Analysis Overview
SHA256
685b16472bb3691a462668c09bab10e6363846d1c39add821c4889bd392a0c95
Threat Level: Known bad
The file 2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Xmrig family
Detects Reflective DLL injection artifacts
XMRig Miner payload
xmrig
Cobalt Strike reflective loader
Cobaltstrike family
UPX dump on OEP (original entry point)
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-09 19:43
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 19:43
Reported
2024-06-09 19:46
Platform
win10v2004-20240426-en
Max time kernel
137s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\BzgIBVg.exe | N/A |
| N/A | N/A | C:\Windows\System\foBdswi.exe | N/A |
| N/A | N/A | C:\Windows\System\RaMFqpm.exe | N/A |
| N/A | N/A | C:\Windows\System\hOmuemy.exe | N/A |
| N/A | N/A | C:\Windows\System\UWkRijB.exe | N/A |
| N/A | N/A | C:\Windows\System\sYYGgPf.exe | N/A |
| N/A | N/A | C:\Windows\System\vVNjteG.exe | N/A |
| N/A | N/A | C:\Windows\System\nNtYQgo.exe | N/A |
| N/A | N/A | C:\Windows\System\jTHJCQy.exe | N/A |
| N/A | N/A | C:\Windows\System\aBQviWQ.exe | N/A |
| N/A | N/A | C:\Windows\System\PIqVlVL.exe | N/A |
| N/A | N/A | C:\Windows\System\PXfkBFS.exe | N/A |
| N/A | N/A | C:\Windows\System\JeZPyWa.exe | N/A |
| N/A | N/A | C:\Windows\System\hgtBHhv.exe | N/A |
| N/A | N/A | C:\Windows\System\YJmREAY.exe | N/A |
| N/A | N/A | C:\Windows\System\jjBNSlm.exe | N/A |
| N/A | N/A | C:\Windows\System\GzSshfX.exe | N/A |
| N/A | N/A | C:\Windows\System\ixaaTPT.exe | N/A |
| N/A | N/A | C:\Windows\System\AnOsrOw.exe | N/A |
| N/A | N/A | C:\Windows\System\GHXtJVS.exe | N/A |
| N/A | N/A | C:\Windows\System\SaGEHQb.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\BzgIBVg.exe
C:\Windows\System\foBdswi.exe
C:\Windows\System\RaMFqpm.exe
C:\Windows\System\hOmuemy.exe
C:\Windows\System\UWkRijB.exe
C:\Windows\System\sYYGgPf.exe
C:\Windows\System\vVNjteG.exe
C:\Windows\System\nNtYQgo.exe
C:\Windows\System\jTHJCQy.exe
C:\Windows\System\aBQviWQ.exe
C:\Windows\System\PIqVlVL.exe
C:\Windows\System\PXfkBFS.exe
C:\Windows\System\JeZPyWa.exe
C:\Windows\System\hgtBHhv.exe
C:\Windows\System\YJmREAY.exe
C:\Windows\System\jjBNSlm.exe
C:\Windows\System\GzSshfX.exe
C:\Windows\System\ixaaTPT.exe
C:\Windows\System\AnOsrOw.exe
C:\Windows\System\GHXtJVS.exe
C:\Windows\System\SaGEHQb.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 19:43
Reported
2024-06-09 19:46
Platform
win7-20240221-en
Max time kernel
131s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\HLcSeXR.exe | N/A |
| N/A | N/A | C:\Windows\System\MGolwHM.exe | N/A |
| N/A | N/A | C:\Windows\System\bJWPQKs.exe | N/A |
| N/A | N/A | C:\Windows\System\pWBPUpd.exe | N/A |
| N/A | N/A | C:\Windows\System\IgWHYqz.exe | N/A |
| N/A | N/A | C:\Windows\System\wzhiQeD.exe | N/A |
| N/A | N/A | C:\Windows\System\HjHvVKR.exe | N/A |
| N/A | N/A | C:\Windows\System\ZkQQStn.exe | N/A |
| N/A | N/A | C:\Windows\System\fnqwOIu.exe | N/A |
| N/A | N/A | C:\Windows\System\GCyMAeW.exe | N/A |
| N/A | N/A | C:\Windows\System\HoCLTDB.exe | N/A |
| N/A | N/A | C:\Windows\System\PXXJVOr.exe | N/A |
| N/A | N/A | C:\Windows\System\WvNvmpG.exe | N/A |
| N/A | N/A | C:\Windows\System\lzELTjg.exe | N/A |
| N/A | N/A | C:\Windows\System\OOHMCdk.exe | N/A |
| N/A | N/A | C:\Windows\System\BmVWpDs.exe | N/A |
| N/A | N/A | C:\Windows\System\nJlShWq.exe | N/A |
| N/A | N/A | C:\Windows\System\dqcirMf.exe | N/A |
| N/A | N/A | C:\Windows\System\WuORgHm.exe | N/A |
| N/A | N/A | C:\Windows\System\kknBCOc.exe | N/A |
| N/A | N/A | C:\Windows\System\pNVqWmI.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\HLcSeXR.exe
C:\Windows\System\MGolwHM.exe
C:\Windows\System\bJWPQKs.exe
C:\Windows\System\pWBPUpd.exe
C:\Windows\System\IgWHYqz.exe
C:\Windows\System\wzhiQeD.exe
C:\Windows\System\HjHvVKR.exe
C:\Windows\System\ZkQQStn.exe
C:\Windows\System\fnqwOIu.exe
C:\Windows\System\GCyMAeW.exe
C:\Windows\System\HoCLTDB.exe
C:\Windows\System\PXXJVOr.exe
C:\Windows\System\WvNvmpG.exe
C:\Windows\System\lzELTjg.exe
C:\Windows\System\OOHMCdk.exe
C:\Windows\System\BmVWpDs.exe
C:\Windows\System\nJlShWq.exe
C:\Windows\System\dqcirMf.exe
C:\Windows\System\WuORgHm.exe
C:\Windows\System\kknBCOc.exe
C:\Windows\System\pNVqWmI.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\HLcSeXR.exe
C:\Windows\system\MGolwHM.exe
C:\Windows\system\bJWPQKs.exe
C:\Windows\system\pWBPUpd.exe
\Windows\system\IgWHYqz.exe
C:\Windows\system\wzhiQeD.exe
C:\Windows\system\GCyMAeW.exe
C:\Windows\system\WuORgHm.exe
\Windows\system\pNVqWmI.exe
C:\Windows\system\kknBCOc.exe
C:\Windows\system\dqcirMf.exe
C:\Windows\system\nJlShWq.exe
C:\Windows\system\OOHMCdk.exe
C:\Windows\system\BmVWpDs.exe
C:\Windows\system\WvNvmpG.exe
C:\Windows\system\lzELTjg.exe
C:\Windows\system\HoCLTDB.exe
C:\Windows\system\PXXJVOr.exe
C:\Windows\system\fnqwOIu.exe
C:\Windows\system\HjHvVKR.exe
C:\Windows\system\ZkQQStn.exe