Analysis Overview
SHA256
897001ba457ed85b85496249e81287cfdd49e002fac630ffbcec46dc3e9ab5e5
Threat Level: Known bad
The file 2024-05-30_8abf68c9d0fa2133975bca27b79b0ade_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Cobaltstrike family
Cobaltstrike
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Xmrig family
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 00:57
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 00:57
Reported
2024-05-30 01:00
Platform
win7-20240221-en
Max time kernel
150s
Max time network
138s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\rDWHOCD.exe | N/A |
| N/A | N/A | C:\Windows\System\aYgbrVq.exe | N/A |
| N/A | N/A | C:\Windows\System\BxiYnLo.exe | N/A |
| N/A | N/A | C:\Windows\System\azAHkdm.exe | N/A |
| N/A | N/A | C:\Windows\System\JalRnNw.exe | N/A |
| N/A | N/A | C:\Windows\System\gzNpSaL.exe | N/A |
| N/A | N/A | C:\Windows\System\PuOqCRr.exe | N/A |
| N/A | N/A | C:\Windows\System\TsurtFV.exe | N/A |
| N/A | N/A | C:\Windows\System\zTIbWKc.exe | N/A |
| N/A | N/A | C:\Windows\System\utIKTmv.exe | N/A |
| N/A | N/A | C:\Windows\System\kGWVqro.exe | N/A |
| N/A | N/A | C:\Windows\System\BFxGski.exe | N/A |
| N/A | N/A | C:\Windows\System\kuGcGCR.exe | N/A |
| N/A | N/A | C:\Windows\System\NrLftqY.exe | N/A |
| N/A | N/A | C:\Windows\System\FLJdaPp.exe | N/A |
| N/A | N/A | C:\Windows\System\PAFTPMG.exe | N/A |
| N/A | N/A | C:\Windows\System\UVTTSTV.exe | N/A |
| N/A | N/A | C:\Windows\System\HfpiCOx.exe | N/A |
| N/A | N/A | C:\Windows\System\hECJFbE.exe | N/A |
| N/A | N/A | C:\Windows\System\wSNkQDR.exe | N/A |
| N/A | N/A | C:\Windows\System\LdFtdbE.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_8abf68c9d0fa2133975bca27b79b0ade_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_8abf68c9d0fa2133975bca27b79b0ade_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_8abf68c9d0fa2133975bca27b79b0ade_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_8abf68c9d0fa2133975bca27b79b0ade_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\rDWHOCD.exe
C:\Windows\System\rDWHOCD.exe
C:\Windows\System\aYgbrVq.exe
C:\Windows\System\aYgbrVq.exe
C:\Windows\System\BxiYnLo.exe
C:\Windows\System\BxiYnLo.exe
C:\Windows\System\azAHkdm.exe
C:\Windows\System\azAHkdm.exe
C:\Windows\System\JalRnNw.exe
C:\Windows\System\JalRnNw.exe
C:\Windows\System\gzNpSaL.exe
C:\Windows\System\gzNpSaL.exe
C:\Windows\System\PuOqCRr.exe
C:\Windows\System\PuOqCRr.exe
C:\Windows\System\TsurtFV.exe
C:\Windows\System\TsurtFV.exe
C:\Windows\System\zTIbWKc.exe
C:\Windows\System\zTIbWKc.exe
C:\Windows\System\utIKTmv.exe
C:\Windows\System\utIKTmv.exe
C:\Windows\System\kGWVqro.exe
C:\Windows\System\kGWVqro.exe
C:\Windows\System\BFxGski.exe
C:\Windows\System\BFxGski.exe
C:\Windows\System\kuGcGCR.exe
C:\Windows\System\kuGcGCR.exe
C:\Windows\System\NrLftqY.exe
C:\Windows\System\NrLftqY.exe
C:\Windows\System\FLJdaPp.exe
C:\Windows\System\FLJdaPp.exe
C:\Windows\System\PAFTPMG.exe
C:\Windows\System\PAFTPMG.exe
C:\Windows\System\UVTTSTV.exe
C:\Windows\System\UVTTSTV.exe
C:\Windows\System\HfpiCOx.exe
C:\Windows\System\HfpiCOx.exe
C:\Windows\System\hECJFbE.exe
C:\Windows\System\hECJFbE.exe
C:\Windows\System\wSNkQDR.exe
C:\Windows\System\wSNkQDR.exe
C:\Windows\System\LdFtdbE.exe
C:\Windows\System\LdFtdbE.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2752-0-0x000000013F4C0000-0x000000013F811000-memory.dmp
memory/2752-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\rDWHOCD.exe
| MD5 | 18a1be0eebcd926d551173a32e739285 |
| SHA1 | 9c24e4bc146ccd76a477f28899558c31b0a8fcab |
| SHA256 | d0f12ceebe8fe411e0c65e752d7e91f32648cfd0372bc79f7eb31e408c59e249 |
| SHA512 | c242fa94db285acb9106716a6f6cf8bc869ff994311d2beb9064563546db46f37c1bef0d96d5d68aeec6b3c48266098a719d4a0a1a3dcf1639435e35d7aaf2a2 |
memory/2752-6-0x0000000002250000-0x00000000025A1000-memory.dmp
memory/2636-8-0x000000013F300000-0x000000013F651000-memory.dmp
\Windows\system\aYgbrVq.exe
| MD5 | b84841ec72eaabb1da666679fbf71369 |
| SHA1 | 7aa20bf9483fa252b6d1d4f9410e0f06bfbe22b2 |
| SHA256 | d8ad97fa49d682dd4c93459187b7c5c29fd8eac1c313d0ec0c5a2e829c7a33d7 |
| SHA512 | 611aa65804eb6379e6338818f167c036ad0c0596fcbe592adafcdf8273cabae168ce5c5ed531426bd417fe2bee73cceeae802ee0de488f42b85ab2add1eeb60b |
\Windows\system\BxiYnLo.exe
| MD5 | b057a8733edca30e18fb1ed9fe295f30 |
| SHA1 | 2a53ee87f76d1fffb2e7f1d5349bb7b03b8a3d90 |
| SHA256 | 4e53b7006626aa3629485565b477f1794919cecca4c0ece0ee1f0065d7497f20 |
| SHA512 | 07dff85d5d58f0562cf144c2b4fa0f566594ae0d893caf5986f695e6d9d3ca6a08b362cbc1d8d448fe89af818b5f70f3e5e2fde96cb4ee4f0092c60408f3a8a9 |
\Windows\system\azAHkdm.exe
| MD5 | e07cb5f8a165ad6251c4d507c7958732 |
| SHA1 | 5724e419c63876fe33248a798cad52da8ef1d747 |
| SHA256 | c4e3b76b4b376e4e76c71ec4f4e65c6614f378eb44344dd5397b5926710d45d2 |
| SHA512 | 3123602abf1daa06138c4c3b4ba109707de9be898eb996dda77d118522f454b8eb5923cc6a97d957b8a6947933eeffe1d6a8ed85ce02d394b83222bbef7d458f |
memory/2752-16-0x000000013F890000-0x000000013FBE1000-memory.dmp
\Windows\system\gzNpSaL.exe
| MD5 | c14fc1928d231c4a007ef3b43c022791 |
| SHA1 | 457135724e5f69ea82f1366d42dc639be9db0c28 |
| SHA256 | 7da5ce0de33a2b57cf77e9f3e851b5230323df29297261fde6afc817a9f39542 |
| SHA512 | f63223ce0c82ae80e2d4892f8c43f46591d9ab9c12746f09889799d58dcbeb3bd675f06571b022276d39a3a2428ba926c901d3a88855f6503831105566851ab6 |
memory/2752-40-0x000000013FC60000-0x000000013FFB1000-memory.dmp
memory/2588-42-0x000000013FC60000-0x000000013FFB1000-memory.dmp
memory/2752-29-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2896-20-0x000000013F890000-0x000000013FBE1000-memory.dmp
memory/2488-39-0x000000013F2B0000-0x000000013F601000-memory.dmp
memory/3068-26-0x000000013FA70000-0x000000013FDC1000-memory.dmp
C:\Windows\system\JalRnNw.exe
| MD5 | daa1e37483fad854e9fa252c39a2b1be |
| SHA1 | 62950c378fea51beaed8d47b5bcc4dae47eb42da |
| SHA256 | abf6e1010d7066e8abdedf790190bb0fd4ab97d75bc6eaeacb8ec926fc3bb092 |
| SHA512 | 5da53fc35865154779b8bb4050683a175bdfdfc58d0d924a1820984520b13d34e4bc57f6a5248d24ff5e2ba9140cfd36758c0dcd8f208558803a394c8ba1749a |
\Windows\system\PuOqCRr.exe
| MD5 | 972ec8a226aa6dae49e4f9b5f933f021 |
| SHA1 | 4d8ded08c08ecc6fb2e4eda228b762f1e351fffa |
| SHA256 | f2a9fa418f6269d3026cd606aca755e9c5a37fea66db695ed559abf32a6a7664 |
| SHA512 | e2c7dda4b37c13200495188f55a67664a1a526536846ca124313aee0c7c299ee5ce4117160ba31e2cdb0c9f94846823a9876880cab751c6dc8798f9aeebd116b |
memory/2492-51-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/2752-50-0x000000013F4C0000-0x000000013F811000-memory.dmp
memory/2752-45-0x0000000002250000-0x00000000025A1000-memory.dmp
memory/2752-34-0x0000000002250000-0x00000000025A1000-memory.dmp
memory/2056-33-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2752-22-0x000000013FA70000-0x000000013FDC1000-memory.dmp
memory/2752-56-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2700-57-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2752-55-0x0000000002250000-0x00000000025A1000-memory.dmp
C:\Windows\system\TsurtFV.exe
| MD5 | ee98e7b048297904a835566bf511fb31 |
| SHA1 | 8f21c54a0f137146458850c255363870e29606d5 |
| SHA256 | 349b56dacfeae049a36a64db6ea93e2e5610ddce5f5f2196cfde2ae11a690516 |
| SHA512 | 25dd43df655973d97b228a7048ad565f21bf86fcf578ff3e346127bff01a7d625ecc8cd20c37ba3fceaeef8fd37bad8a492f0bfd3106a5303ec5e2f794f60ef1 |
memory/2752-70-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2424-71-0x000000013F8E0000-0x000000013FC31000-memory.dmp
C:\Windows\system\utIKTmv.exe
| MD5 | e6b288c4d297a690b6744a77dd7f1ad5 |
| SHA1 | 5dc7b02ac5921d59f6dfd6f8c39b38d9222d29ad |
| SHA256 | 18221a5e00f1967b7231d7dc74eec635c67ad9984297b4a1e8d06ccaee1a798d |
| SHA512 | 85378282c56f2ddf77d6474535624b87160f08ed24050022b4bb419a52faaaadb8b66a9b177123c575f7e82c019a54cbce03fea00d6a201f0101dc6470992471 |
C:\Windows\system\kGWVqro.exe
| MD5 | 3f8e3cf93aa29a0c54d3161ed57ffbe5 |
| SHA1 | 9975f4994a82ed82c22e507ebb70a6cdb37d414d |
| SHA256 | 5624745832d380d1c54cb27f1e806257fb1e40be3d10379bbbb847bd4534ced8 |
| SHA512 | ef8bbc6b6b07de56030ee0ec5ceefd065bf52738d9ffe8a33400b97730f27073ce81887f93afb9b39cd27898fb3ba6f209b0262667f6e6fe42fd9e6694efd09a |
\Windows\system\NrLftqY.exe
| MD5 | a7d77ecb685fa27c7fc7f0e4c6bceac8 |
| SHA1 | 35d4101d80cf39653d10a267f8f456ee61fa4d5e |
| SHA256 | 76a8ef8b6cf3eb1dfaad8e93c2ecd20b5edc6b6996d49efcfb084018cf2a925c |
| SHA512 | 5f23d35233a7662290f47fa396112890606f52c9206812065e7ae1097af039e626d3b73d21070f90b068049c56c751dc4c8fbd536120bdf20cfaae9971b0cadf |
\Windows\system\zTIbWKc.exe
| MD5 | d061eeb1cdc0bc46b900e4fa56751126 |
| SHA1 | 8d3abff5725799570a81752e5aa22932a64005ef |
| SHA256 | 323ffc660c571decfe17c9c79f90e4fffbd16faf71262a40cc354e2d8515bdc4 |
| SHA512 | fb7b70c0ff3f19d2c4d0fa6ad68ca1b7ffa0fff3379ca3f6240c9220fb6e8514bb97174078d0b930f75a49f165ce1106976e7ba6aa0f0efeba1325843339572c |
memory/588-95-0x000000013FE00000-0x0000000140151000-memory.dmp
memory/2752-78-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/1032-101-0x000000013F740000-0x000000013FA91000-memory.dmp
C:\Windows\system\PAFTPMG.exe
| MD5 | 45bca07186ad984f538c2b0f2bb68992 |
| SHA1 | 91c67cd5444c1430d416725fa0775be786fc81a6 |
| SHA256 | 8fc5d7e3e3d2caaf28a7c0b99753f9ad81b8fab5c812c283a0cf090d8b563fa0 |
| SHA512 | f1c18d597c8ad2f76d26df9c05867398821deb56e54753cb01fa1c7149aa7737a5ba18a584fb6615f17e5db9dd367502b927b479ffa50fe32ec77b45d3d5d1e1 |
C:\Windows\system\FLJdaPp.exe
| MD5 | 47a9261cb3c81c7ff770518c0b0bc263 |
| SHA1 | 70c4f519744e30c2ed7c30c27b82087a15d63810 |
| SHA256 | 9b7ea7dfa5a2ad2d5c9f03f1a65c9bdd6fef2cfcaf1cdeb1ed00b4b4ffeedbbb |
| SHA512 | 728ff5c35e8e9a776360e81555315d8bb5ddd1128b1a2754655f23f93a43d8ad254ae5fb5a6c871dfbf4126c7f21ecd9d9e235bbd8fdd20573b98606d4dc0c6b |
C:\Windows\system\hECJFbE.exe
| MD5 | 2d5b37e614ebfd766f15820fbea26008 |
| SHA1 | d10940d01e9c49a3ebb8e809e1315159d0dd12b2 |
| SHA256 | aa62d11775464247fb886a38f422aa5c863dd31ce0a9ebec33c072391fdce3cf |
| SHA512 | e8f158e5f9b1e040cac19f73f1ad47bbde5bc97de075060dede1550f601486730e65222141c184615d650c03c67f7ae4d11e67cf91daa48256c685eed627b3bb |
\Windows\system\wSNkQDR.exe
| MD5 | ad51bd3b23b6a9d674b62f5ad2a4202c |
| SHA1 | 1adba0d0e6b3c81c85f3476a944666aa1b705c61 |
| SHA256 | 3dc7b2e3a8f4a9675e5a71b9af0e009daf4e135d110b6bb37344a9063656cf02 |
| SHA512 | 4d5adf44d428622ff15c7acc572cc5637db33e54fbc5640ad4622a8078276fba4e4386886cd11b8af71d96b9b2c74b14795278e2a2d52beb688af117c437e450 |
C:\Windows\system\LdFtdbE.exe
| MD5 | 97e9e836dcea7b4c2e116e4dc5c1e2d9 |
| SHA1 | 7e2ca0e7c17dd5d7b33ad3850c17fa26a9226eff |
| SHA256 | 7183c8282a419168229eabe4e4c70bf86b701e11c4fca9d07884d5629e1ae44f |
| SHA512 | 9181d912320ec906c006b988923b75c91ee8cbac660ba9ec700889251f61dc9c2015704e7125c15ba866be9d394aea59087f8441a8a7cef4fc75b2be9d6e8a57 |
C:\Windows\system\UVTTSTV.exe
| MD5 | 017b6a3bf7a8724d4aa744416e3df5e5 |
| SHA1 | c30afe7d0166df842c87ff02aae5a0e99c9e7ccb |
| SHA256 | 219c49ccc846dc4958320c47df7fc590e5a66e73c27fddefdaeb2165b51095f9 |
| SHA512 | 339d579ab0a00d8def5ca07fcd8868343bc05b394d668893f7d4837c67d8de1e79e1ab92d7e24abb462a439cf6a6d68509aa410877012661aee8c56440a98d3a |
C:\Windows\system\HfpiCOx.exe
| MD5 | 532645e17977018c2bfc141f35a4ef64 |
| SHA1 | 9cb372963ec31ef933c237006d78e8ac9614c47d |
| SHA256 | 30936746e424ba6876651cbc446672a639aa83eb71cded5ff74227cfec33691f |
| SHA512 | 8ec74cf1170c03796e6f0e5903a746f59ba19b590ff69584f50bf31a489163dfd6174c19af57d393751e24ef6baaf6a43a5a889f87bd6b41c7bb40806e249c49 |
memory/2752-110-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/2588-109-0x000000013FC60000-0x000000013FFB1000-memory.dmp
\Windows\system\FLJdaPp.exe
| MD5 | f969c407b448be8c1d20105ff4abe855 |
| SHA1 | 0c417553ebe246624fa3a6e2195011dffd77f0fc |
| SHA256 | f3d66333057e2838b78ebeec39efa2af04fde3e9eabefc4cb8694cb9c96a517f |
| SHA512 | b5740f87b40e833bb4c9429414685721da4ea88d12662905cba44f214b55cc54e41e26b93da4d1368022e802e52bd7644ec3d8623f0c4fb2e4acc68c900aaf74 |
\Windows\system\kuGcGCR.exe
| MD5 | e16623d519223ecbd1682469e235d6e1 |
| SHA1 | f2d1e49ad537155aba3b3943d65ba7c01a45ad30 |
| SHA256 | 4ffcc75536aa47a6ccd117e55a171009925ce0cdfe6035735a862f570031b86e |
| SHA512 | f6fd07e37ff640d1e7d05a3cdc5ad7170bc64472668bd38c769f3186d26a304c072d6eb889428ef7756a2c0e7e4c6f14cdbe198d5947ec33ff96c52abb8a3285 |
memory/840-102-0x000000013FB60000-0x000000013FEB1000-memory.dmp
memory/2488-100-0x000000013F2B0000-0x000000013F601000-memory.dmp
memory/2752-96-0x000000013FE00000-0x0000000140151000-memory.dmp
memory/2492-142-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/2752-77-0x000000013FC30000-0x000000013FF81000-memory.dmp
memory/2372-76-0x000000013FC30000-0x000000013FF81000-memory.dmp
memory/3068-65-0x000000013FA70000-0x000000013FDC1000-memory.dmp
memory/2636-62-0x000000013F300000-0x000000013F651000-memory.dmp
memory/2752-94-0x000000013FB60000-0x000000013FEB1000-memory.dmp
memory/2752-91-0x0000000002250000-0x00000000025A1000-memory.dmp
C:\Windows\system\BFxGski.exe
| MD5 | 1b4520116174fa45f8711ffdc0b97aac |
| SHA1 | 0baa3f282a5d43b90cb024d9dc30c4764e0e611d |
| SHA256 | 05ed07fc780d4be290cdc8974a01b36fd46b1ffc1567cabe7087ff4899fb6c64 |
| SHA512 | be0fccb2115e7d008a79a71aa18ff3bc5fa2990cc329bd75d6d310e8874e66b0a24daf02d264f93549161dcaca007a4ab462f7a5cbd386110861f6836b17c474 |
memory/2480-83-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/2752-143-0x000000013F4C0000-0x000000013F811000-memory.dmp
memory/2752-150-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2700-151-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2424-154-0x000000013F8E0000-0x000000013FC31000-memory.dmp
memory/2372-155-0x000000013FC30000-0x000000013FF81000-memory.dmp
memory/2480-156-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/1032-158-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/2552-160-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/908-165-0x000000013F4F0000-0x000000013F841000-memory.dmp
memory/2084-164-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2016-166-0x000000013FB60000-0x000000013FEB1000-memory.dmp
memory/2100-163-0x000000013F8E0000-0x000000013FC31000-memory.dmp
memory/3008-162-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/1040-161-0x000000013FDD0000-0x0000000140121000-memory.dmp
memory/840-159-0x000000013FB60000-0x000000013FEB1000-memory.dmp
memory/2752-167-0x000000013F4C0000-0x000000013F811000-memory.dmp
memory/2752-189-0x0000000002250000-0x00000000025A1000-memory.dmp
memory/2752-190-0x000000013FE00000-0x0000000140151000-memory.dmp
memory/2752-211-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/2636-215-0x000000013F300000-0x000000013F651000-memory.dmp
memory/2896-224-0x000000013F890000-0x000000013FBE1000-memory.dmp
memory/3068-226-0x000000013FA70000-0x000000013FDC1000-memory.dmp
memory/2056-228-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2588-230-0x000000013FC60000-0x000000013FFB1000-memory.dmp
memory/2488-232-0x000000013F2B0000-0x000000013F601000-memory.dmp
memory/2492-235-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/2700-236-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2372-238-0x000000013FC30000-0x000000013FF81000-memory.dmp
memory/2424-240-0x000000013F8E0000-0x000000013FC31000-memory.dmp
memory/2480-243-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/588-244-0x000000013FE00000-0x0000000140151000-memory.dmp
memory/840-254-0x000000013FB60000-0x000000013FEB1000-memory.dmp
memory/1032-256-0x000000013F740000-0x000000013FA91000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 00:57
Reported
2024-05-30 01:00
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\iGFJSih.exe | N/A |
| N/A | N/A | C:\Windows\System\ZPzTkbP.exe | N/A |
| N/A | N/A | C:\Windows\System\IWwjwfW.exe | N/A |
| N/A | N/A | C:\Windows\System\srGTZyW.exe | N/A |
| N/A | N/A | C:\Windows\System\NpugbYE.exe | N/A |
| N/A | N/A | C:\Windows\System\RGZaclS.exe | N/A |
| N/A | N/A | C:\Windows\System\lDWtaEX.exe | N/A |
| N/A | N/A | C:\Windows\System\HPevCjB.exe | N/A |
| N/A | N/A | C:\Windows\System\tWZaVsW.exe | N/A |
| N/A | N/A | C:\Windows\System\uJQksaU.exe | N/A |
| N/A | N/A | C:\Windows\System\NPdGVOD.exe | N/A |
| N/A | N/A | C:\Windows\System\CeKrsti.exe | N/A |
| N/A | N/A | C:\Windows\System\QUCtplr.exe | N/A |
| N/A | N/A | C:\Windows\System\oTurbJR.exe | N/A |
| N/A | N/A | C:\Windows\System\RiKsgYB.exe | N/A |
| N/A | N/A | C:\Windows\System\oZwzlSG.exe | N/A |
| N/A | N/A | C:\Windows\System\WKuKwHf.exe | N/A |
| N/A | N/A | C:\Windows\System\QqJjdAY.exe | N/A |
| N/A | N/A | C:\Windows\System\RYBXZXw.exe | N/A |
| N/A | N/A | C:\Windows\System\DFPzbOK.exe | N/A |
| N/A | N/A | C:\Windows\System\lwqsNCx.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_8abf68c9d0fa2133975bca27b79b0ade_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_8abf68c9d0fa2133975bca27b79b0ade_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-30_8abf68c9d0fa2133975bca27b79b0ade_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-30_8abf68c9d0fa2133975bca27b79b0ade_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\iGFJSih.exe | C:\Windows\System\iGFJSih.exe |
| C:\Windows\System\ZPzTkbP.exe | C:\Windows\System\ZPzTkbP.exe |
| C:\Windows\System\IWwjwfW.exe | C:\Windows\System\IWwjwfW.exe |
| C:\Windows\System\srGTZyW.exe | C:\Windows\System\srGTZyW.exe |
| C:\Windows\System\NpugbYE.exe | C:\Windows\System\NpugbYE.exe |
| C:\Windows\System\RGZaclS.exe | C:\Windows\System\RGZaclS.exe |
| C:\Windows\System\lDWtaEX.exe | C:\Windows\System\lDWtaEX.exe |
| C:\Windows\System\HPevCjB.exe | C:\Windows\System\HPevCjB.exe |
| C:\Windows\System\tWZaVsW.exe | C:\Windows\System\tWZaVsW.exe |
| C:\Windows\System\uJQksaU.exe | C:\Windows\System\uJQksaU.exe |
| C:\Windows\System\NPdGVOD.exe | C:\Windows\System\NPdGVOD.exe |
| C:\Windows\System\CeKrsti.exe | C:\Windows\System\CeKrsti.exe |
| C:\Windows\System\QUCtplr.exe | C:\Windows\System\QUCtplr.exe |
| C:\Windows\System\oTurbJR.exe | C:\Windows\System\oTurbJR.exe |
| C:\Windows\System\RiKsgYB.exe | C:\Windows\System\RiKsgYB.exe |
| C:\Windows\System\oZwzlSG.exe | C:\Windows\System\oZwzlSG.exe |
| C:\Windows\System\WKuKwHf.exe | C:\Windows\System\WKuKwHf.exe |
| C:\Windows\System\QqJjdAY.exe | C:\Windows\System\QqJjdAY.exe |
| C:\Windows\System\RYBXZXw.exe | C:\Windows\System\RYBXZXw.exe |
| C:\Windows\System\DFPzbOK.exe | C:\Windows\System\DFPzbOK.exe |
| C:\Windows\System\lwqsNCx.exe | C:\Windows\System\lwqsNCx.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\iGFJSih.exe
C:\Windows\System\ZPzTkbP.exe
C:\Windows\System\IWwjwfW.exe
C:\Windows\System\srGTZyW.exe
C:\Windows\System\NpugbYE.exe
C:\Windows\System\RGZaclS.exe
C:\Windows\System\lDWtaEX.exe
C:\Windows\System\tWZaVsW.exe
C:\Windows\System\uJQksaU.exe
C:\Windows\System\HPevCjB.exe
C:\Windows\System\NPdGVOD.exe
C:\Windows\System\RiKsgYB.exe
C:\Windows\System\oTurbJR.exe
C:\Windows\System\oZwzlSG.exe
C:\Windows\System\QqJjdAY.exe
C:\Windows\System\RYBXZXw.exe
C:\Windows\System\WKuKwHf.exe
C:\Windows\System\QUCtplr.exe
C:\Windows\System\CeKrsti.exe
C:\Windows\System\DFPzbOK.exe
C:\Windows\System\lwqsNCx.exe