Analysis Overview
SHA256
7b42d2f25b67245f385a923ccb9aa28f1831d753087984c160b0b32d5721a503
Threat Level: Known bad
The file 2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike
XMRig Miner payload
Cobaltstrike family
xmrig
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-10 04:45
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 04:45
Reported
2024-06-10 04:50
Platform
win7-20240221-en
Max time kernel
133s
Max time network
143s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qPetckh.exe | N/A |
| N/A | N/A | C:\Windows\System\CRFwntD.exe | N/A |
| N/A | N/A | C:\Windows\System\LhAsFiu.exe | N/A |
| N/A | N/A | C:\Windows\System\hKJxSnF.exe | N/A |
| N/A | N/A | C:\Windows\System\NAQQZTQ.exe | N/A |
| N/A | N/A | C:\Windows\System\qHRPASa.exe | N/A |
| N/A | N/A | C:\Windows\System\wuhkSgu.exe | N/A |
| N/A | N/A | C:\Windows\System\zUMHIKO.exe | N/A |
| N/A | N/A | C:\Windows\System\ZLZPjcl.exe | N/A |
| N/A | N/A | C:\Windows\System\lrCicGD.exe | N/A |
| N/A | N/A | C:\Windows\System\hUeQLxX.exe | N/A |
| N/A | N/A | C:\Windows\System\FqvCKxF.exe | N/A |
| N/A | N/A | C:\Windows\System\ciKLhmF.exe | N/A |
| N/A | N/A | C:\Windows\System\eTesOkB.exe | N/A |
| N/A | N/A | C:\Windows\System\yULUIrw.exe | N/A |
| N/A | N/A | C:\Windows\System\igXaePc.exe | N/A |
| N/A | N/A | C:\Windows\System\OwkBpUM.exe | N/A |
| N/A | N/A | C:\Windows\System\EJXXzaQ.exe | N/A |
| N/A | N/A | C:\Windows\System\aQVpZzK.exe | N/A |
| N/A | N/A | C:\Windows\System\FuqhzMh.exe | N/A |
| N/A | N/A | C:\Windows\System\kWtJMWy.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\qPetckh.exe
C:\Windows\System\qPetckh.exe
C:\Windows\System\CRFwntD.exe
C:\Windows\System\CRFwntD.exe
C:\Windows\System\hKJxSnF.exe
C:\Windows\System\hKJxSnF.exe
C:\Windows\System\LhAsFiu.exe
C:\Windows\System\LhAsFiu.exe
C:\Windows\System\NAQQZTQ.exe
C:\Windows\System\NAQQZTQ.exe
C:\Windows\System\qHRPASa.exe
C:\Windows\System\qHRPASa.exe
C:\Windows\System\wuhkSgu.exe
C:\Windows\System\wuhkSgu.exe
C:\Windows\System\zUMHIKO.exe
C:\Windows\System\zUMHIKO.exe
C:\Windows\System\ZLZPjcl.exe
C:\Windows\System\ZLZPjcl.exe
C:\Windows\System\lrCicGD.exe
C:\Windows\System\lrCicGD.exe
C:\Windows\System\hUeQLxX.exe
C:\Windows\System\hUeQLxX.exe
C:\Windows\System\FqvCKxF.exe
C:\Windows\System\FqvCKxF.exe
C:\Windows\System\ciKLhmF.exe
C:\Windows\System\ciKLhmF.exe
C:\Windows\System\eTesOkB.exe
C:\Windows\System\eTesOkB.exe
C:\Windows\System\yULUIrw.exe
C:\Windows\System\yULUIrw.exe
C:\Windows\System\igXaePc.exe
C:\Windows\System\igXaePc.exe
C:\Windows\System\OwkBpUM.exe
C:\Windows\System\OwkBpUM.exe
C:\Windows\System\EJXXzaQ.exe
C:\Windows\System\EJXXzaQ.exe
C:\Windows\System\aQVpZzK.exe
C:\Windows\System\aQVpZzK.exe
C:\Windows\System\FuqhzMh.exe
C:\Windows\System\FuqhzMh.exe
C:\Windows\System\kWtJMWy.exe
C:\Windows\System\kWtJMWy.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1896-0-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/1896-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\qPetckh.exe
| MD5 | 6189332d86c9348ac47283258c190a7c |
| SHA1 | f6dc39b5475af2c244c9eb8f9b55e8792aafbdc9 |
| SHA256 | 594853168962cf940e5f3394f538ec6b6690fb74141ad89a6df4a0da6847c0bd |
| SHA512 | c09892beeb9047d5dd9a0f03a5e6025e3c2c168ba1a3acbfd142eb29f854f5ffb58c9a01ce69eecc642fd7117c28ff5c94d718db7314620ef69105ff775889f3 |
C:\Windows\system\CRFwntD.exe
| MD5 | 98ddbea8b700025cfea6cdb4aa3e43e8 |
| SHA1 | 50ceb41fa98f8da019e896ed8b56fb815ade85c3 |
| SHA256 | f3d04b1b505bbd1edfc225f0ff843d2d6e124620e1863f1cebccc8fb38f1e763 |
| SHA512 | d10c79b9ffe04655d2ed28a606ef98f8550b5560c30acde63f1522d23a06ada25993e4c72d6366952d8876ac8ea72ef7e8996ba2e92abd973881f2d8a97c9a8a |
C:\Windows\system\hKJxSnF.exe
| MD5 | 0c4fa25607b4370165ec346f1ab5cf33 |
| SHA1 | e793a93cf0e5f3e380ba686a46b04e292ac07498 |
| SHA256 | f680fd2e7e49c6829b698cc5e2e48b3f3ec8ee78dfde1c28c492f9f7a1d1aa8a |
| SHA512 | 57cf1299c34833ccdb24babcc7aeb948098cf922afcd315f5a5058d132d8d7c108e23a581403cea07290b7bffcfee0f7a4aa118bae4b90c90b7ccd5b4bd86e46 |
C:\Windows\system\hKJxSnF.exe
| MD5 | b5d6c8b472f6137523570f20868f4041 |
| SHA1 | 61a520c4e5802e3278d223745c0d5b53798489c3 |
| SHA256 | df7d971e23b4ededa31b1693094cae103f35c8a092bea9c558c1e9bba9ccc324 |
| SHA512 | 310f2bca69858a022c70080fd06c881ff6459ee943f0afef48d3fc47591912fad27b5857e0c076a90ca0c03ab0f8ff278f0a7686305712014a6bb182fc4a4229 |
C:\Windows\system\NAQQZTQ.exe
| MD5 | 1e2459942327eb396bd8cd9cbc885d14 |
| SHA1 | b979cbcb517509c30843efb1d91bef30f1f24a44 |
| SHA256 | 54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a |
| SHA512 | 62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7 |
C:\Windows\system\LhAsFiu.exe
| MD5 | 97670e65f1680ff81eb8df51e3d05a19 |
| SHA1 | fb3855e5edea54ee0b085846a58c839af4527392 |
| SHA256 | e7f2eb724c4956bea424be0998d301d17a7f50b9336cb82d2ee941cd2201fcbb |
| SHA512 | acb88104ef3e253f89fb89fe1b28dc7bcb9c6e1a1df0e6387f0f0c205f704b0802eba1fe86cf90f9ffde967f235775bb86d085046fef92fd5b62fcaf42ea8d36 |
memory/1984-16-0x000000013F280000-0x000000013F5D4000-memory.dmp
C:\Windows\system\wuhkSgu.exe
| MD5 | 5fa795b3b7fbfdb00bd1230752e0c717 |
| SHA1 | c04df1c0104752fc707883394c20b7a38d950291 |
| SHA256 | 824077dfd6a62e9e36be5c206334d0508de5a3b956ad1bd496fa2e71eb9a9179 |
| SHA512 | de08f47b777576f6d8782f91ad503bcf8fdc3c8ebfac425ac7200b990be02ae05d557511a5745c3ce08c930b4d0fe264f704e0ed5826f20f19f9a35af8cd315a |
C:\Windows\system\ciKLhmF.exe
| MD5 | 2e820f8af7aa3bf225d37608a0a87341 |
| SHA1 | b813ceb09756bee341a57c9525bd3abdbe863ab8 |
| SHA256 | de3ecb3b5fcb41244e0ad238c42dbdcdb420cd69a0a9fd4969c3c2c21a4688aa |
| SHA512 | 94100e338184f7a3ae15a222a1475fa5698953edd851085d3fd0ba1cff9c8ac4fea1d0ffc946527b9efc401e37d9d7afc7e865918e1dcb595782d3b4242cf2f4 |
C:\Windows\system\igXaePc.exe
| MD5 | c640e7276248ae97642c2a7bf34e461f |
| SHA1 | c86ee302e90005334c41f03ad1020133e971ca75 |
| SHA256 | 487238a42789387dd63d77ce6301803af0e8b6b4838fe5e37fd3c7a1c6c8df9d |
| SHA512 | 39a62ff93da5786eb18c588fe52f317b9ac0af058cf8492aac9a86def4ed525a2902436231143b3b479d9567d6f9126d4bcd27fcc18427c127150dafae026ec6 |
C:\Windows\system\kWtJMWy.exe
| MD5 | 38e1b7b0b9aa649f5c14f03127a6d132 |
| SHA1 | 3917ca36707cd2c4dba6b6926d34a14a7bb117b1 |
| SHA256 | ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72 |
| SHA512 | 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0 |
\Windows\system\kWtJMWy.exe
| MD5 | d1f135638dc4374f54c16a2e064cb07e |
| SHA1 | 9468b1b5db6c91110e844d2200e59e0ec34dc070 |
| SHA256 | 83729fdc15adda77299e5d83e74c8ec61df7e73280b3c980fe671e8860674b11 |
| SHA512 | 2994d556c682a89eb4e5ee05d99f8a967acaf9b482c14044f87300187360214567dca5c0ebd02617569bae4370c9a06d23f296634244c08f8d23e6af12cc8bc0 |
C:\Windows\system\FuqhzMh.exe
| MD5 | f6cdfb3d88537b367792cbd894bd98ed |
| SHA1 | 3d3f99c94c72c456dffcf949bc5d30603a7e936c |
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
| SHA512 | 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3 |
\Windows\system\FuqhzMh.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
C:\Windows\system\aQVpZzK.exe
| MD5 | cd2955deacec5bcac8863a9361763e34 |
| SHA1 | 4137af6a07d50f6878ee4cf5bb66b6d7e5608978 |
| SHA256 | e914e1eddbafb997430ddab6003407fe97a55d5e93d126b5f3bab557f28db2f2 |
| SHA512 | a1ae2ff1f589dfd72ba0dc794dddd6d14840ebdbfc3eb27dbee1e90345a0121d5c6b4f8214259aff2494bfc9f8ad15408db61825a59f771d192e92b2760f7a69 |
C:\Windows\system\EJXXzaQ.exe
| MD5 | 7ca4c7d08ec840a69d3101c638d4b72f |
| SHA1 | 9a0bd3c709f755b63121fadc936f446aec1e7ee6 |
| SHA256 | ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7 |
| SHA512 | 93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b |
\Windows\system\EJXXzaQ.exe
| MD5 | 64608890dcd212091a87599b2f0612b4 |
| SHA1 | 642cba6fdd06687bf7b84652d1d79a4e1e6a2442 |
| SHA256 | b0713465db08a043a2fc63565826669db6692aab975c0e29a5185ae16112322b |
| SHA512 | 9bdeddb8d2b5d212ce44eb56a90491fbba59fad54bddc0d8b4b8bf820f02cd20cd341a5b8d7dee63bec0cc37a66e5649ab2d3fa0a94759da8902674545d3a347 |
C:\Windows\system\OwkBpUM.exe
| MD5 | 85714472751594131947fac558962608 |
| SHA1 | a05b32aaada2e070d00cdfcbec88fbf67aaabf0e |
| SHA256 | 92c34106909f58c0120bc05675400c833638d8d332fece8b9a49a392214b13df |
| SHA512 | e79aca615484a1f92992de3420cafa89b3132ddb953ec96d545f5e00e52da5b0793c0ee9437d0eb409242467ecdfd717653ae6b6798d32fbe8a75f5445c0e1ba |
\Windows\system\igXaePc.exe
| MD5 | 30ac98cd6ec57605801f546c6567c9ef |
| SHA1 | 6432a7a9703259b40c10be16db7b39adce1f130c |
| SHA256 | 1d79da8549c3799713a6109d1bea90e413cb0fc53e299dddf783bb6ae4dd26dd |
| SHA512 | 008fa4cea1ffdd4b38dc10823add1593d558af9d475052938882c7d1a85f52e714a536b08725eed77f52d0cd239c5e9bf7d392702d03009a532a7faeb1d5ef33 |
\Windows\system\yULUIrw.exe
| MD5 | cf26e0d9bd7a2d965883d0f1d159c45f |
| SHA1 | b849d7d4f3d2d8072543ed7154069361d0c67e92 |
| SHA256 | 7c98bf851775d40674541d1fe6d5d27a4faf48221d2ac15896c95daf459dbdba |
| SHA512 | b98cbe03180fa5d6512490041a501e4ccc11c2019f9abc670b643db7545dad83c94ca89efb8a62f73f40fbe63edf29412523659921df7ef641af9c5acf6b5bc7 |
memory/2888-109-0x000000013FFD0000-0x0000000140324000-memory.dmp
C:\Windows\system\eTesOkB.exe
| MD5 | 6fb6863d9548f3879b1ba1b64fc45a68 |
| SHA1 | 0dc40616de903c417cc9a8b581f9078af09ea60a |
| SHA256 | b26b72ca0ef6d18aef032253470a78a13f48dcd486b2eb6e1570c96324293e82 |
| SHA512 | cf09c13915872b96dcf1f62eac8174c1c1dfa4aabd64fb9272008df1f24e451a988f1edb48cb6ca8b7ef84d58508cf13cc3d0e709b84acf2687dd5617c6c3a61 |
memory/1896-110-0x000000013FB10000-0x000000013FE64000-memory.dmp
\Windows\system\eTesOkB.exe
| MD5 | c83a72fd32d1ea03c4c25e0b40a06534 |
| SHA1 | de2f9cae4aaddd2cc18d23899ecdd1c809f91cc1 |
| SHA256 | c7c33166fb7303a687223dfb582067f939bce709fca5c41b819da2f4a6dcb359 |
| SHA512 | 01b6c66abfddb5df6a71e9a20ac803480a15bd6d8e038d46a607a93dd9ea600234a78f6bd587ad7d5b0616a8419e74ad1e4f1e4566d73f0ec035b67591e1923c |
memory/2088-116-0x000000013F700000-0x000000013FA54000-memory.dmp
memory/1896-117-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/1896-115-0x0000000002300000-0x0000000002654000-memory.dmp
memory/2644-118-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2384-120-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/1896-119-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2524-114-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/1896-125-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2852-126-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/1896-131-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/1896-130-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/1852-129-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/1896-128-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2820-127-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2428-124-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/1896-123-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/2356-122-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2408-121-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2556-113-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/2616-112-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/1896-111-0x000000013FD80000-0x00000001400D4000-memory.dmp
\Windows\system\FqvCKxF.exe
| MD5 | 7714ececc84a592d7a9154c3fb31cb2e |
| SHA1 | a16046ebfebdfbab8185480106746e6a16da82fc |
| SHA256 | 9dd5c6e62613d6169639255ec82cc443f0b9cc1238a3a32d153d7dda373a2b22 |
| SHA512 | 18b148c513f6096f10d821cc4f19f65615647e4b0141ffd1cddcaa9f2ed0f375cf4d139ee9638520902b969facf7a00104c2d951b3a4a979cfd18831f0db2b1d |
\Windows\system\hUeQLxX.exe
| MD5 | c5f33c208b8352c92ff94fbc2b599111 |
| SHA1 | 0842e8833ca026da14c777f19216ac8823767900 |
| SHA256 | 6fd2df6d3131682515e5fc159d81918ada218168622149be278bff78e6839f6f |
| SHA512 | 62f9100bcb029dacf5e5850ff2c364497a0db747c663dacd840839ef6bb501ef0b8fddc8b075af9a33043a07665b866db4f1c551c78513d6efa407abe8c56db5 |
C:\Windows\system\lrCicGD.exe
| MD5 | 3c4936ba91eaa69f7fdbfccc9b857022 |
| SHA1 | d97c8ba6655ec64594f86192c6bdb9c832040c3a |
| SHA256 | f647e481490f98c412386808e010fe7c22bcbe8d3cebe4c6aae38fd2d6003c10 |
| SHA512 | 327dd607eb26134ae7933735d6de926b79e86a7c2a97c4f64919c1cdded613dd5e13b9c7b209f5d7e94d70772d16c0aa412b8bf1f7d9435384a504f194d13cc9 |
\Windows\system\lrCicGD.exe
| MD5 | 992e15ebc2245cf970acce9948576d6c |
| SHA1 | 3322f50d4aebf915abc8a5277cd07a23adf5f127 |
| SHA256 | 34aca34b8538d4e7f9b5ca1806b2281a0382769188fd9d2c13b1e312e96b00f5 |
| SHA512 | 2299491ec9c9bd4a6ac0a40bf192f660f0f17c74b61aa4e0097b4c4f83a6d479f7a76f02af36d33e9826debb7591943213a22619c67db9751ef075d87dd44bf7 |
C:\Windows\system\ZLZPjcl.exe
| MD5 | 8a74009f7dd9c036cc12b3f189bd9ac6 |
| SHA1 | e53d33c260bb77d6ec7f4c05d6b7a52ccd5f9de0 |
| SHA256 | b349cfcd57c9962c2310b863621992c24963856bb8765a72596762e3d22c0932 |
| SHA512 | 6b058797ebf39246aeec4041256bec3900d2fe258c40c7a628ad2f0a7c71cd84516d0e4598c1b869d273f2d776086698842e42f21ab1a8adea547d9c55a56876 |
\Windows\system\wuhkSgu.exe
| MD5 | 17fc50ceee2e03d90dc66d1b696ae04c |
| SHA1 | edb9bfabb63dae8151ef58d586ad8bd320e46954 |
| SHA256 | fc4616ed39d09901bce558c977cf8c1b0bb141044fdc081427724967ba6dd3fa |
| SHA512 | d8c3393f993fa67b8b0595df5ee762653e8d56a623f080da9228a5a0d869ef0a7edc1d904724d72b970bf2e625e4a5f9c12c3697e318c3a3b3b8ac5cb30955dc |
\Windows\system\qHRPASa.exe
| MD5 | 67d7d0c360c2defa9a36a47a23af7dd6 |
| SHA1 | efd9d2994e80ef40cbaab5f7ef02420aebe17206 |
| SHA256 | 0521cd0d1d60fc081a5e4d3f28f5a76a962e60920d871e29a2de526b0e72b791 |
| SHA512 | f5338aedc9e177da3d3af04e6946e9f03280307d40c8e1e2e21b270727d9ec57427c8f7861835c62a83f44226e722c786902eaaa4187cfaefc3a81305ca12e2b |
\Windows\system\hKJxSnF.exe
| MD5 | 6e20c1464f2f11359d03740e39e646c8 |
| SHA1 | e90209ae46e403e71a97b0f056c5611d8850af0f |
| SHA256 | e9593ce32c1f94db36680e392134bf6ea24ae6d0ede4ec413f37566a5f2d14d1 |
| SHA512 | 3c5d83e738534c4ac0713b5c116bdf631b564cab66985488e774409d89d4217b15f7b4d1125192155a4943ff3a81fa41e606de408ffb1a46a6a0a426634ea7fe |
\Windows\system\NAQQZTQ.exe
| MD5 | 1d51a6f9f8f706d40a78f27cac287065 |
| SHA1 | 981c2096ede4558d1ebc91ef5d6ea849a5e05a26 |
| SHA256 | 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1 |
| SHA512 | f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97 |
memory/1896-8-0x0000000002300000-0x0000000002654000-memory.dmp
memory/1896-132-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/1896-133-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/1984-134-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2888-135-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2556-136-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/2524-138-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/2616-137-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2644-140-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2384-141-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2088-139-0x000000013F700000-0x000000013FA54000-memory.dmp
memory/2408-142-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2356-143-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2428-144-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/2852-145-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2820-146-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/1852-147-0x000000013FFC0000-0x0000000140314000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 04:45
Reported
2024-06-10 04:50
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qPetckh.exe | N/A |
| N/A | N/A | C:\Windows\System\CRFwntD.exe | N/A |
| N/A | N/A | C:\Windows\System\hKJxSnF.exe | N/A |
| N/A | N/A | C:\Windows\System\LhAsFiu.exe | N/A |
| N/A | N/A | C:\Windows\System\NAQQZTQ.exe | N/A |
| N/A | N/A | C:\Windows\System\qHRPASa.exe | N/A |
| N/A | N/A | C:\Windows\System\wuhkSgu.exe | N/A |
| N/A | N/A | C:\Windows\System\zUMHIKO.exe | N/A |
| N/A | N/A | C:\Windows\System\ZLZPjcl.exe | N/A |
| N/A | N/A | C:\Windows\System\lrCicGD.exe | N/A |
| N/A | N/A | C:\Windows\System\hUeQLxX.exe | N/A |
| N/A | N/A | C:\Windows\System\FqvCKxF.exe | N/A |
| N/A | N/A | C:\Windows\System\ciKLhmF.exe | N/A |
| N/A | N/A | C:\Windows\System\eTesOkB.exe | N/A |
| N/A | N/A | C:\Windows\System\yULUIrw.exe | N/A |
| N/A | N/A | C:\Windows\System\igXaePc.exe | N/A |
| N/A | N/A | C:\Windows\System\OwkBpUM.exe | N/A |
| N/A | N/A | C:\Windows\System\EJXXzaQ.exe | N/A |
| N/A | N/A | C:\Windows\System\aQVpZzK.exe | N/A |
| N/A | N/A | C:\Windows\System\FuqhzMh.exe | N/A |
| N/A | N/A | C:\Windows\System\kWtJMWy.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\qPetckh.exe
C:\Windows\System\qPetckh.exe
C:\Windows\System\CRFwntD.exe
C:\Windows\System\CRFwntD.exe
C:\Windows\System\hKJxSnF.exe
C:\Windows\System\hKJxSnF.exe
C:\Windows\System\LhAsFiu.exe
C:\Windows\System\LhAsFiu.exe
C:\Windows\System\NAQQZTQ.exe
C:\Windows\System\NAQQZTQ.exe
C:\Windows\System\qHRPASa.exe
C:\Windows\System\qHRPASa.exe
C:\Windows\System\wuhkSgu.exe
C:\Windows\System\wuhkSgu.exe
C:\Windows\System\zUMHIKO.exe
C:\Windows\System\zUMHIKO.exe
C:\Windows\System\ZLZPjcl.exe
C:\Windows\System\ZLZPjcl.exe
C:\Windows\System\lrCicGD.exe
C:\Windows\System\lrCicGD.exe
C:\Windows\System\hUeQLxX.exe
C:\Windows\System\hUeQLxX.exe
C:\Windows\System\FqvCKxF.exe
C:\Windows\System\FqvCKxF.exe
C:\Windows\System\ciKLhmF.exe
C:\Windows\System\ciKLhmF.exe
C:\Windows\System\eTesOkB.exe
C:\Windows\System\eTesOkB.exe
C:\Windows\System\yULUIrw.exe
C:\Windows\System\yULUIrw.exe
C:\Windows\System\igXaePc.exe
C:\Windows\System\igXaePc.exe
C:\Windows\System\OwkBpUM.exe
C:\Windows\System\OwkBpUM.exe
C:\Windows\System\EJXXzaQ.exe
C:\Windows\System\EJXXzaQ.exe
C:\Windows\System\aQVpZzK.exe
C:\Windows\System\aQVpZzK.exe
C:\Windows\System\FuqhzMh.exe
C:\Windows\System\FuqhzMh.exe
C:\Windows\System\kWtJMWy.exe
C:\Windows\System\kWtJMWy.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\qPetckh.exe
| MD5 | 6189332d86c9348ac47283258c190a7c |
| SHA1 | f6dc39b5475af2c244c9eb8f9b55e8792aafbdc9 |
| SHA256 | 594853168962cf940e5f3394f538ec6b6690fb74141ad89a6df4a0da6847c0bd |
| SHA512 | c09892beeb9047d5dd9a0f03a5e6025e3c2c168ba1a3acbfd142eb29f854f5ffb58c9a01ce69eecc642fd7117c28ff5c94d718db7314620ef69105ff775889f3 |
C:\Windows\System\hKJxSnF.exe
| MD5 | 210dc6bdff74481cefd4b3ac65168815 |
| SHA1 | a6fe8913f5c544886bd742b6321219c79ee53bdb |
| SHA256 | 02f849832e15f12fd85d1231faa83aba742ab70ab9deba6e7635de9d13e81daf |
| SHA512 | cc520bc1f8c6889549b3d769b4125b0666e899b538f02ae640a25ef3def38071f5d54da23a0b4c8c29bb1e5a4075d19935b74f4c8e64e43249cf037960ccf19a |
C:\Windows\System\CRFwntD.exe
| MD5 | 28b714814bd20a40fb5f5cd79ec90d33 |
| SHA1 | 3025dde39423cbaa732f0a80fa65bd99cfeda6f8 |
| SHA256 | b566bf8245e42684615a7f68b265d5556ef466df20efd60a1870f0be3f15f588 |
| SHA512 | 80cf781846291d355a5bc77b083784aea88d4600c76e912e2b9c0d92149c06a09e70c83459a50e023809c6567f05cd25dd34b29c461daf674bd7bcec26a149e9 |
C:\Windows\System\LhAsFiu.exe
| MD5 | 97670e65f1680ff81eb8df51e3d05a19 |
| SHA1 | fb3855e5edea54ee0b085846a58c839af4527392 |
| SHA256 | e7f2eb724c4956bea424be0998d301d17a7f50b9336cb82d2ee941cd2201fcbb |
| SHA512 | acb88104ef3e253f89fb89fe1b28dc7bcb9c6e1a1df0e6387f0f0c205f704b0802eba1fe86cf90f9ffde967f235775bb86d085046fef92fd5b62fcaf42ea8d36 |
C:\Windows\System\NAQQZTQ.exe
| MD5 | 4e982d454be6a94412ccb93347ac561e |
| SHA1 | 45fdef1bab940d4d0c91ad50d4d9fb21bcf109e3 |
| SHA256 | e52c18bfb655dba63059a79b51dbded78554b85042544cf7e02767eeb6585b6f |
| SHA512 | 374ff404bfe25f99477cc81b9a1d35dae04c0e6e6e77381942a942928404cb1e96835713ab4b481b81b67266700b1ba61e7993a1b2a1e52e5e481415354544bb |
C:\Windows\System\qHRPASa.exe
| MD5 | c8cfc1a4842f167de3c2fc30fa0fb9d7 |
| SHA1 | a6ebeadf6b4c4edc953619ad094c628be63fedcc |
| SHA256 | cdf2a343b60a71f96ec526b8674c725e41eb8589125c2e1da2ed9bd18ade99b2 |
| SHA512 | bb63168c8f8460f0624d1e7ef26c0487fa2da43b7c2cc71a7eaef185822167ad9920efbbbfd35288804938da1a3b26b32c36fafb614af36a748e0615754179f8 |
C:\Windows\System\wuhkSgu.exe
| MD5 | 0771f1aabae63a5e5112658969b6d5d1 |
| SHA1 | 6bd2abb49c8a5058f37adaa9d7613a39a1a7267a |
| SHA256 | 1d3ae39eff8bcb6ff4c994afc210f9f2cea6c7be42b1407e8ac9153b27b6b7f6 |
| SHA512 | d612905276bb914e25f82621a980939d239138febd74a225f6e8bee2584457b6d687ddb3980ad390d6d4c0cbb65f0756f5a2dfbd8208e2427fceb26f390db8ea |
C:\Windows\System\lrCicGD.exe
| MD5 | 551ebd62c0edbd273085266cd43fc25a |
| SHA1 | 771a66a9f6c07916a93072c48e914480b3c74fe8 |
| SHA256 | f582d9240d9b31cbbcfb5de3d20e5921c6dd89bcf58562383b69b474cb01bdbb |
| SHA512 | ff46377423de12cfb1836275d545b12e03567271a67d9138200ebc818a582664611a92c1025e8d29442d0d014ff2f8377b6bac8be5c865880b841e4598c200ea |
C:\Windows\System\ZLZPjcl.exe
| MD5 | ca7874797c51af95160d66c61c9f3499 |
| SHA1 | 1afc74ba045808b8836846b4696a8b35a0e6926d |
| SHA256 | f205bc8e9396250dd82cc50f0baaab41b670eab42576ba91f25be292a499ac63 |
| SHA512 | ecdd1721bb7ae7b9674d87e489a654852440dc68f0126cb7012d5e59098be7f949279a9600f90223d3d157762957c16097453a68ee6fb43499e493a37ec267c2 |
C:\Windows\System\zUMHIKO.exe
| MD5 | a3f9ca693d13f5fe11d9ab41cb0cdbcb |
| SHA1 | 82e936659f7724d4a51610c4343ca68ab5f0cd3d |
| SHA256 | 9c1eb011a09aff30488b084bef61b34d0c2074e570b3641c69c3e408bb8acbdb |
| SHA512 | c20e1d8412f7db46b8c90dc2ed99ad67dbc1af2be452979b520345640278ed2910718bbc1bfa211c6b3406ceb7086d1faaed901f3636d882dc7850d6b01dc625 |
C:\Windows\System\hUeQLxX.exe
| MD5 | 641d52970116ac5f7622aae1407d1165 |
| SHA1 | aa24c85abfe4bb67b71c9a70a4dc1c64ac259ab8 |
| SHA256 | 9e29c5b9a965b55c00eb0fc6e28ec6adc36b5c4d19623a6f78bf529204e9966e |
| SHA512 | deebd96d990ff2f512ee36cb75a2302516c5eedadefacc08dd159b9f44c798508c2318ea53aa95501de43b491855c042375990b86a76ce6108f64797594a3f13 |
C:\Windows\System\FqvCKxF.exe
| MD5 | 7714ececc84a592d7a9154c3fb31cb2e |
| SHA1 | a16046ebfebdfbab8185480106746e6a16da82fc |
| SHA256 | 9dd5c6e62613d6169639255ec82cc443f0b9cc1238a3a32d153d7dda373a2b22 |
| SHA512 | 18b148c513f6096f10d821cc4f19f65615647e4b0141ffd1cddcaa9f2ed0f375cf4d139ee9638520902b969facf7a00104c2d951b3a4a979cfd18831f0db2b1d |
C:\Windows\System\ciKLhmF.exe
| MD5 | 7befa4f2ec45d010a2ad2f246ba0d7a4 |
| SHA1 | 39e394bb451871033bcdc821a19f2b4b0189b49b |
| SHA256 | 6b0cf2cf16e7747e6e8aeeab5f4af2ceec9a030dce0d21661a337a2d985e9154 |
| SHA512 | 9e86719c60054ee63eec0d54d8173f698618bd31eafc8634246a7719b482de811f27b41c0bb7fd588ba18f4706b6d74d8d12c18c4c5bd71682b38e1515b9d8cf |
C:\Windows\System\eTesOkB.exe
| MD5 | d72aa71a9ebfb4f322fbea9083e70474 |
| SHA1 | 1da5361ab4de63c1e448f2276d3e3dd99ee0a4a1 |
| SHA256 | 8dde8a8e9986490a3103fe38b912e80df5b56fe824914dec90ce2fe8cb4bc650 |
| SHA512 | af12ac250c7e5efd48de355dd58f0906316ffa218e2ed9ca2db26d98a21fa25e39774bb62e9a1c4fc8997b4b74159f36ea9c7ee8283fe5a24123efc2014f15e0 |
C:\Windows\System\yULUIrw.exe
| MD5 | 193fc8ac1ff697a91e729ecd3eb15d21 |
| SHA1 | fa37723635307bbdd02e90db3873283563d8eae8 |
| SHA256 | b7cf926a9c24b68dd5997a5f0ac5f4cc905df138c20bd0274991a08c7790baf5 |
| SHA512 | 85ba7119dfef6bd18d3a6164de9c77f2fbc5b61ce7e171aea20c8ba22e0dadeb82c61212b0483dd83316c0cf2f8dcad7bdfb359d918179a4df6731e9f3f87784 |
C:\Windows\System\igXaePc.exe
| MD5 | 2253bb82793ce359f2ba5330ec91ced0 |
| SHA1 | 3192761f8f37e51f0291f7f325bbb96b7703002b |
| SHA256 | 76b18316c68544505d436268b9e62e845b2809fa59326ce6b60702e37748e10e |
| SHA512 | 8657f9145ad1c3c0a04528cfda95b88400d5a13ce634da406b54683d6740ec5048d621ec9c5658fb3e59db53ee2b719c56e765d8fbc69d8b704023469e2e77bc |
C:\Windows\System\aQVpZzK.exe
| MD5 | 0ece9f7e895f1525d3de17c6dab8c22c |
| SHA1 | f0c7c9a063b9b11af11e173369157533f08c0452 |
| SHA256 | 5eaf8f927d19929d4aab0b266512d7a49db5c2e7ee2c6d91f8d8ee651081f1b9 |
| SHA512 | 2f96498bba26cab6077423d9e8b4f06c93cb7a0c69a5e2684f776c9d74c6d8b83f21037457d922a603947fed51c99d17c314157061c9545a44ddb3760f16da1e |
C:\Windows\System\FuqhzMh.exe
| MD5 | 7e941c6044f17b2521e01bdfe5c43a40 |
| SHA1 | 65c436dde6add6baec22405b300f34af99fede1b |
| SHA256 | 7fd995ccbc10e29c11a0ff8ca7bc8ae1fc6e83d7fc2e63635c97b884f7282b77 |
| SHA512 | 1482bc79cd6c68d3bc07c77a1eb8274b0319e32934a6f2a5252829cc96f591ee1f36813fc6578b92d43843798e4e6072a5db7e24ab1392d99cc4ae7ab4da2d59 |
C:\Windows\System\EJXXzaQ.exe
| MD5 | 8865e8e21ff78d30b99f70e03d4e96ab |
| SHA1 | 8c1417e42dc109202b77533ed1e0ad73fd15f02c |
| SHA256 | 0ca986be3ac5bef3769c51c3d537c68b3abfcca2a3ddc9b19d5d898989ba94b5 |
| SHA512 | 449ad25780ac39cf43747835151ad387145f51841b14cee76ffa7f645370e25e2343c105819afd1f7f7fcef2df33d090e92257a6d7b73c58108efa6d9f839003 |
C:\Windows\System\OwkBpUM.exe
| MD5 | 85714472751594131947fac558962608 |
| SHA1 | a05b32aaada2e070d00cdfcbec88fbf67aaabf0e |
| SHA256 | 92c34106909f58c0120bc05675400c833638d8d332fece8b9a49a392214b13df |
| SHA512 | e79aca615484a1f92992de3420cafa89b3132ddb953ec96d545f5e00e52da5b0793c0ee9437d0eb409242467ecdfd717653ae6b6798d32fbe8a75f5445c0e1ba |
C:\Windows\System\kWtJMWy.exe
| MD5 | d1f135638dc4374f54c16a2e064cb07e |
| SHA1 | 9468b1b5db6c91110e844d2200e59e0ec34dc070 |
| SHA256 | 83729fdc15adda77299e5d83e74c8ec61df7e73280b3c980fe671e8860674b11 |
| SHA512 | 2994d556c682a89eb4e5ee05d99f8a967acaf9b482c14044f87300187360214567dca5c0ebd02617569bae4370c9a06d23f296634244c08f8d23e6af12cc8bc0 |