C:\Windows\System\KvnmVGy.exe |
| C:\Windows\System\ybiPsAv.exe | C:\Windows\System\ybiPsAv.exe |
| C:\Windows\System\bzwyZTL.exe | C:\Windows\System\bzwyZTL.exe |
| C:\Windows\System\xWumsfX.exe | C:\Windows\System\xWumsfX.exe |
| C:\Windows\System\iUoqBPQ.exe | C:\Windows\System\iUoqBPQ.exe |
| C:\Windows\System\klrinwC.exe | C:\Windows\System\klrinwC.exe |
| C:\Windows\System\rYlAbWz.exe | C:\Windows\System\rYlAbWz.exe |
| C:\Windows\System\dZYbCAS.exe | C:\Windows\System\dZYbCAS.exe |
| C:\Windows\System\NznvjGB.exe | C:\Windows\System\NznvjGB.exe |
| C:\Windows\System\nRwfOjk.exe | C:\Windows\System\nRwfOjk.exe |
| C:\Windows\System\JdUBUfj.exe | C:\Windows\System\JdUBUfj.exe |
| C:\Windows\System\ZtLNXGo.exe | C:\Windows\System\ZtLNXGo.exe |
| C:\Windows\System\EHQgONj.exe | C:\Windows\System\EHQgONj.exe |
| C:\Windows\System\BolrbRO.exe | C:\Windows\System\BolrbRO.exe |
| C:\Windows\System\BJkzNOS.exe | C:\Windows\System\BJkzNOS.exe |
| C:\Windows\System\aLWFmFb.exe | C:\Windows\System\aLWFmFb.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
C:\Windows\System\FiqffQl.exe
| MD5 | 3fcdb688e8c19b11905630a97d14e64d |
| SHA1 | 682c147ecb2c67af0eaeeada57e20ae71502a627 |
| SHA256 | 66522fb45ecc823763520790ccc63f773a8ff28510b24158c548184d6cb596ca |
| SHA512 | 1f0e705bd50cdf112b3a91bc43a317b04a877e972d141495e17ffe29a293d870688a6842fbf13913a7b0ea4901ec0dcd931031f0caf6a3b087512ff78660c1d3 |
C:\Windows\System\giohIUR.exe
| MD5 | a7ed7667814eb8e7a6190b3486aabc6f |
| SHA1 | 8d49c03c25cac356e0edb7e5e45d4be8bc43ffd4 |
| SHA256 | 7aaefac107830970ead3c41d75d710cf826d6fad26c36ad8238d3637ab1f98a8 |
| SHA512 | d2f5c3cf495900f83e6290ac11a33871af239184a0d5ca837ebfc0989511e52d41389b84b8ab10af5f33026866bb74f50764ab0d5d677396cf9e805d1a9368a3 |
C:\Windows\System\oSxJEIN.exe
| MD5 | ede064d84359de4ee07e65722705d2fd |
| SHA1 | 8a0e14598130378d0b344b6b648a4fa7536cf78e |
| SHA256 | c31358ad5eb0991bcc13a7f76124f2f471709e2cc0fcb94763eee829fae40a6e |
| SHA512 | 00d7fcfca1c0db0d5abc3878f381241fd2b3d17bf232a18a27912065c39858b635b5c03eb2b06831db95952c2af68c548f36883c60534b2113838f0401febf9c |
C:\Windows\System\VMqWZYx.exe
| MD5 | 8290c7bcbe80af7f471a991d537172fc |
| SHA1 | a09ef950016e4fef38b186e525054f9b867b209b |
| SHA256 | 0850bd596325d3c2036e23132e5a61b3cb8be714fc191b32cfbb5c5239611452 |
| SHA512 | c48b6174d2f7b01d5b105714e0da600450a8d4319a9e4ab2e6c650cfeb370dfd17d59a7252aa3b0899832b6cda2f349503810bf8d802ee22177f4908cc086aa9 |
C:\Windows\System\KvnmVGy.exe
| MD5 | 68f72d23f7d4c62e0446d9fdc045f094 |
| SHA1 | 78097509cbd72fda5d8c5a0996a4f54cb0911a22 |
| SHA256 | 7b3afb37fc732d81887ac99aca1f264a42b774c4e886c0fe900fb6f7427b0ca7 |
| SHA512 | 088e5f153ccfe940870977a1f8c17ba288e7153bb27e8960c96bf8a5ddf784e95abc10b21d90b5a1bc0ee111c8cd67c8bf83d181d9890b083817a7528ff0b57d |
C:\Windows\System\ybiPsAv.exe
| MD5 | 1ea109b9fc02e36c88b67fb1adfd540b |
| SHA1 | f49db66caef5308902f79ade2a9d585e9dd18027 |
| SHA256 | be70dcc3461a97d2b9a7cde953533f2acdfc40df4b514eb59f366d0f5cbc86ce |
| SHA512 | af0a473cc9202e64cab6cf992c9242b226dd06a72707f2567cfabc788b869adc3ef28347bafcd6520a4b9d2c6111fcbbdb28019c208e6171cbf53304bbc7dd24 |
C:\Windows\System\bzwyZTL.exe
| MD5 | f94eb12e044152a51a64188b29f233b7 |
| SHA1 | 9892193c2d1038f6d6a5395e68acbec4e62ab76e |
| SHA256 | ee2a9309a5253ee70c70bf2decffdb46cdd9002fc55c2fe1b16b876c1ff0b95b |
| SHA512 | c9a15557b61084faef2c3d869d7d98292d575aa682280498446f47ebdc77516092cf8f5ca38658e09fbb06d120c49fdd1d14f0a5a10d4ec0f9c23cad9c0c8610 |
C:\Windows\System\EDtcZED.exe
| MD5 | a77b9ceabdfa551e7c0a516ecb442111 |
| SHA1 | 802158ba12838cb750e56ff409e79838da695431 |
| SHA256 | 35a6d331fa87083cffc834b5cf008c4bbe154ed6deeb558612774e606c1c34cb |
| SHA512 | 2ab2b34205bf15ab074c882d9c5c24ec5fb01ef5bcab475edf6ff0278634a2f8f5836b3a03e59afa281cefaa4772f09e879ca524dfe312d6ff224d8ba292d829 |
C:\Windows\System\iUoqBPQ.exe
| MD5 | 1b18454a976268517ad2a6ba71f6eb67 |
| SHA1 | 714bbaa44b8135d05bedc68d361031624ec6bc1f |
| SHA256 | 2b0a4c5ddb456e4c2047aa081cccd416321254d01ca789b22932a9ff1addbc2d |
| SHA512 | 77c1b906e303618251596609fbe4a2364e02e9fdb7cc97e2ebf0d34567f898ceb24070e103aa010cf4a2eaa5abbf5813021430f3af4d2e57b056e0505488464f |
C:\Windows\System\klrinwC.exe
| MD5 | f20af8cfcde9621f21b122a303eca69c |
| SHA1 | 5d22d7d25cf285047e36878ca6cf380b47e7893f |
| SHA256 | 80eb157659d933583570c5b1b1f809586275fb086ef997d66c9e7ef04e85b4bd |
| SHA512 | 40be42f9871b80b818269ceb5d2b6741a8b3ef930f18c4cc742881575d1f5ae1861e8e3a58038ac31777546404b135acfe9169530131932d365e9370e7423078 |
C:\Windows\System\xWumsfX.exe
| MD5 | 7e1be4cc66c20f9e068f59070c032497 |
| SHA1 | 3598dccd5870e7c153be099b8920e907b35ec36b |
| SHA256 | 009a65bc465a7596e3d8b20266f90f6f956b66f3fedbbaf927ac85a583dc8077 |
| SHA512 | 20929b9147aa349f51823b3af194b6a040c7e0d52f355a9591c767dcf73357aa5dac6461304e18c429c10141c37e527f4b1559b8742bd65bf27fc4ba439591da |
C:\Windows\System\dZYbCAS.exe
| MD5 | e094a75206bfdd76737ba7d4b20c6ee2 |
| SHA1 | 24b5a87d710822e1c7a622c4e6daa855bfb54867 |
| SHA256 | fe0acdca7d49e82f21c811cbe6deaed5fff6df93c68f53a3f74a5c3d10d3d966 |
| SHA512 | fcd8f0c3a42aba1bdaaab16b37cc174da7098f7c10908f4f7d75db93e969d9bcd4a7deb28f24584f2cf21cb2526bf629d6143ea23e3bedf05e353e408ef14d68 |
C:\Windows\System\rYlAbWz.exe
| MD5 | 94fc334fb8350d99e4470a560d4469ca |
| SHA1 | 06921d0cede720cd8efb8dd950fc9e1aaf674473 |
| SHA256 | bd283379e58922992f10469fed3722ae1981f3ca473388d27c6fb393adeb9d8e |
| SHA512 | 7e86e7ad6abd5b573079c9cfd4e2f8f993a3fc0ddc028c380ff26eced8434c5388bbdeec52dc8a4fb65df94e986eb28048544d286c4a6fc19ae4db813cd6e8b4 |
C:\Windows\System\NznvjGB.exe
| MD5 | 8053e15ea2032859e67e8d751b95f394 |
| SHA1 | ba789bf52447e5abb6644dc5039f5419d4de8106 |
| SHA256 | 10a2091b8737cc3da57d3e4af13410d2475241129447c3dce7c1fd341a141014 |
| SHA512 | 5fde367949f4419490c3ad11430a86ef7125733e307e5ac972f2ad2cf0dbd3b572a7fcd80685a1cd28fd030c5408c9655e429d2cfbbce65b215b22c0b7149a57 |
C:\Windows\System\nRwfOjk.exe
| MD5 | a9a8d0ec3bdda959ca0d763252c128fe |
| SHA1 | f99d9dac56cd71b7ccc08c1cd3d8cb7b5db67761 |
| SHA256 | 62a336e0d8abe1d0acb1591ff938a07c5757557fe9eb36b5af7c25e76ab63c1b |
| SHA512 | 5432396a9748766d35116312e380409abce20b2bb012a3afcba2acd179911974335173fef92523c93b2970f29c2589d0787a9b57e041add985a93217485d7d77 |
C:\Windows\System\JdUBUfj.exe
| MD5 | a7cd07b0467453f3cfe2dff991aaaa99 |
| SHA1 | ed85251d0892ea751e419ca78690d2b1a245d209 |
| SHA256 | 80af2ba38105d1ead4c337e3dfa5fe4f482ae2913be42a4633b9c0facb62eacd |
| SHA512 | 39f127d0e419f28f4ef5c3340651fa1d2cf8ff3b8755152d2df97d2db785f4235eaacea2194b1ae424b74fe6172a49553b4b2c2894afcb09e9edb3e48dd451bd |
C:\Windows\System\ZtLNXGo.exe
| MD5 | 7aebc169dbb211326da9218f3f587093 |
| SHA1 | 538cb0c0554f1a637bbe9a64e6bc43773cd88918 |
| SHA256 | 87cdd5571ffe340db5ac2ef548b6c7b0abf895d0b511f801748731f94aed9fde |
| SHA512 | e0f5ab74e69d8fbc0a0dfd2043948343af9bdf40f48b24cb82a6932a5b0c6456b6fd1140a2da035f6586411fc53d34a921f1174f472dfe20b2edbe8177eb4846 |
C:\Windows\System\EHQgONj.exe
| MD5 | d311e8d4712f0de40f9c311d693c7508 |
| SHA1 | 4ba8ca917ba38c207e5b4b91a5793a28d9e24053 |
| SHA256 | 9e2c9f216ace53f10088364dac852828be0e7d0d73402a428ec27fd793f8abb0 |
| SHA512 | 62a18202b566c15fc09c03c1b3f53119d7cdfaf2872ecb5c4e1fb7ba1c8221618510c37648d1da2a431bf8c2294d1843e9a5889002ad04a42fecde0cca319ec6 |
C:\Windows\System\BolrbRO.exe
| MD5 | 596c278f74380e3ef3ed2c794071aab5 |
| SHA1 | 2894acb3a1e6cea4bddc4a399339555600ac2ed9 |
| SHA256 | 4b7d9862651a7751cd2c82cf6f1eb85d0acfa9245c789a992ef1fd9b1170a85b |
| SHA512 | 9ce3f7946c9687c3896a91bef5c15ecbc020572dfd3379026f46ff30623ab61c45a00bcc81cc0bc99828938f3f2ff79f661883d5ca826b060232c51cb84c710a |
C:\Windows\System\BJkzNOS.exe
| MD5 | 69e4261080875204234e50a30ad19521 |
| SHA1 | ce0503f8f9e0dfcad17fcb3c8596b60cba59884a |
| SHA256 | 157d464eb8a83da100faa2c1225906b1fe9c057605e0cd35988f90cb9a29aefd |
| SHA512 | 80a3e48b6fee53c0227c70572565d1eb5abd486ddb6b562328ad43defa8a140710992fd94c0d2600f7d73afc346731e2be7ef5d2154ceec5b2d4cb86a856b2fb |
C:\Windows\System\aLWFmFb.exe
| MD5 | 84edb66740a19e9bb03305bec9276a56 |
| SHA1 | 72e67ea699165cc1dc54e5df68f3d88cdbd6e6af |
| SHA256 | cfd7b9a1b2e86a544e683abd96631b444f4ce922784a6338701ff80bde99f5f8 |
| SHA512 | 87a6d9acb8555037e676f5eec61598ac449929bcebeb5c81cc0367e86d71e18b91f00f6dbed62ea1bf3cbed16b4a1c2255b7e98d30c59cbab89b99b38e9f5c38 |