Analysis Overview
| SHA256 | 413ea32c50accd19799ca4cb87fec49c8271e827ef75eb988706ef0ad5a1c2c2 |
Threat Level: Known bad
The file 2024-06-11_1bfcf2f5626791a76e87281650c5ee9d_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Detects Reflective DLL injection artifacts
Cobaltstrike
XMRig Miner payload
Cobalt Strike reflective loader
xmrig
UPX dump on OEP (original entry point)
Xmrig family
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
| Reported | 2024-06-11 13:47 |
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-06-11 13:47 |
| Reported | 2024-06-11 13:49 |
| Platform | win7-20240221-en |
| Max time kernel | 146s |
| Max time network | 154s |
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dUFkoFd.exe | N/A |
| N/A | N/A | C:\Windows\System\VoPkPWi.exe | N/A |
| N/A | N/A | C:\Windows\System\LqmWGwz.exe | N/A |
| N/A | N/A | C:\Windows\System\RWPTwTm.exe | N/A |
| N/A | N/A | C:\Windows\System\yVRrLZH.exe | N/A |
| N/A | N/A | C:\Windows\System\hCptVpD.exe | N/A |
| N/A | N/A | C:\Windows\System\hFxjoeG.exe | N/A |
| N/A | N/A | C:\Windows\System\mCAKpSi.exe | N/A |
| N/A | N/A | C:\Windows\System\FwBFEyL.exe | N/A |
| N/A | N/A | C:\Windows\System\WghsQJF.exe | N/A |
| N/A | N/A | C:\Windows\System\MRXGzRG.exe | N/A |
| N/A | N/A | C:\Windows\System\rWFqLbO.exe | N/A |
| N/A | N/A | C:\Windows\System\XyEfDKK.exe | N/A |
| N/A | N/A | C:\Windows\System\YdsXRtD.exe | N/A |
| N/A | N/A | C:\Windows\System\zHEVZaI.exe | N/A |
| N/A | N/A | C:\Windows\System\DySxfaU.exe | N/A |
| N/A | N/A | C:\Windows\System\nahsgGE.exe | N/A |
| N/A | N/A | C:\Windows\System\SFwDSHP.exe | N/A |
| N/A | N/A | C:\Windows\System\RXfIeHc.exe | N/A |
| N/A | N/A | C:\Windows\System\RKjhhxB.exe | N/A |
| N/A | N/A | C:\Windows\System\pUfmAkj.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_1bfcf2f5626791a76e87281650c5ee9d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_1bfcf2f5626791a76e87281650c5ee9d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_1bfcf2f5626791a76e87281650c5ee9d_cobalt-strike_cobaltstrike.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-06-11 13:47 |
| Reported | 2024-06-11 13:49 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 147s |
| Max time network | 150s |
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\PmVzZCP.exe | N/A |
| N/A | N/A | C:\Windows\System\zwocGtS.exe | N/A |
| N/A | N/A | C:\Windows\System\sXRCyyf.exe | N/A |
| N/A | N/A | C:\Windows\System\JOAUQNk.exe | N/A |
| N/A | N/A | C:\Windows\System\mBdTeDM.exe | N/A |
| N/A | N/A | C:\Windows\System\dAiHdod.exe | N/A |
| N/A | N/A | C:\Windows\System\CaIMIui.exe | N/A |
| N/A | N/A | C:\Windows\System\cPDdcCS.exe | N/A |
| N/A | N/A | C:\Windows\System\gXWTHuG.exe | N/A |
| N/A | N/A | C:\Windows\System\snJyCJJ.exe | N/A |
| N/A | N/A | C:\Windows\System\Tlcawif.exe | N/A |
| N/A | N/A | C:\Windows\System\nhymthO.exe | N/A |
| N/A | N/A | C:\Windows\System\xzExYft.exe | N/A |
| N/A | N/A | C:\Windows\System\ITSkuvC.exe | N/A |
| N/A | N/A | C:\Windows\System\YIoXKTj.exe | N/A |
| N/A | N/A | C:\Windows\System\ZQprteZ.exe | N/A |
| N/A | N/A | C:\Windows\System\cMayTml.exe | N/A |
| N/A | N/A | C:\Windows\System\URXaAKW.exe | N/A |
| N/A | N/A | C:\Windows\System\WjDhZfd.exe | N/A |
| N/A | N/A | C:\Windows\System\hPzXWyX.exe | N/A |
| N/A | N/A | C:\Windows\System\eDNruJf.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_1bfcf2f5626791a76e87281650c5ee9d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_1bfcf2f5626791a76e87281650c5ee9d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_1bfcf2f5626791a76e87281650c5ee9d_cobalt-strike_cobaltstrike.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files