Analysis Overview
SHA256
dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e
Threat Level: Known bad
The file 2024-06-01_eee8f4cb29e9a44eb4e8d3f70f1a1894_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Xmrig family
XMRig Miner payload
Cobaltstrike
xmrig
UPX dump on OEP (original entry point)
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 10:24
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 10:24
Reported
2024-06-01 10:26
Platform
win7-20240221-en
Max time kernel
145s
Max time network
153s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits, each with Description, Indicator, Process and Target recorded as N/A.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits, each with Description, Indicator, Process and Target recorded as N/A.
UPX dump on OEP (original entry point)
61 hits, each with Description, Indicator, Process and Target recorded as N/A.
XMRig Miner payload
64 hits, each with Description, Indicator, Process and Target recorded as N/A.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\eSnPEUr.exe | N/A |
| N/A | N/A | C:\Windows\System\AOdvgfd.exe | N/A |
| N/A | N/A | C:\Windows\System\BHPAvIW.exe | N/A |
| N/A | N/A | C:\Windows\System\wtSfdnB.exe | N/A |
| N/A | N/A | C:\Windows\System\mrWAJjI.exe | N/A |
| N/A | N/A | C:\Windows\System\QzYDhUP.exe | N/A |
| N/A | N/A | C:\Windows\System\eKVTpks.exe | N/A |
| N/A | N/A | C:\Windows\System\qlSHyaE.exe | N/A |
| N/A | N/A | C:\Windows\System\VEhUqVX.exe | N/A |
| N/A | N/A | C:\Windows\System\DNFyACa.exe | N/A |
| N/A | N/A | C:\Windows\System\hkbvOZf.exe | N/A |
| N/A | N/A | C:\Windows\System\iZOvCdS.exe | N/A |
| N/A | N/A | C:\Windows\System\UIKoafX.exe | N/A |
| N/A | N/A | C:\Windows\System\HGBkoUY.exe | N/A |
| N/A | N/A | C:\Windows\System\PLFfgxP.exe | N/A |
| N/A | N/A | C:\Windows\System\qvEbAAG.exe | N/A |
| N/A | N/A | C:\Windows\System\FMGKhvA.exe | N/A |
| N/A | N/A | C:\Windows\System\jbtKtUz.exe | N/A |
| N/A | N/A | C:\Windows\System\UjDXXLE.exe | N/A |
| N/A | N/A | C:\Windows\System\agsAWhZ.exe | N/A |
| N/A | N/A | C:\Windows\System\dwZFuDr.exe | N/A |
Loads dropped DLL
UPX packed file
61 hits, each with Description, Indicator, Process and Target recorded as N/A.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_eee8f4cb29e9a44eb4e8d3f70f1a1894_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_eee8f4cb29e9a44eb4e8d3f70f1a1894_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_eee8f4cb29e9a44eb4e8d3f70f1a1894_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_eee8f4cb29e9a44eb4e8d3f70f1a1894_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\eSnPEUr.exe
C:\Windows\System\eSnPEUr.exe
C:\Windows\System\AOdvgfd.exe
C:\Windows\System\AOdvgfd.exe
C:\Windows\System\BHPAvIW.exe
C:\Windows\System\BHPAvIW.exe
C:\Windows\System\wtSfdnB.exe
C:\Windows\System\wtSfdnB.exe
C:\Windows\System\mrWAJjI.exe
C:\Windows\System\mrWAJjI.exe
C:\Windows\System\QzYDhUP.exe
C:\Windows\System\QzYDhUP.exe
C:\Windows\System\VEhUqVX.exe
C:\Windows\System\VEhUqVX.exe
C:\Windows\System\eKVTpks.exe
C:\Windows\System\eKVTpks.exe
C:\Windows\System\hkbvOZf.exe
C:\Windows\System\hkbvOZf.exe
C:\Windows\System\qlSHyaE.exe
C:\Windows\System\qlSHyaE.exe
C:\Windows\System\iZOvCdS.exe
C:\Windows\System\iZOvCdS.exe
C:\Windows\System\DNFyACa.exe
C:\Windows\System\DNFyACa.exe
C:\Windows\System\HGBkoUY.exe
C:\Windows\System\HGBkoUY.exe
C:\Windows\System\UIKoafX.exe
C:\Windows\System\UIKoafX.exe
C:\Windows\System\PLFfgxP.exe
C:\Windows\System\PLFfgxP.exe
C:\Windows\System\qvEbAAG.exe
C:\Windows\System\qvEbAAG.exe
C:\Windows\System\FMGKhvA.exe
C:\Windows\System\FMGKhvA.exe
C:\Windows\System\jbtKtUz.exe
C:\Windows\System\jbtKtUz.exe
C:\Windows\System\UjDXXLE.exe
C:\Windows\System\UjDXXLE.exe
C:\Windows\System\agsAWhZ.exe
C:\Windows\System\agsAWhZ.exe
C:\Windows\System\dwZFuDr.exe
C:\Windows\System\dwZFuDr.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2768-0-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2768-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\eSnPEUr.exe
| MD5 | fad15b13895711bd88d04289f64be693 |
| SHA1 | 0fe5e88cc1bb47c9955feb84d4b52e6b577e8d76 |
| SHA256 | a4d3a38cbc26061c94b43a0cf017a90ac13504fb81c094c1b654d18f78c387f4 |
| SHA512 | 00a6e46c8fce8efca660976f646b4dc7a73641cc5e0463391a0e985befc4372837a34a29382368b9cbf3f7cea698befb3bf41ad4013866ddf3975d43e4a3c2d8 |
memory/2768-6-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2860-9-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
\Windows\system\AOdvgfd.exe
| MD5 | eef2920da4ff09c8aae9b83e88a67da6 |
| SHA1 | c1798cc1cb20225902dcfe814893cbcfa2adea5b |
| SHA256 | 0f249714d52e941ca3f639ecf2c024c69b9fb85a074b8a003f3380ad140f1b12 |
| SHA512 | 25c4360268cbd3cec6ce0091b1fae9ac3fae3711b9e12aa59c0313cfb33d5443f6b90776317f9f03ef1ead231edcaa213d7bd9e2f915198cd2c5c3d005afcf15 |
\Windows\system\BHPAvIW.exe
| MD5 | 21291fc432693929327a4d3f0e1a8494 |
| SHA1 | b78acae6fbf36b9515d7ddba9e291b4a01885ed3 |
| SHA256 | 4caed6f00ac98793a7da7a8b9e2991a4e9f65b7cfc691235e04849cecc9673d7 |
| SHA512 | 72acc2a6748a34394ea8d17ea64f7968d772e9cc3cb54e3d66f5d81f21531f9448b876b58c1cf4ddba679d87b756a97c9eae8d765ed42c353dee94a880bcc348 |
memory/2768-22-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2548-21-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/3060-20-0x000000013FBD0000-0x000000013FF24000-memory.dmp
\Windows\system\wtSfdnB.exe
| MD5 | ecce49bca42e7fc30df7dbf7e2cba5ac |
| SHA1 | 0eaf08a526f5e1c687dbb2a1801ec17a0f30b32f |
| SHA256 | 9a4aa2a5e8e9225dc2714373d8e9e734bd3977664562cb6e2f730337cceee643 |
| SHA512 | 0dc30a53dad0682c29f9873c7dc7c8b1502eb8eb1a5f8628a5ffb4b500a261b77b98415bcf486c5868afcbfcfcdc142b53ff7b67dc825ac0963312a812bc304a |
memory/2768-28-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2468-29-0x000000013FCC0000-0x0000000140014000-memory.dmp
\Windows\system\QzYDhUP.exe
| MD5 | f80dff286fb8d083d87e2ce71eb9b62e |
| SHA1 | 2ef9f608716047ad4fb79e205b2c9c4e1cda03cc |
| SHA256 | ceb6baf7951a7a68fb63ab4ab4a2318fec4b6fda8fbd6dea666ffcc7f3fbe924 |
| SHA512 | c50a7d9b0480499a0782692925de185c3ab6bcb0c0001259a78170f82d6a58b12282dc4f412cad0d8b3e17b7148c5cffd41949b5650464ed0958fda82129ce9e |
memory/2768-40-0x000000013F510000-0x000000013F864000-memory.dmp
\Windows\system\eKVTpks.exe
| MD5 | c35963393868cac2140482e2295108ee |
| SHA1 | a111c44a6e4d65d65b47dffd359abbfad53e7986 |
| SHA256 | c222071aa6ed1304925a0a6633a3b72914d3c00f60483da5b2d3d163b688feee |
| SHA512 | 1a3882a952bc046e07026b86def3f7ce6d56a94a5435fc76c2d3483e14efcc1942dd9aecf36312c88200784e2440921d54d460ff6e158e5c899bb50ab4a4886f |
memory/2768-51-0x000000013F1C0000-0x000000013F514000-memory.dmp
\Windows\system\qlSHyaE.exe
| MD5 | 95b4d0373ccc634735feb55165d66b14 |
| SHA1 | 1f37510ba6be89b8dbfbf23854b161abca5e7435 |
| SHA256 | e0f6c9e47315dda7614cc17b83658d288c8a202978871639dc8ace41d799252f |
| SHA512 | f9ece46fa297ffdcf0788e7f7b49d85f3c92240a9f04f8fd9fa42c70b5ff54ac714a0d48a8f4aa0d227e63b076dc1995bc516a50f6751d1210ed3327014bb632 |
memory/2768-59-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2532-65-0x000000013FCB0000-0x0000000140004000-memory.dmp
\Windows\system\mrWAJjI.exe
| MD5 | 5c3dd8e989b4dd47d7572619ebbd702b |
| SHA1 | 377a9d82e4184d4219c1986717ca0750446293a3 |
| SHA256 | 4ffcd8bcc5562ed1c6225615cd78bc9a6d533725e8311f06759f41d5ef19fa99 |
| SHA512 | b72a363c97ad674534e61677e090e94cf1bee653f5864684a934ffdd230fa611996def4235795961f96263317819da1622148c431872b49fd61fed995c5eff17 |
C:\Windows\system\DNFyACa.exe
| MD5 | 4d387b27b6a9e633a2832ed591b59f62 |
| SHA1 | 5623f92249fe3d7a87ced56da07ad3fa6eb1eccf |
| SHA256 | 84eb7963b4f05de2400d77eacd3a2e27d543670b712cdced3f5413abda44bcfb |
| SHA512 | e48d5e1dfac79d0b1bbd0ebf0f20784e9b3f88db77e6908e416277f16f35a0ed815285eb6315f2716dc470855a6ca50da35a838ee7ecc074cea3cb53e383bdfb |
memory/2584-75-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2448-81-0x000000013F130000-0x000000013F484000-memory.dmp
C:\Windows\system\hkbvOZf.exe
| MD5 | 8312bd63264f209bb98086006d163caf |
| SHA1 | 7f763f7a34915c3c3a97a087fb6d93972ca1963f |
| SHA256 | eb6df786ea9d48e6f6a1d98448f5ea1fc62367749709c28ca05b2fa11c923b0f |
| SHA512 | e147a41b79f4aa55203e16db64f5ab5a7d974e382b183dbbb0c39a5e31e36ace3c949b7512a832da948c63a8ba3e8143b22a3dc119df52228143acd42e164c4d |
\Windows\system\UIKoafX.exe
| MD5 | 603446a0810e72bff494e32c5f7684e7 |
| SHA1 | 5ce2dad96361ac16610c78197097c2349518041c |
| SHA256 | 6f532ce4b15d4254b01a6e5ec686e77ae6c626294ec6f18ce8e138ed0c793e8f |
| SHA512 | 694a52618f6d5a09f09aba81e29d861da3dfd87c1984d4a9a3c9bd6e8e6e46756dd483846f75ecc17d2eb4d77aba96b56270a72dbaf0674a4aa6aab9c72231d2 |
memory/2768-94-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/1884-95-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2476-96-0x000000013F1C0000-0x000000013F514000-memory.dmp
C:\Windows\system\jbtKtUz.exe
| MD5 | f17e59b12558b03394c483baf377c735 |
| SHA1 | 6bebc8502c1d9b2bfefe0c6ca6f10e5d5eacb817 |
| SHA256 | ce316baea42d74ce59261c2890ba7ae3076d3042e0946e73d0d611b8471e80a0 |
| SHA512 | 0452a1a2eaa6b02a293ca580013e4d8fba1165be700f666c9e449a8ecf57933a3bb06b89faf753a9e10385ee336c5db41a3de550e8d6a0f41280dec15c4e2e84 |
C:\Windows\system\FMGKhvA.exe
| MD5 | d6199e14d00e3b5e7a33df848996b95c |
| SHA1 | 8e8351c19431df8972fecdcae699b37fddaa1ea9 |
| SHA256 | 5ba2c116f9aee4882a4227c93e2329e4d8384f64a2dfe45a8f088d47755243d0 |
| SHA512 | f5d21a10b14b497770fc2fd69d1a44e8c95d630e36d9de43319c34ea8746eed10c2002adbc553d752635d0c9c156cbc3dbbb6d5fd37a41675cc133095f9b0745 |
\Windows\system\dwZFuDr.exe
| MD5 | d98fb8f8d83f3fafd8aaea11e7224d34 |
| SHA1 | 1376561723cce4e737b94f79f86b010df84e7054 |
| SHA256 | 9a245da734aed9eb1fb0194147db59cd4f52c57e4d5633304c8743c44fec98fc |
| SHA512 | b35419beaeb5aee3e171f5a58491e6e2e8639d714dba9eabc43d3e56801454b8b082d16a10483a5a821151a49c7c51ea212271db5054d83f39e5b95cddeca894 |
C:\Windows\system\UjDXXLE.exe
| MD5 | edf248e37559492e652acd0b4c03bdae |
| SHA1 | 6ec599d4691d00c7e3e701b3e0684c34d2a98af4 |
| SHA256 | 20f4a9a8d153b1540b7b06d5c0afc8cd26aba278e9508a8eb0f71081341ddfb6 |
| SHA512 | 0e7e356a81d0385f540a6ae6fc1c7a84fccf279d42852c8529314554694b5a5e1de65a8f5415f97aff4b3f3013d816670418acae9c8bfaba5f1a49fa46411063 |
C:\Windows\system\agsAWhZ.exe
| MD5 | 82398bc9492532b682f6851f420cb657 |
| SHA1 | 4d7daad7f4dfa4cc9e6fecf5d8b3cf57ff51849a |
| SHA256 | c99bfe5ce7bd4978d945b4dde8787a89d94609f943cd1ccc85891bbdf0df0b38 |
| SHA512 | 7d7c89e080a82f4917ccd2eaa7e5a9394a0833c753ac7c194506017feb3c4ef52b6efd25b1f3e37a9913a144d567f1dc88b95424f4258876e0a6c6f75b76b537 |
C:\Windows\system\PLFfgxP.exe
| MD5 | ce0b9712fffb75f710467b1ce87fcf4a |
| SHA1 | 13712cc622c5b3dfb286204fcf1e79c4a9d16390 |
| SHA256 | 81deb1b0686a88f2dede850b0066c729cae9d5ceacf195a2208facfc6c09cd68 |
| SHA512 | b36fcfdf9b534c75c30af28c6d266b1d12cc567b3cfa2eff829bb872f5853e890c27802a9057577a6d46f3d15ae97fbbc11d2d029a840f2cc872e54036bd6790 |
memory/2768-135-0x000000013F130000-0x000000013F484000-memory.dmp
memory/588-101-0x000000013F590000-0x000000013F8E4000-memory.dmp
C:\Windows\system\HGBkoUY.exe
| MD5 | 4921e98e00eb4ed10c231b4dc26ba81d |
| SHA1 | c9e4aeaa65851f4a975f2ef590e97feb6fbd99a1 |
| SHA256 | 7206e89b70f07e89fc8b7e84380353136282ef15fd26fafe54ef0274107cdc99 |
| SHA512 | b2dd34bc7b95c0fe696b43f5c0af4a14cea6918b56ad8e11da430355b7741aca297129c9bfe7197a5ef68761081723a8315bebe3a140264da1d09fb61f2f02c9 |
C:\Windows\system\qvEbAAG.exe
| MD5 | 499d8a91d7f315fbce87fe8b99eba96a |
| SHA1 | 46e5b26732d19a244283303e289cc6162c79ecf9 |
| SHA256 | ff656e0ddae1352fb5ceebb433c389975ecf84f9f1b69bebf7933c0dd9b2878e |
| SHA512 | 660ff5ae39686b1319b2283df6cf125268aff44b4a9069c5f6505ea03a390843c7981e5d14d2273eb7005f20da78fca920f647e3f8a141414e126d93c8b73113 |
C:\Windows\system\iZOvCdS.exe
| MD5 | 14de7df4cdf566663e127a9c5dc06c5a |
| SHA1 | 9a8d1584588a9f78eebaa73a59c1371e15a20614 |
| SHA256 | 4a59d9f20e14b5ca9a24ec0fdac2b75f5a772db541cc2f7c7c8a73f9d29b78a4 |
| SHA512 | ba2815752555d718f50f198a5fe31a8c837de007cf949f1455bc4636e7434b994838101c55d98ce84527650f8eaf23a259a7eb281327c5360f39dd8a00314751 |
memory/2768-86-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2880-70-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2476-57-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2860-52-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2532-137-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/2768-136-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2768-45-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2512-42-0x000000013F510000-0x000000013F864000-memory.dmp
\Windows\system\VEhUqVX.exe
| MD5 | 7944f8687ced5236a2c6ce03651206a0 |
| SHA1 | 3d79633d0baad22e943b895eb549c979948f6482 |
| SHA256 | c088da2e51e7e3c4f45f4aacbe6cca3b9159cdde198e185827576201cd808691 |
| SHA512 | c1498b0ab6eab1e4a3a176e078d793d87189c6a2c608fbaced85e6ebebf1b7425ddd6d74af6ac4531d0426851cc06dc872cfcaac9857bc8aafb17cc03b955d24 |
memory/2380-91-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2192-77-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2768-76-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2768-63-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2584-36-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2880-139-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2768-138-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2768-140-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2192-141-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2448-142-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2768-143-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2380-144-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2768-145-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/1884-146-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/588-147-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2860-148-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/3060-149-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2548-150-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2468-151-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2512-152-0x000000013F510000-0x000000013F864000-memory.dmp
memory/2584-153-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2476-154-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2532-155-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/2880-157-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2192-156-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2448-158-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2380-159-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/1884-160-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/588-161-0x000000013F590000-0x000000013F8E4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 10:24
Reported
2024-06-01 10:26
Platform
win10v2004-20240426-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits, each with Description, Indicator, Process and Target recorded as N/A.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits, each with Description, Indicator, Process and Target recorded as N/A.
UPX dump on OEP (original entry point)
64 hits, each with Description, Indicator, Process and Target recorded as N/A.
XMRig Miner payload
64 hits, each with Description, Indicator, Process and Target recorded as N/A.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\YFqxbSG.exe | N/A |
| N/A | N/A | C:\Windows\System\ToqncVz.exe | N/A |
| N/A | N/A | C:\Windows\System\rXFiMnP.exe | N/A |
| N/A | N/A | C:\Windows\System\omKCwke.exe | N/A |
| N/A | N/A | C:\Windows\System\yhcLScK.exe | N/A |
| N/A | N/A | C:\Windows\System\DYPcxFr.exe | N/A |
| N/A | N/A | C:\Windows\System\BrmIGyM.exe | N/A |
| N/A | N/A | C:\Windows\System\kwzbvYt.exe | N/A |
| N/A | N/A | C:\Windows\System\lYkRBhj.exe | N/A |
| N/A | N/A | C:\Windows\System\KjjioSy.exe | N/A |
| N/A | N/A | C:\Windows\System\qBCFUvc.exe | N/A |
| N/A | N/A | C:\Windows\System\DVNRotB.exe | N/A |
| N/A | N/A | C:\Windows\System\upUFAJA.exe | N/A |
| N/A | N/A | C:\Windows\System\PqzeOVn.exe | N/A |
| N/A | N/A | C:\Windows\System\RGrrhUD.exe | N/A |
| N/A | N/A | C:\Windows\System\YrjTliA.exe | N/A |
| N/A | N/A | C:\Windows\System\XCvkhEh.exe | N/A |
| N/A | N/A | C:\Windows\System\gisLdWg.exe | N/A |
| N/A | N/A | C:\Windows\System\ycDyiSW.exe | N/A |
| N/A | N/A | C:\Windows\System\wDdtlgP.exe | N/A |
| N/A | N/A | C:\Windows\System\OJRTfhB.exe | N/A |
UPX packed file
64 hits, each with Description, Indicator, Process and Target recorded as N/A.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_eee8f4cb29e9a44eb4e8d3f70f1a1894_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_eee8f4cb29e9a44eb4e8d3f70f1a1894_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_eee8f4cb29e9a44eb4e8d3f70f1a1894_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_eee8f4cb29e9a44eb4e8d3f70f1a1894_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\YFqxbSG.exe
C:\Windows\System\YFqxbSG.exe
C:\Windows\System\ToqncVz.exe
C:\Windows\System\ToqncVz.exe
C:\Windows\System\rXFiMnP.exe
C:\Windows\System\rXFiMnP.exe
C:\Windows\System\omKCwke.exe
C:\Windows\System\omKCwke.exe
C:\Windows\System\yhcLScK.exe
C:\Windows\System\yhcLScK.exe
C:\Windows\System\DYPcxFr.exe
C:\Windows\System\DYPcxFr.exe
C:\Windows\System\BrmIGyM.exe
C:\Windows\System\BrmIGyM.exe
C:\Windows\System\kwzbvYt.exe
C:\Windows\System\kwzbvYt.exe
C:\Windows\System\lYkRBhj.exe
C:\Windows\System\lYkRBhj.exe
C:\Windows\System\KjjioSy.exe
C:\Windows\System\KjjioSy.exe
C:\Windows\System\qBCFUvc.exe
C:\Windows\System\qBCFUvc.exe
C:\Windows\System\DVNRotB.exe
C:\Windows\System\DVNRotB.exe
C:\Windows\System\upUFAJA.exe
C:\Windows\System\upUFAJA.exe
C:\Windows\System\PqzeOVn.exe
C:\Windows\System\PqzeOVn.exe
C:\Windows\System\RGrrhUD.exe
C:\Windows\System\RGrrhUD.exe
C:\Windows\System\YrjTliA.exe
C:\Windows\System\YrjTliA.exe
C:\Windows\System\XCvkhEh.exe
C:\Windows\System\XCvkhEh.exe
C:\Windows\System\gisLdWg.exe
C:\Windows\System\gisLdWg.exe
C:\Windows\System\ycDyiSW.exe
C:\Windows\System\ycDyiSW.exe
C:\Windows\System\wDdtlgP.exe
C:\Windows\System\wDdtlgP.exe
C:\Windows\System\OJRTfhB.exe
C:\Windows\System\OJRTfhB.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2520-0-0x00007FF7F3920000-0x00007FF7F3C74000-memory.dmp
memory/2520-1-0x00000236D80A0000-0x00000236D80B0000-memory.dmp
C:\Windows\System\YFqxbSG.exe
| MD5 | 2b25867064220aae8ca51d4f28cfefd3 |
| SHA1 | 90a43647258002d41bb2d0cf0e2567f539cab561 |
| SHA256 | ad13c5f8b92bb950de505d50f4220bb7a428e8efacce57ba0d6e2e1660c921fa |
| SHA512 | 308ae032042e1d5ec718c9e1400b71c9f5a286cac90eb2cbb5427ccadadcc8835c5a1262aae268621031fffd6b4286c2112dab6b6c53c981b423981da6f56e27 |
C:\Windows\System\ToqncVz.exe
| MD5 | 6f191ae4a3b6b9c910fb59cc6b8e6b51 |
| SHA1 | dc93fd08ea31738ebe098ed6b742cd486dfc755a |
| SHA256 | 4e1a4cd996016467f2f0909ee97086a9380baf4c5e8ab14e599131b7aaf09484 |
| SHA512 | 774151369e66dee5457a0532c79147e8b5761f00e0926cda32a9236b4e9f04b0e6f96cf0a98a98b581be38c67c71fefaba4f7db8904905b6be6e22a44e7acb0f |
memory/3216-12-0x00007FF698280000-0x00007FF6985D4000-memory.dmp
C:\Windows\System\omKCwke.exe
| MD5 | 3930153f954c77b897d6bb3142bd488d |
| SHA1 | 37d23b499d2959adfd08bbc3e7d2d0fc8cc333a6 |
| SHA256 | 3ef76c07ba5d8a92e3262af294188f75fec9025aee2a18c0985b6a1ccce22883 |
| SHA512 | f5ae0ca9be85a336db9efbaf5aa533eecf7a5940e07b824a6c10dffa6ec25961848b912387bbb5951b8c6536576c1ba057a68b0e41fe428a027c1ee8c99377ad |
C:\Windows\System\yhcLScK.exe
| MD5 | dfeea88b2f0f7bbe6a076fe198853a4d |
| SHA1 | 5c9e75982850438bf92b4ae1eed3f9869382b4b6 |
| SHA256 | 67507ea9183e39ffec8ba211572f0e4c490ebc93ad03397f50fa6e5399975948 |
| SHA512 | c60879cd1b894ffba076c2dcc47ebff609cd1805795639e0ed5816cdfb9a481dfd8640e0fd95fe3335ab8a53f84fc7b8060dcc142c7d3b974c2d58475c39d5c8 |
memory/4524-26-0x00007FF74B2C0000-0x00007FF74B614000-memory.dmp
memory/4628-24-0x00007FF6078D0000-0x00007FF607C24000-memory.dmp
C:\Windows\System\rXFiMnP.exe
| MD5 | 17765a4ba22468f95addffcf5f2d3cab |
| SHA1 | 8780f748a0c5230d4b0da26349ce55eac1026437 |
| SHA256 | 9bb5a17a09c41cd9c130a94ea2c659b81debcbad5b8b5f4d658f60b26aabd3dd |
| SHA512 | 2d933e114f35c96477d5f9fd0d87713119981a4df65f6449d2dbe57a73bae36005879cb34e0cdc145f67a76fb3c8d5eb22e0890104a58e777964f13091fcc5d6 |
memory/2036-20-0x00007FF7CFE60000-0x00007FF7D01B4000-memory.dmp
memory/1832-34-0x00007FF7B53D0000-0x00007FF7B5724000-memory.dmp
C:\Windows\System\DYPcxFr.exe
| MD5 | 64ca405f30b793b3a2876130cdb24b1c |
| SHA1 | 8c4dbe80877b4ea3feaae16d02be7da4a298ac04 |
| SHA256 | 5fd753c52478c072a81641c07c9f6aa432d36deba08f343e32a42a62f10f7895 |
| SHA512 | a75cde18f7be2c910678f810d2a348d3f6eab7881778ccc902b3f23ff38c6486d1919d36fc5ed241f08630973a19d837d0ba26a31323f256538b82f363ce4343 |
C:\Windows\System\BrmIGyM.exe
| MD5 | e81651ce3e1e6cc08f4008ee941aad8a |
| SHA1 | 08d7cdd2417bc06a1678347fc8e2d78ed09e9e13 |
| SHA256 | d07fedf3b781d65646881414f3d230df7f25182aac2c32046e7318372a0e62c2 |
| SHA512 | 01113b891a5738aa32fd9111c7682ba7b27a65b52bd8ce7c2f41987d360e2fb8b9f37e6e2aefa2a5dfe25a5aaf2859270d54d95492b57f101252d2d36eeae091 |
memory/2708-42-0x00007FF75AF90000-0x00007FF75B2E4000-memory.dmp
C:\Windows\System\kwzbvYt.exe
| MD5 | 4fec54256747c0ebc9f9e37c678dfbc0 |
| SHA1 | 4b989d73df93913c5a9ed22f41a4c09b5e84f672 |
| SHA256 | f57e92bf635bf43a37bf95f270b6e0684af198060db35859dc53e087b82d4984 |
| SHA512 | b21fda849a6d08228e0dd0ce637d1fd6b3958dc89af7428027ca8b9df9f30d1fab57f0a6ae6cce736bc350deaea798274a102f066b1739df3da0e115b463ed99 |
memory/4388-51-0x00007FF7A5740000-0x00007FF7A5A94000-memory.dmp
memory/324-54-0x00007FF61D190000-0x00007FF61D4E4000-memory.dmp
C:\Windows\System\KjjioSy.exe
| MD5 | fe48f8459d4867adb1e2396a26aacb57 |
| SHA1 | 594cd7f84cb14519bd01dd4e77325006a1884a89 |
| SHA256 | a0e37a3a5cf9fe0f24ec73d479a815af55c0610b64ae2d9942488ac3c4a4bbfd |
| SHA512 | ac5f164ffb2781bc0f665658d835133fb366a8b9ad47b0f06cdee66bea16d5a715d02bc38fbf42e71039985af261c6d0701d6942a8f5f9c49ca589ce7bf9f7e4 |
C:\Windows\System\lYkRBhj.exe
| MD5 | fc902d04e6172ca0ca90e2b48b374cb2 |
| SHA1 | 6beb39dfe921f21de8c82cbd2398e4cfccbe9cbb |
| SHA256 | 24df3476f4e81d8d208e6e9f8a82f262db334f0c30d96742a3bae5d31310a678 |
| SHA512 | d066930b0a994c95d19e88f5a471579e74f848054aecf48cd88d47beb2356584a62b89ea515a7d4c77e6f9687dbafd1b343f1c1cd47c0f49a946e615e7115b92 |
C:\Windows\System\DVNRotB.exe
| MD5 | 05c8d2568fa80476a84c70381934a851 |
| SHA1 | 8257f74e78defd90403797247108906b6b23465f |
| SHA256 | 95b2d96a9694e784ee91fc3a03cefed90a0f309b9dce606ff1f21bed00949acf |
| SHA512 | eb37d0e08c6986cff04b4716d2c50cfaf24e05922dad861843b58a74e53caa04c21337a93b4907be823798050432ac8ef28cb24a1b2a4f13ec4d63b40fc685e7 |
C:\Windows\System\upUFAJA.exe
| MD5 | ed570b6363ed45977f800e9144fd9091 |
| SHA1 | 95fd6b80c0905e2f5d4f9cfa40ffee472b630ef1 |
| SHA256 | 69307139b46ff8540b99ebf8662b560291e729f9c6bc09a78c233bd74b7c57df |
| SHA512 | d3fcfa97016db477d922f9c5e87619243a1ebc1c4d5b7d7670cf03c4664e8784d1965110e2437311236ee78103861452b52e4ad1196cffae4e8f2ff60fe2f70b |
memory/4612-87-0x00007FF694D80000-0x00007FF6950D4000-memory.dmp
memory/2036-93-0x00007FF7CFE60000-0x00007FF7D01B4000-memory.dmp
memory/2244-112-0x00007FF7BD0E0000-0x00007FF7BD434000-memory.dmp
C:\Windows\System\ycDyiSW.exe
| MD5 | 80385843bc32c37f1e92b748654c8a3a |
| SHA1 | ba42bc39e5e1a053a3edc1a56235bd2e548127cc |
| SHA256 | 87cd50663909dd6c6adf2388eeeed2e913993020ac7339d8d463451443713229 |
| SHA512 | 2b0d1beb7eaeefaf74db1b78b5a6c30f958ad639b3050c273d59f17c11b11897663aa9b457f11907f71b794ae9252af2c9ff84f9509df8824f59fe4868f4baff |
C:\Windows\System\OJRTfhB.exe
| MD5 | a90973cbb2cd8d795c0edc6be3d68969 |
| SHA1 | 6776eadc7aecad81c7a7833a893098f77f604fac |
| SHA256 | 7003c3690e178cc5c50cd52075d6349457bbca9fba2fb04bfd0901a5ce241dca |
| SHA512 | c0c02d390cc6c3370d15485e5713ea2bbddc376e9f4437b08bbfa33febc7e07a219d794c84812fa64473d34ee82110ea8bdf3b3deaabbdfc633302ba89e7311a |
memory/3064-125-0x00007FF710B70000-0x00007FF710EC4000-memory.dmp
memory/4628-124-0x00007FF6078D0000-0x00007FF607C24000-memory.dmp
C:\Windows\System\wDdtlgP.exe
| MD5 | 3542fc885aa0cb13106333b4abe38cb9 |
| SHA1 | 8716bb027bb4fd6ef38ffdc1ff6fb51621d982fb |
| SHA256 | 1fb0a808e6a95fca8bade9096c47d182317081f0ae71a3952d1f2799ea9d5e7c |
| SHA512 | e322fb702ed8bf171adf7e875afecd0b37e1c5458d6065a3114f82c69718a8ae537018e754de98f7dd3af4c616ae9791a3c44178ce5eec3ef98539e7135ebee0 |
memory/5108-119-0x00007FF635A80000-0x00007FF635DD4000-memory.dmp
memory/5012-118-0x00007FF741BD0000-0x00007FF741F24000-memory.dmp
C:\Windows\System\XCvkhEh.exe
| MD5 | d98dbf2cb359b02437fd56fa044daef4 |
| SHA1 | f3b93cd9cc5d109624442379269d4fb050e1f659 |
| SHA256 | 9413b575882f07b452c2b6589fb837c52bd6a6cc65e91d93ba78405d702d2c65 |
| SHA512 | c5862679618f0fc0a693786edd84842d12d68862237963bf372da512adfff2d63dec9e4420b2f030a0f585038cf9ab974eaf604e6ba3c93964f1382d7f56b34b |
C:\Windows\System\gisLdWg.exe
| MD5 | 5987c6c62e7a6b5ddc46da3895d9233d |
| SHA1 | 24d7d36b8490aaa910161dc543ed4358ef6791eb |
| SHA256 | f4771208f8841b16f259c6fe0ef4f56b9bce9c458ae0d449ffb85fa3018825a7 |
| SHA512 | 53f92052d9b8dd54ff2fd4f4c23e75af91ed64756449aca9cc08e39333626a65a9de17cc7bd9068b06069ca3c59281154fd49cdef5758046177318b376136dfb |
memory/5032-113-0x00007FF75D880000-0x00007FF75DBD4000-memory.dmp
C:\Windows\System\YrjTliA.exe
| MD5 | 091c88b82b5f726dc0062701504b6f0e |
| SHA1 | 5d7fcda2af215544c55f33aa7434d5128f05cb1b |
| SHA256 | 5199697cd5cecf1609eb417da19f7f92787bd4c60aa4b20955341767095b135c |
| SHA512 | 65315f0b0acaf22f177d10f2119cc0a57c23feede9b30dfa90b7d75b1fa9dd7e75f596f4c5b0466a31e852a4ab8b06190e4ebefe6ca7eba6c15f0822a111ecd2 |
C:\Windows\System\RGrrhUD.exe
| MD5 | e157d6aeba8a374f58e70a5683c1e37f |
| SHA1 | a5ca659d7656c057b8840b8d7e2ab8c397bdcf94 |
| SHA256 | fcc323acf7a0c1089a2556829b206808afbd811d791c088f954646c8c231047c |
| SHA512 | a6da0735a91c684d9c2f40e929cae9af1bf218fddc565f756ad74ff1e67794989a714f4a091d8c64d3547d2e56d64b6ba24105a1dd237f80c4b325bdbf1a851f |
memory/3936-103-0x00007FF74D260000-0x00007FF74D5B4000-memory.dmp
memory/1448-102-0x00007FF756860000-0x00007FF756BB4000-memory.dmp
memory/1988-92-0x00007FF790D20000-0x00007FF791074000-memory.dmp
C:\Windows\System\PqzeOVn.exe
| MD5 | d99f11af272f4a707a6d6b42cb6fcfde |
| SHA1 | fb1b2bfe6d666ca4030fea015e0444e884f9c899 |
| SHA256 | 146a6b4b06d8158726f9b859a9dcc4cae0fce33706ef6c931355eb986a76a101 |
| SHA512 | cf8e6e0bc17a49ffcd33a0b61435b296815df4b3279dde5af659f0641edd28c87d0869d6145e90da22ba82c1961005c04e31fa3740ec0afc3cc22c554532be36 |
C:\Windows\System\qBCFUvc.exe
| MD5 | 288a932aa26b9835bd091e163461528a |
| SHA1 | 817245fd0d7a9a47c21ab19543eba8a9f1f6c542 |
| SHA256 | a9aa8f9c8f30fdc984d91b7c460fea742e35c49bff5cb89417ccd8c0a36012b1 |
| SHA512 | 5d969daacf01b187518d4bd4150c74139a9c20e9a174c011f78faa0fb1f79b82b2312dee3ab9457b68733343eb6c11d0ef13d2858b4051996884cb657d1dc1db |
memory/2208-79-0x00007FF6FDF30000-0x00007FF6FE284000-memory.dmp
memory/3960-69-0x00007FF7932E0000-0x00007FF793634000-memory.dmp
memory/2520-67-0x00007FF7F3920000-0x00007FF7F3C74000-memory.dmp
memory/464-53-0x00007FF749F50000-0x00007FF74A2A4000-memory.dmp
memory/2776-130-0x00007FF768710000-0x00007FF768A64000-memory.dmp
memory/4524-131-0x00007FF74B2C0000-0x00007FF74B614000-memory.dmp
memory/4388-132-0x00007FF7A5740000-0x00007FF7A5A94000-memory.dmp
memory/324-133-0x00007FF61D190000-0x00007FF61D4E4000-memory.dmp
memory/4612-135-0x00007FF694D80000-0x00007FF6950D4000-memory.dmp
memory/1988-136-0x00007FF790D20000-0x00007FF791074000-memory.dmp
memory/2208-134-0x00007FF6FDF30000-0x00007FF6FE284000-memory.dmp
memory/2244-137-0x00007FF7BD0E0000-0x00007FF7BD434000-memory.dmp
memory/1448-138-0x00007FF756860000-0x00007FF756BB4000-memory.dmp
memory/5032-139-0x00007FF75D880000-0x00007FF75DBD4000-memory.dmp
memory/5108-141-0x00007FF635A80000-0x00007FF635DD4000-memory.dmp
memory/5012-140-0x00007FF741BD0000-0x00007FF741F24000-memory.dmp
memory/3216-142-0x00007FF698280000-0x00007FF6985D4000-memory.dmp
memory/2036-143-0x00007FF7CFE60000-0x00007FF7D01B4000-memory.dmp
memory/4628-144-0x00007FF6078D0000-0x00007FF607C24000-memory.dmp
memory/1832-146-0x00007FF7B53D0000-0x00007FF7B5724000-memory.dmp
memory/4524-145-0x00007FF74B2C0000-0x00007FF74B614000-memory.dmp
memory/2708-147-0x00007FF75AF90000-0x00007FF75B2E4000-memory.dmp
memory/4388-148-0x00007FF7A5740000-0x00007FF7A5A94000-memory.dmp
memory/464-149-0x00007FF749F50000-0x00007FF74A2A4000-memory.dmp
memory/324-150-0x00007FF61D190000-0x00007FF61D4E4000-memory.dmp
memory/3960-151-0x00007FF7932E0000-0x00007FF793634000-memory.dmp
memory/4612-152-0x00007FF694D80000-0x00007FF6950D4000-memory.dmp
memory/2208-153-0x00007FF6FDF30000-0x00007FF6FE284000-memory.dmp
memory/1448-154-0x00007FF756860000-0x00007FF756BB4000-memory.dmp
memory/3936-155-0x00007FF74D260000-0x00007FF74D5B4000-memory.dmp
memory/3064-157-0x00007FF710B70000-0x00007FF710EC4000-memory.dmp
memory/1988-158-0x00007FF790D20000-0x00007FF791074000-memory.dmp
memory/5032-156-0x00007FF75D880000-0x00007FF75DBD4000-memory.dmp
memory/2244-159-0x00007FF7BD0E0000-0x00007FF7BD434000-memory.dmp
memory/2776-160-0x00007FF768710000-0x00007FF768A64000-memory.dmp
memory/5108-161-0x00007FF635A80000-0x00007FF635DD4000-memory.dmp
memory/5012-162-0x00007FF741BD0000-0x00007FF741F24000-memory.dmp