Analysis Overview
SHA256
53aa2abccd9967aa645323fdef3cf9e516f513a6b3669b8cb2606338ec6e6f8a
Threat Level: Known bad
The file 2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike family
Cobaltstrike
Cobalt Strike reflective loader
xmrig
Xmrig family
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 08:03
Signatures
Cobalt Strike reflective loader
1 match, all fields N/A.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match, all fields N/A.
UPX dump on OEP (original entry point)
1 match, all fields N/A.
XMRig Miner payload
1 match, all fields N/A.
Xmrig family
UPX packed file
1 match, all fields N/A.
Unsigned PE
1 match, all fields N/A.
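The static signatures above ("UPX packed file", "Unsigned PE") are both header checks a triage script can reproduce. The following is an added example, not the sandbox's own logic and not code from the sample: it parses just enough of the PE headers in pure Python (no pefile dependency) to list section names and read the Authenticode security data directory, and it builds a constructed PE32+ header to run against, since the sample itself is not on this page.

```python
"""Static triage for the 'UPX packed file' and 'Unsigned PE' signatures.
Added example; the PE images it runs on are constructed headers, not the
sample from the report."""
import struct

# Section names the stock UPX stub writes. A repacked or patched stub can
# rename them, so a miss here is not proof the file is unpacked.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the Authenticode directory


def parse_pe(data: bytes) -> dict:
    """Return machine, section names and the security directory of a PE.

    Raises ValueError for anything that is not a well-formed PE header.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    machine, num_sections = struct.unpack_from("<HH", data, coff)
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:                       # PE32+ (64-bit)
        num_rva_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:                     # PE32 (32-bit)
        num_rva_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (num_rva,) = struct.unpack_from("<I", data, num_rva_off)
    security = (0, 0)
    if num_rva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        security = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    table = opt + size_opt                   # section table follows the optional header
    sections = [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0")
                for i in range(num_sections)]
    return {"machine": machine, "sections": sections, "security_dir": security}


def triage(data: bytes) -> dict:
    """Flags the two static signatures from the report for one PE image."""
    info = parse_pe(data)
    va, size = info["security_dir"]
    return {
        "sections": [s.decode("ascii", "replace") for s in info["sections"]],
        "upx_packed": any(s in UPX_SECTION_NAMES for s in info["sections"]),
        # A zero security directory means no embedded Authenticode signature.
        # Catalog-signed OS binaries also show zero here, so pair this with a
        # catalog check before calling a Windows component unsigned.
        "signed": va != 0 and size != 0,
    }


def build_sample_pe(section_names, signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a runnable binary."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=AMD64, NumberOfSections, timestamp/symbols=0, SizeOfOptionalHeader=240
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)    # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)     # NumberOfRvaAndSizes
    if signed:                               # fake non-zero security directory
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x2000)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    print(triage(build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], signed=False)))
    print(triage(build_sample_pe([b".text", b".rdata", b".data"], signed=True)))
```

Two caveats when reading the result: the section-name test only catches an unmodified UPX stub (the "UPX dump on OEP" signature above is a runtime hit taken when the unpacker jumps to the original entry point, which no header check reproduces), and `upx -d` will refuse a stub whose headers have been tampered with, so a dump from the sandbox is the more reliable route to the unpacked image.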
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 08:03
Reported
2024-06-11 08:05
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches, all fields N/A.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches, all fields N/A.
UPX dump on OEP (original entry point)
64 matches, all fields N/A.
XMRig Miner payload
64 matches, all fields N/A.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\emeXVxL.exe | N/A |
| N/A | N/A | C:\Windows\System\vqzxDrz.exe | N/A |
| N/A | N/A | C:\Windows\System\XLzVWjv.exe | N/A |
| N/A | N/A | C:\Windows\System\cfqOdZk.exe | N/A |
| N/A | N/A | C:\Windows\System\buWdjCW.exe | N/A |
| N/A | N/A | C:\Windows\System\mdKcAEl.exe | N/A |
| N/A | N/A | C:\Windows\System\jjRVBBv.exe | N/A |
| N/A | N/A | C:\Windows\System\ydqVMLX.exe | N/A |
| N/A | N/A | C:\Windows\System\SmksLtK.exe | N/A |
| N/A | N/A | C:\Windows\System\QxfvPPi.exe | N/A |
| N/A | N/A | C:\Windows\System\aaZJEEp.exe | N/A |
| N/A | N/A | C:\Windows\System\vpVdBGT.exe | N/A |
| N/A | N/A | C:\Windows\System\OHCgklp.exe | N/A |
| N/A | N/A | C:\Windows\System\VgPciEp.exe | N/A |
| N/A | N/A | C:\Windows\System\bfTjydH.exe | N/A |
| N/A | N/A | C:\Windows\System\CEWGhdc.exe | N/A |
| N/A | N/A | C:\Windows\System\ZdHAjdg.exe | N/A |
| N/A | N/A | C:\Windows\System\QUBWBNJ.exe | N/A |
| N/A | N/A | C:\Windows\System\pZZZkyM.exe | N/A |
| N/A | N/A | C:\Windows\System\ppNCGZn.exe | N/A |
| N/A | N/A | C:\Windows\System\XvJKtzM.exe | N/A |
UPX packed file
64 matches, all fields N/A.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\emeXVxL.exe
C:\Windows\System\emeXVxL.exe
C:\Windows\System\vqzxDrz.exe
C:\Windows\System\vqzxDrz.exe
C:\Windows\System\XLzVWjv.exe
C:\Windows\System\XLzVWjv.exe
C:\Windows\System\cfqOdZk.exe
C:\Windows\System\cfqOdZk.exe
C:\Windows\System\buWdjCW.exe
C:\Windows\System\buWdjCW.exe
C:\Windows\System\mdKcAEl.exe
C:\Windows\System\mdKcAEl.exe
C:\Windows\System\jjRVBBv.exe
C:\Windows\System\jjRVBBv.exe
C:\Windows\System\ydqVMLX.exe
C:\Windows\System\ydqVMLX.exe
C:\Windows\System\SmksLtK.exe
C:\Windows\System\SmksLtK.exe
C:\Windows\System\QxfvPPi.exe
C:\Windows\System\QxfvPPi.exe
C:\Windows\System\aaZJEEp.exe
C:\Windows\System\aaZJEEp.exe
C:\Windows\System\vpVdBGT.exe
C:\Windows\System\vpVdBGT.exe
C:\Windows\System\OHCgklp.exe
C:\Windows\System\OHCgklp.exe
C:\Windows\System\VgPciEp.exe
C:\Windows\System\VgPciEp.exe
C:\Windows\System\bfTjydH.exe
C:\Windows\System\bfTjydH.exe
C:\Windows\System\CEWGhdc.exe
C:\Windows\System\CEWGhdc.exe
C:\Windows\System\ZdHAjdg.exe
C:\Windows\System\ZdHAjdg.exe
C:\Windows\System\QUBWBNJ.exe
C:\Windows\System\QUBWBNJ.exe
C:\Windows\System\pZZZkyM.exe
C:\Windows\System\pZZZkyM.exe
C:\Windows\System\ppNCGZn.exe
C:\Windows\System\ppNCGZn.exe
C:\Windows\System\XvJKtzM.exe
C:\Windows\System\XvJKtzM.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.121.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 78.239.69.13.in-addr.arpa | udp |
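Three behaviours in this run are worth turning into detections: 21 executables with random seven-letter names launched from C:\Windows\System (the legacy 16-bit directory, not System32, and close to empty on a modern install), SeLockMemoryPrivilege enabled by the sample (the privilege XMRig needs for large pages, but also the one SQL Server's "Lock pages in memory" setting uses), and seven TCP connections to the same 3.120.209.58:8080. The following is an added example, not the sandbox's logic: the events are constructed Sysmon/4703-style records that mirror the report, the allowlist is an assumption to tune per estate, and which process held the sockets is assumed, since the report does not say.

```python
"""Added detection example over constructed telemetry that mirrors the
behavioral2 run above. Not sandbox code; event shapes are simplified."""
import re
from collections import Counter, defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe")
SVCHOST = r"C:\Windows\System32\svchost.exe"
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"  # constructed path

# Constructed events. Which process made the 8080 connections is an assumption.
EVENTS = [
    {"type": "process_create", "pid": 4876, "image": SAMPLE, "parent": r"C:\Windows\explorer.exe"},
    {"type": "privilege_adjust", "pid": 4876, "image": SAMPLE, "privileges": ["SeLockMemoryPrivilege"]},
    {"type": "process_create", "pid": 1876, "image": r"C:\Windows\System\emeXVxL.exe", "parent": SAMPLE},
    {"type": "process_create", "pid": 2020, "image": r"C:\Windows\System\vqzxDrz.exe", "parent": SAMPLE},
    *[{"type": "network_connect", "pid": 4876, "image": SAMPLE, "dst": "3.120.209.58", "port": 8080}
      for _ in range(7)],
    # benign noise: a service host, a DNS lookup, and SQL Server's legitimate
    # use of the same privilege
    {"type": "process_create", "pid": 900, "image": SVCHOST, "parent": r"C:\Windows\System32\services.exe"},
    {"type": "network_connect", "pid": 900, "image": SVCHOST, "dst": "8.8.8.8", "port": 53},
    {"type": "privilege_adjust", "pid": 1200, "image": SQLSERVR, "privileges": ["SeLockMemoryPrivilege"]},
]

# C:\Windows\System without the "32": anything executing from there is odd,
# and seven random letters + .exe is the naming the dropper uses on both OSes.
LEGACY_SYSTEM_EXE = re.compile(r"^[A-Za-z]:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
# Assumed allowlist for SeLockMemoryPrivilege holders; extend for your estate.
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe"}
BEACON_THRESHOLD = 3   # same pid -> same ip:port this many times
IGNORED_PORTS = {53}   # DNS repeats constantly; give it its own rule instead


def detect(events):
    """Returns (rule, pid, detail) tuples for every event that trips a rule."""
    findings = []
    seen = Counter()
    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and LEGACY_SYSTEM_EXE.match(ev["image"]):
            findings.append(("exec_from_legacy_system_dir", ev["pid"], ev["image"]))
        elif kind == "privilege_adjust" and "SeLockMemoryPrivilege" in ev["privileges"]:
            exe = ev["image"].rsplit("\\", 1)[-1].lower()
            if exe not in LOCK_MEMORY_ALLOWLIST:
                findings.append(("lock_memory_privilege", ev["pid"], ev["image"]))
        elif kind == "network_connect" and ev["port"] not in IGNORED_PORTS:
            key = (ev["pid"], ev["dst"], ev["port"])
            seen[key] += 1
            if seen[key] == BEACON_THRESHOLD:   # fire once, when the threshold is reached
                findings.append(("repeated_connection", ev["pid"], f"{ev['dst']}:{ev['port']}"))
    return findings


def severity_by_pid(events):
    """Aggregates per process: one distinct rule is 'medium', two or more 'high'."""
    rules = defaultdict(set)
    for rule, pid, _ in detect(events):
        rules[pid].add(rule)
    return {pid: ("high" if len(r) >= 2 else "medium") for pid, r in rules.items()}


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
    print(severity_by_pid(EVENTS))
```

None of the three rules is conclusive alone (the report itself only calls AdjustPrivilegeToken "suspicious"), which is why the aggregation escalates a process that trips two of them; in this run the sample process trips both the privilege and the beaconing rule, while each dropped EXE trips only the path rule and relies on its parent for context.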
Files
memory/4876-0-0x00007FF688AE0000-0x00007FF688E34000-memory.dmp
memory/4876-1-0x000001F87E8A0000-0x000001F87E8B0000-memory.dmp
C:\Windows\System\emeXVxL.exe
| MD5 | 535fac48e40a7116af7a43378934657f |
| SHA1 | 2d83e7a819eee7a16bba69b90596a54b61c5090c |
| SHA256 | a9c289fc967d4e93e44e8fe90a8a6eae6f787b2ef90f7f064dea18bba9e54c35 |
| SHA512 | f196aeda2b81e6c30a5bffec495ea440124b06093a7d615c80a5c60fdf584c10f4937ea6d3654d52580e0bf4cec01b2731ede3805ac9fe3602f8717ecc235f17 |
memory/1876-8-0x00007FF69C390000-0x00007FF69C6E4000-memory.dmp
C:\Windows\System\XLzVWjv.exe
| MD5 | b5b6a323245caa23ecfbb24d7e1100a3 |
| SHA1 | 8c44d6e70caec7993313782d2f8243bf55cfd908 |
| SHA256 | f6df7f28dcc6e4290331efb79f9f82d9b5caf9e4f71dac3fc0ebad6cc4dfdf80 |
| SHA512 | b71d6ed2781cf8754c11f6191b3f99b5c95d2665ab37cb69b6a4cb23ebb9e906b9ce743f0ca0bc9f422222d180816f4fa1539471ce6c19d1ace7c0567582e97c |
C:\Windows\System\vqzxDrz.exe
| MD5 | e5a4e23c94a2cd62f4b5eab0ff69ccec |
| SHA1 | d2ecf1574f8819ca3bc4a5d9ad785720772859d0 |
| SHA256 | 7e167473bd094b75653cc1464caa79d05eca9b81ce51501e41a8e6db9e825048 |
| SHA512 | 149d6bf5e45f8eda595d8c6c6b2e292a29ff44b176f9e59a7f342a03760b323202a81f6a9886c85893fa0e08d6bdd524f960cc9c26c800b45f7353a09fc24301 |
C:\Windows\System\buWdjCW.exe
| MD5 | 1e72da1ae48cef11bd3ee9600b86febf |
| SHA1 | e2e6fb3e475fad74b9a2a4950637e2c5ad3e9462 |
| SHA256 | d58cf0e90633b7d6580446884966f9602c77eab1b37b22188270819f1648b695 |
| SHA512 | 189fce4f6cb9e5eaa481b20c490067a31b0dfd5e0c549f20de643ae9fb12671fc92b524273c4b75c626cc35c6c24191a54fd0f703cd1fc2873519b7e4202a462 |
C:\Windows\System\cfqOdZk.exe
| MD5 | 365e0845446d134c2e6ad9ea4d343664 |
| SHA1 | 9ef155d64f8de80d6f25ae3ac3216a3d880b6809 |
| SHA256 | 89e5df68ea4d80f94aa10b5099ce6b62dd115e1b229041ae78f94e5c0b142487 |
| SHA512 | ec38331274e393c35362cd16b0819dbd235b90fba40c01b1b5ad97d63163e35790a589c2966a141f6277ad2570a3d3c1aa87f8efe6301345753a3e08dc4829f5 |
memory/1596-40-0x00007FF7851E0000-0x00007FF785534000-memory.dmp
C:\Windows\System\ydqVMLX.exe
| MD5 | 34ffca504647d1ea9ef3d69654f3d769 |
| SHA1 | 140ee67ac4ad3b082b30fb72930321475231d7ca |
| SHA256 | d39b949fb8a610952c7da66ea758c2cefa9fa77eb8c5867870ed6e5b16d8a956 |
| SHA512 | c14171798814f6f5c89d799b32f6b143329506474f8c7fc6d74b444e7535b8f7bbf4e8b88e12f130296787eaa0494015745d36405567c64ada2aa5e37a117519 |
memory/4744-48-0x00007FF69F130000-0x00007FF69F484000-memory.dmp
memory/2420-53-0x00007FF78B0D0000-0x00007FF78B424000-memory.dmp
C:\Windows\System\QxfvPPi.exe
| MD5 | 0fcc4c67ddb30be2bb984a16beaad938 |
| SHA1 | a3a1aaea05f53b5c696f2d8b04ce7e7f3bcd94d9 |
| SHA256 | 53cf744357e58f6df2b98f724ab6883205e60d357b8e6523e8a7b79f47c0ad6c |
| SHA512 | 3e72a7ec12bbc8dbfbfd4460625e21899430fa7d9472f28b25a0010e2f85b0f5c339910c5d794d08217b4007c8cbed17ed25e7a28774708eb7d1a414cacfa32b |
C:\Windows\System\aaZJEEp.exe
| MD5 | 06a6f4b881cfc4020efddd53773494a0 |
| SHA1 | c36405f390408b546beef1561fb528a69f69ee3c |
| SHA256 | 9a27cba09715dcc8f3b4e32c93dab8d19067824d44f97c9979aa8c8f6997170a |
| SHA512 | ff144940f0566d18dd58568952d29736b5152b4a6c5ecbb9f080025802997d87b761ccd36e63717878a08edf15dc1bfed1a536df9e822224b2014fd10ec4a463 |
memory/3640-68-0x00007FF798D00000-0x00007FF799054000-memory.dmp
memory/1964-70-0x00007FF701DF0000-0x00007FF702144000-memory.dmp
C:\Windows\System\vpVdBGT.exe
| MD5 | a523f928375169e9144be7e68b3fdb1c |
| SHA1 | 92bc74bd2ee39ad763af5a0db1c471d728cce424 |
| SHA256 | 022640a38cabd43e0f6dfa19db02aeaf673dcb872f399d4087636a7a0eeb48af |
| SHA512 | 96a38816ce9c829dfdaef2c89303f950c5e1c4525e412747a2c0315997a5decc93a35172f65ac61c5423f8167a1ea29bfd5a8d010ee0dae5c149d41b667309dc |
memory/2920-69-0x00007FF772D20000-0x00007FF773074000-memory.dmp
memory/2636-66-0x00007FF620B90000-0x00007FF620EE4000-memory.dmp
C:\Windows\System\SmksLtK.exe
| MD5 | a92b6f0cb537f052a918a11539138e11 |
| SHA1 | d39f088610795b306b883ecf78ed95e828512fd3 |
| SHA256 | 5d2f8f720af14a887a0de98922aa334c184af4eb27978f3934adac3175aff201 |
| SHA512 | b9fdb60a7a36ba3651635478291adc7edae506b6d86d4365864cf8f18048abcea54491fdc78c71b5e9f7d369e58c973e6aaa6dc593f6dda4d17f4772dfbc2131 |
memory/3432-41-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp
C:\Windows\System\jjRVBBv.exe
| MD5 | a05b32c1a39b9170cea04e6e2de8790e |
| SHA1 | ff5bad39c1e997b5831a6cb294bbc5b7bcd61c1a |
| SHA256 | 8fdbc6f799ef83e9275c3830233a90504288006beb6e74e48f3770f4c35a4eac |
| SHA512 | 29e4ee2c1314e9e765c8c64757866e0cb358472d2809201b081ee1200d3d7eb719c1871d38116f49fa27e8c74deeb94e0c17a3884a0a20450faa2c5d226ae21e |
memory/4036-38-0x00007FF6C0590000-0x00007FF6C08E4000-memory.dmp
C:\Windows\System\mdKcAEl.exe
| MD5 | 6a3074ad81a30b32c89879fa4fbad5fe |
| SHA1 | 2cc14077271d98a55c7e1176a6c9bdc6a7ead2f8 |
| SHA256 | 4168c0c6dfbfbee1f244fef294e19620a823ab826d727a77a6b3c36f3fb905c7 |
| SHA512 | f37ab4923a5435f2ee6f573b24549b14dc2bef9bcaefc6d07ca5968a0530eaaaca1d7097dfb2d8e5a093ace1bddef2d62fac6da383b7e13cfe8442023c593790 |
memory/4388-22-0x00007FF647980000-0x00007FF647CD4000-memory.dmp
memory/2020-21-0x00007FF6BD660000-0x00007FF6BD9B4000-memory.dmp
C:\Windows\System\OHCgklp.exe
| MD5 | b0de1cd1aec4091a9cc837ad0dac0079 |
| SHA1 | 339be024641417633bf9fdc06690aad954b60a87 |
| SHA256 | 871e384267f5c12538257a15847203ed0de5d5970e568325cec81d817be91694 |
| SHA512 | 61d8ab1b8cf1cf2fcaf9e737c60830b2047e939bee8134acae841b83245f5d397600e3f51052cbcb5d1815fb4ba65c74e0a87f97bbcc93a55523d1439ec7741a |
memory/4876-78-0x00007FF688AE0000-0x00007FF688E34000-memory.dmp
C:\Windows\System\VgPciEp.exe
| MD5 | 4ea5bf8b9925bcb047217b12b0f3a82d |
| SHA1 | 923ce9df3f3f74643414e52e98202b0c3d8dc55d |
| SHA256 | 7345e8f482756da246da2217d6ce40c1cba8ec6c1ca5f06fbf62a03795d28343 |
| SHA512 | cd7d600c7d364873bec7709048aca7c68288401b6e28ad745796b83ded5d73bfb3664c86a041a170ce2688ebae415cf7cb0ff7115d910177da5c6546ec010b3b |
memory/4224-84-0x00007FF69F360000-0x00007FF69F6B4000-memory.dmp
memory/1956-81-0x00007FF791FC0000-0x00007FF792314000-memory.dmp
memory/1876-91-0x00007FF69C390000-0x00007FF69C6E4000-memory.dmp
C:\Windows\System\bfTjydH.exe
| MD5 | 9922d581de76ba0ef0d61aecca81374f |
| SHA1 | 8f284fbc45560740af49af3b5429bc5ceee00a15 |
| SHA256 | 7e8ddcba4615f85b6489be4ca5685eecf847d5a3497863a42ddbff8f6df4589d |
| SHA512 | f5e1d488c7bc03746ad8c0a6dab3f6f8e339e51fd5bc705d91f0b71e6910d411dd4450aa152e73c00899c9afaf5e8468615d56f99381c70002835e0025317c23 |
memory/2908-100-0x00007FF6A2690000-0x00007FF6A29E4000-memory.dmp
C:\Windows\System\CEWGhdc.exe
| MD5 | d86ebc6d39894943a08c48cee0838592 |
| SHA1 | ae3c957e2049e17eacfe423494c3a4d6062c0274 |
| SHA256 | 6fc5645dd522c375eb24ec555c817a8fd5e152238396a395b293e2281c9e3b35 |
| SHA512 | 256a201cbab1f89ccac5faa66b388e903c5a5ad3da201be5061f6edb9e93aa7f034fbd59774ac7aa3b73a42761c1c93ac856ab7f4ec631daa1a2ff60f5e8c7bf |
memory/2364-97-0x00007FF780A90000-0x00007FF780DE4000-memory.dmp
C:\Windows\System\ppNCGZn.exe
| MD5 | 91f729216c92eb00aabf8b696cef6d4f |
| SHA1 | 2b00d5cc599cc18496d7d5cd349f7d8bc279795c |
| SHA256 | 3670f3345c9779686e77540f312590a58c61a54284c711f0568d54bd49d3d3d4 |
| SHA512 | f67f0137c167a54f388794867d02e519afdf1c82df33e8657716036d58f78752ae59ebe5eabdff42ae699744dce11b58e1b6abd93f3b586633314035201bd0dd |
C:\Windows\System\XvJKtzM.exe
| MD5 | b58de23e85c3e82ea0ac11128704cfa0 |
| SHA1 | 2741e9f59475ecd91243620b0d8df0995cce2c65 |
| SHA256 | a40fcf98f6c0224fcd7191001ff43cd3dc5ef7b8ce5421313cde757dca4c2de5 |
| SHA512 | 63312f92c22e395a38e5c7d42e8b8e74fc51d20c97c11017cd726c98e70d12f20a95e3644dc0106aa629499377372d4efa29d21074ddddb2bf55912d561f85ba |
C:\Windows\System\pZZZkyM.exe
| MD5 | f58eee34ffb6ef25460661a18a711a7b |
| SHA1 | f32043d3fb68cc19e6fdba8d812f31d8ac31380e |
| SHA256 | c51fc3f7e9b572e2ddaa495a5a8569b407ac542185e73887ae1f1fb685b99854 |
| SHA512 | 2cceb7b6a2d7ee0d0e2648d1b3488788608c6f1298fa10ae5b15fce94df4359df4ce8c3458c2c361474214d389f658b76b8496b3ec97f4a23cf5804f0d538db2 |
memory/4744-127-0x00007FF69F130000-0x00007FF69F484000-memory.dmp
memory/4372-128-0x00007FF7F40D0000-0x00007FF7F4424000-memory.dmp
memory/1236-130-0x00007FF69CD10000-0x00007FF69D064000-memory.dmp
memory/1672-126-0x00007FF7D4980000-0x00007FF7D4CD4000-memory.dmp
memory/536-116-0x00007FF78A850000-0x00007FF78ABA4000-memory.dmp
C:\Windows\System\QUBWBNJ.exe
| MD5 | ec864204a1d8d0b20fa07c5e353c7214 |
| SHA1 | 40f414b7277471be1f2c194877e62ae448289f97 |
| SHA256 | c1f6a580bedfba428d32774ca939779c8df2ba0cc279543b42dfb432cb9a79a3 |
| SHA512 | fe37236a2e589a00a0459acba4f6bcf2f5fb5ad984f5c2cfe62353e02408b69b6f1682ed776676b500d973a53a46fa1885972b7d0c833e0d223c8c50103fbc99 |
memory/1748-115-0x00007FF786EC0000-0x00007FF787214000-memory.dmp
C:\Windows\System\ZdHAjdg.exe
| MD5 | 3852fb02bb07ad00fca23c5bc7cd78d2 |
| SHA1 | 088ce8097b80534d1fd64dcda767c7eac74fb7dc |
| SHA256 | 75c8dfd1c69f8ca69ca0a6aa7a0ff36d70b333bcf0b1269dedfbd6d70aad09cc |
| SHA512 | 1b4e743c8f01cc91af8640070fcd2f4f840da659627dcb12e98b692b7265eb7075f71d5c29c003483d0b5a1ca26095731f6149e67f64e2f4352137be1847655d |
memory/2420-131-0x00007FF78B0D0000-0x00007FF78B424000-memory.dmp
memory/3640-132-0x00007FF798D00000-0x00007FF799054000-memory.dmp
memory/1964-133-0x00007FF701DF0000-0x00007FF702144000-memory.dmp
memory/1956-134-0x00007FF791FC0000-0x00007FF792314000-memory.dmp
memory/4224-135-0x00007FF69F360000-0x00007FF69F6B4000-memory.dmp
memory/2364-136-0x00007FF780A90000-0x00007FF780DE4000-memory.dmp
memory/2908-137-0x00007FF6A2690000-0x00007FF6A29E4000-memory.dmp
memory/1672-139-0x00007FF7D4980000-0x00007FF7D4CD4000-memory.dmp
memory/1748-138-0x00007FF786EC0000-0x00007FF787214000-memory.dmp
memory/536-140-0x00007FF78A850000-0x00007FF78ABA4000-memory.dmp
memory/1876-141-0x00007FF69C390000-0x00007FF69C6E4000-memory.dmp
memory/2020-142-0x00007FF6BD660000-0x00007FF6BD9B4000-memory.dmp
memory/4388-143-0x00007FF647980000-0x00007FF647CD4000-memory.dmp
memory/4036-144-0x00007FF6C0590000-0x00007FF6C08E4000-memory.dmp
memory/1596-145-0x00007FF7851E0000-0x00007FF785534000-memory.dmp
memory/3432-146-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp
memory/4744-147-0x00007FF69F130000-0x00007FF69F484000-memory.dmp
memory/2420-148-0x00007FF78B0D0000-0x00007FF78B424000-memory.dmp
memory/2920-150-0x00007FF772D20000-0x00007FF773074000-memory.dmp
memory/2636-149-0x00007FF620B90000-0x00007FF620EE4000-memory.dmp
memory/3640-151-0x00007FF798D00000-0x00007FF799054000-memory.dmp
memory/1964-152-0x00007FF701DF0000-0x00007FF702144000-memory.dmp
memory/1956-153-0x00007FF791FC0000-0x00007FF792314000-memory.dmp
memory/4224-154-0x00007FF69F360000-0x00007FF69F6B4000-memory.dmp
memory/2364-155-0x00007FF780A90000-0x00007FF780DE4000-memory.dmp
memory/2908-156-0x00007FF6A2690000-0x00007FF6A29E4000-memory.dmp
memory/1748-157-0x00007FF786EC0000-0x00007FF787214000-memory.dmp
memory/536-158-0x00007FF78A850000-0x00007FF78ABA4000-memory.dmp
memory/1236-159-0x00007FF69CD10000-0x00007FF69D064000-memory.dmp
memory/4372-160-0x00007FF7F40D0000-0x00007FF7F4424000-memory.dmp
memory/1672-161-0x00007FF7D4980000-0x00007FF7D4CD4000-memory.dmp
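Every dropped executable above has a distinct MD5/SHA1/SHA256, yet every dropped-process image region listed spans the same 0x354000 bytes, which points to one binary rewritten on each drop; hash blocking alone will therefore lag the dropper, and the path pattern is the more durable indicator. The following is an added example, not the sandbox's code: it parses the report's own path, hash-table and memory-region lines (excerpt copied from the section above) into records, reports the distinct region sizes, and hunts a set of candidate files by hash and by path pattern. The candidate files are constructed stand-ins for reading the disk.

```python
"""Added IOC-handling example for the Files section of this report.
The excerpt is copied from the page; the candidate files are constructed."""
import hashlib
import re

# Excerpt copied from the behavioral2 Files section (three of the 21 drops).
REPORT_EXCERPT = r"""
memory/4876-0-0x00007FF688AE0000-0x00007FF688E34000-memory.dmp
memory/4876-1-0x000001F87E8A0000-0x000001F87E8B0000-memory.dmp
C:\Windows\System\emeXVxL.exe
| MD5 | 535fac48e40a7116af7a43378934657f |
| SHA1 | 2d83e7a819eee7a16bba69b90596a54b61c5090c |
| SHA256 | a9c289fc967d4e93e44e8fe90a8a6eae6f787b2ef90f7f064dea18bba9e54c35 |
memory/1876-8-0x00007FF69C390000-0x00007FF69C6E4000-memory.dmp
C:\Windows\System\XLzVWjv.exe
| MD5 | b5b6a323245caa23ecfbb24d7e1100a3 |
| SHA1 | 8c44d6e70caec7993313782d2f8243bf55cfd908 |
| SHA256 | f6df7f28dcc6e4290331efb79f9f82d9b5caf9e4f71dac3fc0ebad6cc4dfdf80 |
C:\Windows\System\vqzxDrz.exe
| MD5 | e5a4e23c94a2cd62f4b5eab0ff69ccec |
| SHA1 | d2ecf1574f8819ca3bc4a5d9ad785720772859d0 |
| SHA256 | 7e167473bd094b75653cc1464caa79d05eca9b81ce51501e41a8e6db9e825048 |
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# The Win7 run lists paths without a drive letter, so the drive is optional.
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\.+\.(?:exe|dll)$", re.IGNORECASE)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-F]+)-0x([0-9A-F]+)-memory\.dmp$", re.IGNORECASE)
DROP_NAME_RE = re.compile(r"^(?:[A-Za-z]:)?\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_files_section(text):
    """Returns (file records, memory regions) from the report's Files lines.

    A hash row belongs to the most recent path line; a digest of the wrong
    length is dropped rather than shipped as a bad indicator.
    """
    files, regions, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if m := MEM_RE.match(line):
            start, end = int(m[2], 16), int(m[3], 16)
            regions.append({"pid": int(m[1]), "start": start, "size": end - start})
        elif m := HASH_RE.match(line):
            algo, digest = m[1].lower(), m[2].lower()
            if current is not None and len(digest) == HASH_LEN[algo]:
                current[algo] = digest
        elif PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
    return files, regions


def image_sizes(regions):
    """Distinct region sizes; one size across many PIDs suggests one repacked image."""
    return sorted({r["size"] for r in regions})


def hunt(files, candidates):
    """candidates: {path: content bytes}, a stand-in for walking C:\\Windows\\System.

    A SHA256 match is a hard hit. A path-pattern match is a soft hit that needs
    a look, because the dropper produces a new hash on every run.
    """
    known = {f["sha256"]: f["path"] for f in files if "sha256" in f}
    hits = []
    for path, content in candidates.items():
        digest = sha256_hex(content)
        if digest in known:
            hits.append({"path": path, "match": "sha256", "reported_as": known[digest]})
        elif DROP_NAME_RE.match(path):
            hits.append({"path": path, "match": "path-pattern", "sha256": digest})
    return hits


if __name__ == "__main__":
    files, regions = parse_files_section(REPORT_EXCERPT)
    print([hex(s) for s in image_sizes(regions)])
    print(hunt(files, {r"C:\Windows\System\QwErTyU.exe": b"constructed bytes"}))
```

On a live host the `candidates` dict would be built by walking the directory and reading each file, and the hash set would be the full list from both runs; the parser accepts the Win7 rows that lack a drive letter so both Files sections can be fed in as-is.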
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 08:03
Reported
2024-06-11 08:05
Platform
win7-20240221-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches, all fields N/A.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches, all fields N/A.
UPX dump on OEP (original entry point)
53 matches, all fields N/A.
XMRig Miner payload
59 matches, all fields N/A.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\bKJkLXS.exe | N/A |
| N/A | N/A | C:\Windows\System\bHGxBIK.exe | N/A |
| N/A | N/A | C:\Windows\System\wUQqNYs.exe | N/A |
| N/A | N/A | C:\Windows\System\CXMDJxq.exe | N/A |
| N/A | N/A | C:\Windows\System\LSZiOUb.exe | N/A |
| N/A | N/A | C:\Windows\System\kUfpmWZ.exe | N/A |
| N/A | N/A | C:\Windows\System\ZyTkJLm.exe | N/A |
| N/A | N/A | C:\Windows\System\fWFZPBC.exe | N/A |
| N/A | N/A | C:\Windows\System\QCtVfbI.exe | N/A |
| N/A | N/A | C:\Windows\System\wXOfGLF.exe | N/A |
| N/A | N/A | C:\Windows\System\EOtkRJu.exe | N/A |
| N/A | N/A | C:\Windows\System\DPanNgd.exe | N/A |
| N/A | N/A | C:\Windows\System\IyeUQfD.exe | N/A |
| N/A | N/A | C:\Windows\System\AbJxchb.exe | N/A |
| N/A | N/A | C:\Windows\System\kzjmvPX.exe | N/A |
| N/A | N/A | C:\Windows\System\tYiCauZ.exe | N/A |
| N/A | N/A | C:\Windows\System\KQXWtoD.exe | N/A |
| N/A | N/A | C:\Windows\System\IVtRFIA.exe | N/A |
| N/A | N/A | C:\Windows\System\EsZMufv.exe | N/A |
| N/A | N/A | C:\Windows\System\aFfYSdi.exe | N/A |
| N/A | N/A | C:\Windows\System\LCBntov.exe | N/A |
Loads dropped DLL
UPX packed file
53 matches, all fields N/A.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\bKJkLXS.exe
C:\Windows\System\bKJkLXS.exe
C:\Windows\System\bHGxBIK.exe
C:\Windows\System\bHGxBIK.exe
C:\Windows\System\wUQqNYs.exe
C:\Windows\System\wUQqNYs.exe
C:\Windows\System\CXMDJxq.exe
C:\Windows\System\CXMDJxq.exe
C:\Windows\System\LSZiOUb.exe
C:\Windows\System\LSZiOUb.exe
C:\Windows\System\kUfpmWZ.exe
C:\Windows\System\kUfpmWZ.exe
C:\Windows\System\ZyTkJLm.exe
C:\Windows\System\ZyTkJLm.exe
C:\Windows\System\fWFZPBC.exe
C:\Windows\System\fWFZPBC.exe
C:\Windows\System\QCtVfbI.exe
C:\Windows\System\QCtVfbI.exe
C:\Windows\System\wXOfGLF.exe
C:\Windows\System\wXOfGLF.exe
C:\Windows\System\EOtkRJu.exe
C:\Windows\System\EOtkRJu.exe
C:\Windows\System\DPanNgd.exe
C:\Windows\System\DPanNgd.exe
C:\Windows\System\IyeUQfD.exe
C:\Windows\System\IyeUQfD.exe
C:\Windows\System\AbJxchb.exe
C:\Windows\System\AbJxchb.exe
C:\Windows\System\kzjmvPX.exe
C:\Windows\System\kzjmvPX.exe
C:\Windows\System\tYiCauZ.exe
C:\Windows\System\tYiCauZ.exe
C:\Windows\System\IVtRFIA.exe
C:\Windows\System\IVtRFIA.exe
C:\Windows\System\KQXWtoD.exe
C:\Windows\System\KQXWtoD.exe
C:\Windows\System\EsZMufv.exe
C:\Windows\System\EsZMufv.exe
C:\Windows\System\aFfYSdi.exe
C:\Windows\System\aFfYSdi.exe
C:\Windows\System\LCBntov.exe
C:\Windows\System\LCBntov.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2276-0-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2276-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\bKJkLXS.exe
| MD5 | d02cfe09e8dae742e0bb2310fdaddb1b |
| SHA1 | 431ae36e0fa608f65249eab002d82b3f81625cc6 |
| SHA256 | c31e22d022f92251d1e761f5c724724ec8caac3846b10ac2ead474bad6b28c4a |
| SHA512 | bd7b1ea995375ea04bf486b5c696ded1201e9f91615b69df504cdf645797c5da4d8ea321fb234a38b5c3fe8f7e333aa3397568312f02c708b15ebd133622cfa6 |
C:\Windows\system\bHGxBIK.exe
| MD5 | 1c4ea5744fa82ba693d6034d82c5163e |
| SHA1 | 1b772d4ce4f40e4c5042d390f01ae506f642cb9b |
| SHA256 | e9e3c5a625aa55fb8b4178f3da417e9fd7963e780e89d30d7859cebd99e16c86 |
| SHA512 | cbe5de9ecd54c4e5bb53e2a81df0967a5119b76034298978b1e174fb37fb6e5cb54273015261bda5af6c6e14924c9a189c9a6e0d6e1ba4bdf52de71653c81370 |
memory/2588-14-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2276-9-0x000000013FBD0000-0x000000013FF24000-memory.dmp
C:\Windows\system\wUQqNYs.exe
| MD5 | d0bb47802c626cfdb0c3c513376f209d |
| SHA1 | d41c4fab88ade28304b61bb8173af2bd0d8cb123 |
| SHA256 | ba32d6b7d10b986946cb4a4b131e36d5cb8a82ea9ed1c69983662dab7099fbe1 |
| SHA512 | 8d1717f5eeceef471a736a24a5f6759298b52d423cf67f0362a010ebc6ec73d19f9d8b031690820347640c6f947677201399252ee30b1936ec270542a3324a97 |
C:\Windows\system\CXMDJxq.exe
| MD5 | 475db29d706f9a938014b46c844f6d5e |
| SHA1 | 2cc1090dd106aab0ca21ffe6addc11aba02cfa64 |
| SHA256 | 151fe7dfe900b45c214b10230866b36793995f0074999215869b534f6bdfffb7 |
| SHA512 | 1c6f9fb12dc9d89214ab5f08e8fe15311d4021fd97ca5785d1ff61f65471aa8966f0a09c4fb956f86118c3dd987632e723c0678264cc15b0b54f501d4a0b6745 |
C:\Windows\system\LSZiOUb.exe
| MD5 | 671ccb53becb8e06a9721e325c77486d |
| SHA1 | 8b014ec415b4723d2258004eb096a48454687a3d |
| SHA256 | 16bf638c2ef3105eb539ce92a74a0123ddc9986121b27db6a48349d5f7f2fef8 |
| SHA512 | d0c5b759c5cb0df0fa07f43912e72d90acf042b34bc48a2aa0204e0cd12bed74847fd7ad92aa2e5979c7557ae64b2d4b02db7134db0623b6e87660a9409f4c0c |
C:\Windows\system\kUfpmWZ.exe
| MD5 | f50549f33724b942a572722489350fd2 |
| SHA1 | ec94abc920c7e6718d4bc6b52103d54895e97b9e |
| SHA256 | 1f1bc9619b47d43fe2684cf1ba5543b5dd33c8842ccdf1439331e85dafee9073 |
| SHA512 | 54d903c1619b95e98362b4facce132360309dc68ee40119ebebed275cefab05cf5f9c654462abbd251babb9394d46ce86ceb1a4652587400ebad45e6be5a231f |
C:\Windows\system\ZyTkJLm.exe
| MD5 | 9fe84efd546ec998da7f5d901777894b |
| SHA1 | 78728d7fdab562af50dd47131aee3e04f1eaa830 |
| SHA256 | ace13c10e0360582d00fa7085512ef205e5d08003f6af7c9c982d32694205ae8 |
| SHA512 | 712b9f53a272b39bb8a57f210c982455e70bf0914e67e1a03d00fe197fcb8ddea2015fc451c6820f95fa699cf9d8124abd5bb042b67693e14e27d70197be3337 |
C:\Windows\system\QCtVfbI.exe
| MD5 | 89f0dca0de6db005d16f248776383251 |
| SHA1 | 237fd836e92ed9b1c96ca85b202836d7b66210bb |
| SHA256 | aee989d0ff5fa0aa753c61ae1d67f5c036bcef5425c1a92d6a567f54cff8afe3 |
| SHA512 | fd3069104787ff17cb481a01bfd7f02805059fbe1c50ee5191840b887e8f8dca82fb6d64ba0a68f65cdf47a934ff9ff5123f59843a698410420f3bac3edd77ed |
C:\Windows\system\wXOfGLF.exe
| MD5 | 889d629aeaed660b39d0a42c414a7c6a |
| SHA1 | 924a32cf7d41ba873cb13c21f687e14be6aed0e8 |
| SHA256 | fd6aac5666ac33d9abeb97883a3379acb6a77e437d0ff925f973ec804cd5e0cc |
| SHA512 | 5c23fd51c6043a8c1bbb07051874343bf871b277cb01274290f68d2b2a2cc1bb7cc58104940597e46b78da10e0aed5af0f166052027faf387008fb2c30821ad1 |
C:\Windows\system\AbJxchb.exe
| MD5 | 520bcc7a099f5cb55ba6f6465aa7e451 |
| SHA1 | 60279408daf4ab2ced22c1fc96d2f6a1e8d5ac25 |
| SHA256 | c00faf2ae55a323fbff92b362b9ea8680848b9961d31da9f7eef4cd17e6c0930 |
| SHA512 | d41e4b5442a61eda82480416f83a53a7dc6f6ab50e6a25b567198b796f74754f324bd452e321d5135ba949db59cae3f33e06eb8ac11a96a0271fd26774a657fc |
C:\Windows\system\tYiCauZ.exe
| MD5 | 37821aff103e3de89b2f8e25066d71b3 |
| SHA1 | da4c3b2426cd147614f221c02a6d5b1e39b57ce9 |
| SHA256 | df2458f4506a1e5aabb438a9ceda686123d780b22c6e245bce2956ea9759754f |
| SHA512 | 8d879124629e8a1c0e9c401c8d5b3aff6ad0fafa1ad6af24ba1a32a6cb53265ebf3250804d1926e729484ad1aa954eccc759c446b4f130efadd112d2c76bcdfc |
C:\Windows\system\kzjmvPX.exe
| MD5 | 0786195cadc0fa41eb78a95b6722ec2e |
| SHA1 | 38716692ad625830c235af61d3a037ea074a49f6 |
| SHA256 | eaf1a9010ab1108bde102e773253339e485e9768d90827dccd3a7c16551570b0 |
| SHA512 | 2b0cdbf81dbd3878ed60670f860f79458aea56709db33ac950ba43bd8eb688a5c6b3247fdabd1e7bb5c8c3f5e149b71d03e17f1d7aa28973dea0eb113b26f9d1 |
memory/2504-97-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/2540-101-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/2276-103-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2276-100-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/2592-99-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2276-98-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2276-96-0x0000000002280000-0x00000000025D4000-memory.dmp
C:\Windows\system\EsZMufv.exe
| MD5 | e040a03258934497b52867a6918a11d7 |
| SHA1 | 2a88e150ba4570793fae2ce7430e375115cafa82 |
| SHA256 | 22c243d9c752b3550abafaa0ef08bf14211d31ee33e3ce767b3a4e94843144ac |
| SHA512 | f4a1c581eb4f421514fab92c6512b38fbfddd8ab76aa7fd0a18e848c166348030bfad1d496d1427a247a5f0003df74ac0dca54b1a3f82a4f580a03a07d09fc5f |
memory/1664-122-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2276-121-0x0000000002280000-0x00000000025D4000-memory.dmp
memory/2276-120-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/784-119-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/2276-118-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/2056-117-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2276-116-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2116-115-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2276-114-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2408-113-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2276-112-0x0000000002280000-0x00000000025D4000-memory.dmp
memory/2440-111-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2276-110-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2548-109-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2276-108-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2624-106-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2620-91-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2276-90-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2568-89-0x000000013F6A0000-0x000000013F9F4000-memory.dmp
memory/2276-88-0x000000013F6A0000-0x000000013F9F4000-memory.dmp
\Windows\system\IVtRFIA.exe
| MD5 | e2750a77b9ce489cb7dea0a7c90dd930 |
| SHA1 | 98259b1a14ad9ab4493d8e52022ac36d8f769cbb |
| SHA256 | 6896ecc8e6ef9479277ac9a579d760309bab2bce49c634543a80ad5833ff477c |
| SHA512 | e2f9120d556cfb3583477293e999f10d1be06e0222502e4e2575aba1ec4cb796042dcfbd1b125a81224dc6a4ba78aaff7ba6e424d0b6d122e364ba25efb05324 |
\Windows\system\aFfYSdi.exe
| MD5 | 8c93929ee3b1798487bf92e72c9f6d02 |
| SHA1 | b6ab72988429b74c6e602febcecb70046ed389c0 |
| SHA256 | 133705e6267af289c8ea8ead9e0712947f827e1a6fc08e035c7cddcb48e94bef |
| SHA512 | 042f5138a600f15507ec163255fc25229a18029916d948a7a62c096f64b7c6b0963be41e9fde7155e370da94c0717fd96382bf51395bf7e6e6b498e6e87ec55e |
C:\Windows\system\KQXWtoD.exe
| MD5 | 28078b9f29d07151fbfd92c2c22b6889 |
| SHA1 | 1901e7518ca550f298a1c684c4bb6d83586d29c6 |
| SHA256 | bd30ddf9300123ebe69fff07a14760b9323a173999e830c7721889e72844c155 |
| SHA512 | e59b52b73577223fcd1b4ec25ba6b331935a23271655e3bdfb0b80cc034cd13b29a903e85cc9b995c5de6592a7f5d2128083a4979445d0ab091dc9ee7f1084f3 |
C:\Windows\system\IyeUQfD.exe
| MD5 | c17817de18dacb9678df7f7291518451 |
| SHA1 | 9a7a83bca807607a550f08181b2553a6ad07a172 |
| SHA256 | 7e8f70b2cfac9359259df766b89942ef0eb1ccc713801a3935c81dbafe041984 |
| SHA512 | 515b1420c19995e1785160c41d6d5e33a09b0f1bc80ce08aacd7135bb43acbb7fd721986c0ab8eb22e6b1fd5800d0a2fb1911fb6ca39c4e285801593c61d3737 |
C:\Windows\system\DPanNgd.exe
| MD5 | c7224d636430fc4755514f51a0258466 |
| SHA1 | b529fcbf0627595d85695f3946cc97a2076f5c84 |
| SHA256 | 3c1bd8a20aa36ae806fa899a92f54dda0b5632b21e8250dc9cd86b9e4e196495 |
| SHA512 | 44cc4d03f2c048c1c1bc4a1b7a9eda469249524aea57460315d9ccdd9053da34537512ebb54475cee72ffc5986a5265af9e69da5c0e44a7f4ee48339dea3a32f |
C:\Windows\system\EOtkRJu.exe
| MD5 | e273b87e7fcc67ebbab9aec60fb33b51 |
| SHA1 | 651ad68d389cafb47c32b3a3da55aea70ddc4da3 |
| SHA256 | 68416524a768bc562e0547d713fbd035a07ac63ccddc8c7d9f62c682f69acbb5 |
| SHA512 | 7207c17589a1147923be2ed94f5befe7741b44dd958b5efd5713c8b25187e2eae8e7a78a92104dc883e5bcb256b2c74fc83fefbb924ec302e1e40bbfe6d8d32c |
C:\Windows\system\fWFZPBC.exe
| MD5 | d331755e315bb6f22c06aca8f7b7d339 |
| SHA1 | 51d73e4046944bc86ccec2eb86a8675a53df565d |
| SHA256 | b174b0164f5988c26283931f79a89736102c6924a7ca50b36e5b863fc30b1d73 |
| SHA512 | 26211570c179a21bd2951c04571e2cc618318e94850205a63271ea1b0b2aa14c65160ffe90cee759d6bddb82cc91e58444e499262e5f1ade8ca4f53250b01586 |
\Windows\system\LCBntov.exe
| MD5 | b2b4a8fe470db6acaae70730ee64ba0d |
| SHA1 | eb6d6e54a819282331ec543cd0805dcbb7e27677 |
| SHA256 | f6aa17cce221a8ecbee37879dd09c670d0ac92d94e1e42ef2a35a73ae01d9825 |
| SHA512 | ac2f4171edf6c2395ddbaa41bd73556bd03f2541e49c3a93bc978643638d88e3b7b5ca0532ce0678c77d53078a59128471d90497bcc134860bc850c981262970 |
memory/2276-136-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2588-137-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2276-138-0x0000000002280000-0x00000000025D4000-memory.dmp
memory/2276-139-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2588-140-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/1664-141-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2568-142-0x000000013F6A0000-0x000000013F9F4000-memory.dmp
memory/2620-143-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2504-144-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/2592-145-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2540-146-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/2624-147-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2548-148-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2440-149-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2408-150-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2116-151-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2056-152-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/784-153-0x000000013F7F0000-0x000000013FB44000-memory.dmp
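The process list, the Network table, the Files hashes and the SeLockMemoryPrivilege rows above are the parts of this report a responder reuses. The Python below is an added example, not part of the report or of the sandbox vendor's tooling: it parses an excerpt of those sections into an IOC set and matches constructed Sysmon-style events against it. DROP_PATTERN (seven-letter names directly under C:\Windows\System) is inferred from the process list, the EVENTS records are constructed, and the endpoint hit is labelled only as "reported" because the report does not say whether 3.120.209.58:8080 is the Cobalt Strike C2 or the XMRig pool.

```python
"""Turn the report's Processes / Network / Files sections and its
AdjustPrivilegeToken signature into IOCs, then match Sysmon-style events.
Added example, not part of the report; EVENTS below are constructed."""
import re
from dataclasses import dataclass, field

# Excerpt adapted from the report (cut to a few entries).  Some renderings of
# the Network table print the protocol under Domain; the parser accepts both.
REPORT = r"""
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
C:\Windows\System\bKJkLXS.exe
C:\Windows\System\bHGxBIK.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\bKJkLXS.exe
| MD5 | d02cfe09e8dae742e0bb2310fdaddb1b |
| SHA256 | c31e22d022f92251d1e761f5c724724ec8caac3846b10ac2ead474bad6b28c4a |
C:\Windows\system\bHGxBIK.exe
| SHA256 | e9e3c5a625aa55fb8b4178f3da417e9fd7963e780e89d30d7859cebd99e16c86 |
memory/2276-0-0x000000013F160000-0x000000013F4B4000-memory.dmp
"""

# Every payload in the process list is <7 letters>.exe directly under
# C:\Windows\System (not System32), which normally gains no new executables.
# Pattern inferred from the report, not a vendor rule.
DROP_PATTERN = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.I)
# XMRig enables this privilege to back its scratchpad with large pages.
RARE_PRIVILEGES = {"SeLockMemoryPrivilege"}


@dataclass
class Iocs:
    paths: set = field(default_factory=set)      # lower-cased image paths
    sha256: set = field(default_factory=set)     # dropped-file hashes
    endpoints: set = field(default_factory=set)  # (ip, port, proto)


def _cells(line):
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_report(text):
    iocs, section = Iocs(), None
    for line in (ln.strip() for ln in text.splitlines()):
        if line in ("Processes", "Network", "Files"):
            section = line
        elif not line or line.startswith("| Country"):
            continue
        elif section == "Processes":
            iocs.paths.add(line.strip('"').lower())
        elif section == "Network" and line.startswith("|"):
            cells = _cells(line)
            ip, _, port = cells[1].rpartition(":")
            # protocol may sit in the Domain or the Proto column
            proto = next((c for c in reversed(cells[2:]) if c), "")
            iocs.endpoints.add((ip, int(port), proto.lower()))
        elif section == "Files" and line.startswith("| SHA256"):
            iocs.sha256.add(_cells(line)[1].lower())
    return iocs


def classify(event, iocs):
    """Reasons the event matches the report's IOCs; empty list means clean."""
    hits, kind = [], event["event"]
    if kind == "process_create":
        if event.get("sha256", "").lower() in iocs.sha256:
            hits.append("known_dropped_file_hash")
        if event["image"].lower() in iocs.paths:
            hits.append("known_dropped_path")
        elif DROP_PATTERN.match(event["image"]):   # new name, same drop pattern
            hits.append("random_name_exe_in_windows_system")
    elif kind == "network_connect":
        if (event["dest"], event["port"], event["proto"].lower()) in iocs.endpoints:
            hits.append("known_reported_endpoint")
    elif kind == "privilege_adjust" and event["privilege"] in RARE_PRIVILEGES:
        hits.append("rare_privilege_" + event["privilege"])
    return hits


def scan(events, iocs):
    """(index, reasons) for every event that matched."""
    return [(i, classify(e, iocs)) for i, e in enumerate(events) if classify(e, iocs)]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe"
EVENTS = [  # constructed telemetry, not from the sandbox run
    {"event": "process_create", "image": r"C:\Windows\System\bKJkLXS.exe", "parent": SAMPLE,
     "sha256": "c31e22d022f92251d1e761f5c724724ec8caac3846b10ac2ead474bad6b28c4a"},
    {"event": "process_create", "image": r"C:\Windows\System\qazwsxe.exe", "parent": SAMPLE,
     "sha256": "00" * 32},
    {"event": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "sha256": "11" * 32},
    {"event": "network_connect", "image": r"C:\Windows\System\bKJkLXS.exe",
     "dest": "3.120.209.58", "port": 8080, "proto": "tcp"},
    {"event": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest": "203.0.113.10", "port": 443, "proto": "tcp"},
    {"event": "privilege_adjust", "image": SAMPLE, "privilege": "SeLockMemoryPrivilege"},
]

if __name__ == "__main__":
    for index, reasons in scan(EVENTS, parse_report(REPORT)):
        print(index, EVENTS[index]["event"], reasons)
```

The privilege check is deliberately weak on its own: SQL Server and other large-page users hold SeLockMemoryPrivilege legitimately, so treat it as corroboration for the path pattern and the hash hits rather than as an alert by itself. Running the block directly prints the four matching events; the svchost.exe and firefox.exe records are there to show that neither the System32 path nor an unrelated outbound connection trips the rules.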