Analysis Overview
SHA256
6c346143928bb8d6ebdab335cdc17403286288887c222dc5d8f6987f1dc749b9
Threat Level: Known bad
The file 2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobaltstrike family
Xmrig family
UPX dump on OEP (original entry point)
xmrig
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-01 15:33
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 15:33
Reported
2024-06-01 15:36
Platform
win7-20240221-en
Max time kernel
148s
Max time network
155s
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\onEAcHk.exe | N/A |
| N/A | N/A | C:\Windows\System\wSFrBth.exe | N/A |
| N/A | N/A | C:\Windows\System\iScmToK.exe | N/A |
| N/A | N/A | C:\Windows\System\xiGMMxf.exe | N/A |
| N/A | N/A | C:\Windows\System\ZmRjiiN.exe | N/A |
| N/A | N/A | C:\Windows\System\IEoHnfJ.exe | N/A |
| N/A | N/A | C:\Windows\System\kzXnPGa.exe | N/A |
| N/A | N/A | C:\Windows\System\Wnepmcv.exe | N/A |
| N/A | N/A | C:\Windows\System\ANcSoLJ.exe | N/A |
| N/A | N/A | C:\Windows\System\icMsxmH.exe | N/A |
| N/A | N/A | C:\Windows\System\xvJFBlk.exe | N/A |
| N/A | N/A | C:\Windows\System\QPIVwhm.exe | N/A |
| N/A | N/A | C:\Windows\System\GYtJzyb.exe | N/A |
| N/A | N/A | C:\Windows\System\VyTKblV.exe | N/A |
| N/A | N/A | C:\Windows\System\kHqoUcw.exe | N/A |
| N/A | N/A | C:\Windows\System\SXIJfli.exe | N/A |
| N/A | N/A | C:\Windows\System\QBQFcSp.exe | N/A |
| N/A | N/A | C:\Windows\System\BdKDirX.exe | N/A |
| N/A | N/A | C:\Windows\System\TxjnLdg.exe | N/A |
| N/A | N/A | C:\Windows\System\KsOFudn.exe | N/A |
| N/A | N/A | C:\Windows\System\DbnwdaH.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\onEAcHk.exe | C:\Windows\System\onEAcHk.exe |
| C:\Windows\System\wSFrBth.exe | C:\Windows\System\wSFrBth.exe |
| C:\Windows\System\iScmToK.exe | C:\Windows\System\iScmToK.exe |
| C:\Windows\System\xiGMMxf.exe | C:\Windows\System\xiGMMxf.exe |
| C:\Windows\System\ZmRjiiN.exe | C:\Windows\System\ZmRjiiN.exe |
| C:\Windows\System\IEoHnfJ.exe | C:\Windows\System\IEoHnfJ.exe |
| C:\Windows\System\kzXnPGa.exe | C:\Windows\System\kzXnPGa.exe |
| C:\Windows\System\Wnepmcv.exe | C:\Windows\System\Wnepmcv.exe |
| C:\Windows\System\ANcSoLJ.exe | C:\Windows\System\ANcSoLJ.exe |
| C:\Windows\System\icMsxmH.exe | C:\Windows\System\icMsxmH.exe |
| C:\Windows\System\xvJFBlk.exe | C:\Windows\System\xvJFBlk.exe |
| C:\Windows\System\QPIVwhm.exe | C:\Windows\System\QPIVwhm.exe |
| C:\Windows\System\GYtJzyb.exe | C:\Windows\System\GYtJzyb.exe |
| C:\Windows\System\VyTKblV.exe | C:\Windows\System\VyTKblV.exe |
| C:\Windows\System\kHqoUcw.exe | C:\Windows\System\kHqoUcw.exe |
| C:\Windows\System\SXIJfli.exe | C:\Windows\System\SXIJfli.exe |
| C:\Windows\System\QBQFcSp.exe | C:\Windows\System\QBQFcSp.exe |
| C:\Windows\System\BdKDirX.exe | C:\Windows\System\BdKDirX.exe |
| C:\Windows\System\TxjnLdg.exe | C:\Windows\System\TxjnLdg.exe |
| C:\Windows\System\KsOFudn.exe | C:\Windows\System\KsOFudn.exe |
| C:\Windows\System\DbnwdaH.exe | C:\Windows\System\DbnwdaH.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 15:33
Reported
2024-06-01 15:36
Platform
win10v2004-20240426-en
Max time kernel
137s
Max time network
146s
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\YdjrDle.exe | N/A |
| N/A | N/A | C:\Windows\System\Orlkqhk.exe | N/A |
| N/A | N/A | C:\Windows\System\fPgfufm.exe | N/A |
| N/A | N/A | C:\Windows\System\GbGvMOr.exe | N/A |
| N/A | N/A | C:\Windows\System\oroRfuX.exe | N/A |
| N/A | N/A | C:\Windows\System\ptrQNTs.exe | N/A |
| N/A | N/A | C:\Windows\System\vuteDVw.exe | N/A |
| N/A | N/A | C:\Windows\System\gvsBttc.exe | N/A |
| N/A | N/A | C:\Windows\System\yEKnbJH.exe | N/A |
| N/A | N/A | C:\Windows\System\KimlEJS.exe | N/A |
| N/A | N/A | C:\Windows\System\iYFJGaJ.exe | N/A |
| N/A | N/A | C:\Windows\System\ZxdhkaF.exe | N/A |
| N/A | N/A | C:\Windows\System\aiICmOd.exe | N/A |
| N/A | N/A | C:\Windows\System\sPkMotd.exe | N/A |
| N/A | N/A | C:\Windows\System\FaWIcQp.exe | N/A |
| N/A | N/A | C:\Windows\System\RtehfYk.exe | N/A |
| N/A | N/A | C:\Windows\System\tpXWOHg.exe | N/A |
| N/A | N/A | C:\Windows\System\HoVwlnn.exe | N/A |
| N/A | N/A | C:\Windows\System\hBqkqfj.exe | N/A |
| N/A | N/A | C:\Windows\System\vCALUvX.exe | N/A |
| N/A | N/A | C:\Windows\System\yzIByfT.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\YdjrDle.exe | C:\Windows\System\YdjrDle.exe |
| C:\Windows\System\Orlkqhk.exe | C:\Windows\System\Orlkqhk.exe |
| C:\Windows\System\fPgfufm.exe | C:\Windows\System\fPgfufm.exe |
| C:\Windows\System\GbGvMOr.exe | C:\Windows\System\GbGvMOr.exe |
| C:\Windows\System\oroRfuX.exe | C:\Windows\System\oroRfuX.exe |
| C:\Windows\System\ptrQNTs.exe | C:\Windows\System\ptrQNTs.exe |
| C:\Windows\System\vuteDVw.exe | C:\Windows\System\vuteDVw.exe |
| C:\Windows\System\gvsBttc.exe | C:\Windows\System\gvsBttc.exe |
| C:\Windows\System\yEKnbJH.exe | C:\Windows\System\yEKnbJH.exe |
| C:\Windows\System\KimlEJS.exe | C:\Windows\System\KimlEJS.exe |
| C:\Windows\System\iYFJGaJ.exe | C:\Windows\System\iYFJGaJ.exe |
| C:\Windows\System\ZxdhkaF.exe | C:\Windows\System\ZxdhkaF.exe |
| C:\Windows\System\aiICmOd.exe | C:\Windows\System\aiICmOd.exe |
| C:\Windows\System\sPkMotd.exe | C:\Windows\System\sPkMotd.exe |
| C:\Windows\System\FaWIcQp.exe | C:\Windows\System\FaWIcQp.exe |
| C:\Windows\System\RtehfYk.exe | C:\Windows\System\RtehfYk.exe |
| C:\Windows\System\tpXWOHg.exe | C:\Windows\System\tpXWOHg.exe |
| C:\Windows\System\HoVwlnn.exe | C:\Windows\System\HoVwlnn.exe |
| C:\Windows\System\hBqkqfj.exe | C:\Windows\System\hBqkqfj.exe |
| C:\Windows\System\vCALUvX.exe | C:\Windows\System\vCALUvX.exe |
| C:\Windows\System\yzIByfT.exe | C:\Windows\System\yzIByfT.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1432-0-0x00007FF705EE0000-0x00007FF706234000-memory.dmp
memory/1432-1-0x0000020E8A970000-0x0000020E8A980000-memory.dmp
C:\Windows\System\YdjrDle.exe
| MD5 | 396e1e7c1ea486a7f8cf509641c7bc2c |
| SHA1 | ca3bf5b9880ca7793665e56214e747f6b468a070 |
| SHA256 | 1abe987baf5ffcbaf0b4e60e34bae14641e82893c940899e8b69316e4f40dd93 |
| SHA512 | e6a87e7a6e7adabcaa37825342f9c80ec25e4a63d0994cb217a47f11246306256c1a57b946011fe16d4ed2776a9969179261ee1b335f9e43bee62e315d820af8 |
memory/4104-7-0x00007FF608A50000-0x00007FF608DA4000-memory.dmp
C:\Windows\System\Orlkqhk.exe
| MD5 | 2ed13a93b2bea7c88c650fa2f8315ec1 |
| SHA1 | 1d4c6f74ea75061849ceb2933f50ccd0c14afc8d |
| SHA256 | 1a0d2e84e1ebceaeec3403251d0d42c058fd2639b1114ff847e81821b8e6e219 |
| SHA512 | 3a055795a647adc295ecaaa08adfd5304d6104be0a157483aaf413c35f1a5950ad5595a1eadf9db8172d2ef8e1c0c7fe4a69f0d6ebd1eab0fe26cd870778ab49 |
C:\Windows\System\fPgfufm.exe
| MD5 | 7845a60597d70a14617bc646b30e2a93 |
| SHA1 | c99d01de716d6ab8546f0190bdacbea003b93c5a |
| SHA256 | 73420af31a0e1512100151d24ecda17ac01f19f056a1fa2f480535a0cde5e4ac |
| SHA512 | 5f0d6470c47ff13d4fd2a46178a568913fba50ed69f6aa5d3c46c6bbe00976f1442a67acb9a94edfd0468bc1a3514795d633b52b4ec36adfc30d13b85b6688ec |
memory/3840-13-0x00007FF668FA0000-0x00007FF6692F4000-memory.dmp
C:\Windows\System\GbGvMOr.exe
| MD5 | 6c66b881a53e9a91c87990c365b37321 |
| SHA1 | a17e0beeed055e72642e1c9bedcebc0939c34341 |
| SHA256 | fa4f922417bd767ace46af79482880407a1c903627f7861871f8cb5aa6ed9e85 |
| SHA512 | 8f6d94a8271374c9deccea0a2e04e0ffc3ee971039d52df7ed75858a3724ad5d203be8ff4ab841b957856abceff6c548b49c9931fd42bcbe747ddad9d5ead3f3 |
memory/2976-20-0x00007FF609800000-0x00007FF609B54000-memory.dmp
memory/2168-26-0x00007FF619300000-0x00007FF619654000-memory.dmp
C:\Windows\System\oroRfuX.exe
| MD5 | fd7674147f5b133d6a16d8f211f93ece |
| SHA1 | ce2b2a69fb85ed842df3096d9cd6a0521a6ba1c9 |
| SHA256 | b40ecd13992b680f0cf1c9f92660d452c90b182eaf9fa85b45552c5035c6aba0 |
| SHA512 | 02f8bbdd70202d51b3b90ee7d72ef03af315a233789877cbb0716c507f8833dfefb2d028799807a9b8291d618032bb99ce0d1d5e2fc1fb20317fad8ab3e1fdc9 |
memory/2460-32-0x00007FF7CC240000-0x00007FF7CC594000-memory.dmp
C:\Windows\System\ptrQNTs.exe
| MD5 | b95dcc10281d629e1256ad42d30a79ca |
| SHA1 | be261387d1baaee224c3fe307f798f643da1f80e |
| SHA256 | 0b394308cdde061b6d6e591729dbe9b67c67b472455dd630c0044c7360da2c9b |
| SHA512 | c9121988922b39541bff4411e77e0e6c4f7b6318dc19af86778587b52f21c2f0b73c59b60c45f4bc14dd6c1be2a8a319abd221e44333a067ee9625fa9dd0a6a4 |
C:\Windows\System\vuteDVw.exe
| MD5 | 70035995e9daedd7cb8688f89855f96b |
| SHA1 | 27d4b8e915a888f820d6c57247aa4d395ff604bb |
| SHA256 | 7532f8da172a05eb040bdef3e13746490713c92fb17cf37195a5687b06e09497 |
| SHA512 | c72ad4bc9e383830598afbc825df3a94d4e6ee382acb99bdbc1d05e375ba74ea2afac90d564ffbb7a1879385abf50d2d5dde2a7dcd2605bf75de1a2b4cd6c231 |
memory/2904-38-0x00007FF765C40000-0x00007FF765F94000-memory.dmp
C:\Windows\System\gvsBttc.exe
| MD5 | f97330215f354d65453b579b60607cb6 |
| SHA1 | 6f758d6137452753e6ccd1863da0b04c4e52eb78 |
| SHA256 | bdbbbcb6e58e2c950f0cb09b7cc1eef9f81c473c1aa452dd20881b36e5ff9a8f |
| SHA512 | e9e701f95f95e6e03c95523f32ebd73ab7212ee88282d540de7528cb5c3149979f0af313c794e7cf5b281c5333d8414d1db82931b43f48ce307835253134c69c |
memory/1424-44-0x00007FF64E1E0000-0x00007FF64E534000-memory.dmp
memory/3248-50-0x00007FF601FD0000-0x00007FF602324000-memory.dmp
C:\Windows\System\yEKnbJH.exe
| MD5 | f3a9457e224aaadd294dc17293833ed8 |
| SHA1 | a2c6115e4fa2fe107b6683b2045f85c768844541 |
| SHA256 | 623e6d1925a2882399bb177734d4349c1a2301eeff2a805fb57cbc29a01bf980 |
| SHA512 | ee2480e8207079e6c7ef41b095a2ce6e666dff2801f0a06fead8ba730f247b4c1648373f9ab71a418def693b989606448a2c4331c24c34a36cbb90635ffe6112 |
memory/2000-56-0x00007FF66BAE0000-0x00007FF66BE34000-memory.dmp
C:\Windows\System\KimlEJS.exe
| MD5 | 5b8c66a4dd8de77e2f215b1d2e45891c |
| SHA1 | 36f4199a28eda1832821e5f61bbfd925a05edecc |
| SHA256 | 4a35d2acb2241de69995d1f4c02174702bc4b179aad2ed4a5410142e2a282fb8 |
| SHA512 | 21dfe98239f846d8afedff3eae246c4fc32e5e3501e4b5b437fad53a638cde8489d8d890098fccabccfd0ae82401d431c437c64a11fdfb26348dd13ef410185d |
C:\Windows\System\iYFJGaJ.exe
| MD5 | 2ce54f363e0ba97dc03f8e104fa6cc47 |
| SHA1 | 80205c2fdfd22adec7d12325aae0d16e4aaf6f5f |
| SHA256 | c5784c43fb0546e8e6029da3678c317e41a30c9d454a1bbc3984944c63970be0 |
| SHA512 | 0c0a7a2849bc0460158481699f6c214f09a896addbc96e3dde3cfbf6e2be6dfb67c025f59962b169a10c3e05e6e14faac4841042d926aca9ac9aae95d6e34c3a |
memory/4140-65-0x00007FF7B2600000-0x00007FF7B2954000-memory.dmp
memory/1432-64-0x00007FF705EE0000-0x00007FF706234000-memory.dmp
memory/1640-73-0x00007FF7EF460000-0x00007FF7EF7B4000-memory.dmp
memory/3840-74-0x00007FF668FA0000-0x00007FF6692F4000-memory.dmp
C:\Windows\System\aiICmOd.exe
| MD5 | f4e7a0dbd713d2313d1ac7d17c3ad250 |
| SHA1 | 2ec902fe906ce18457c07d3273881c2e173ed106 |
| SHA256 | be6c2a732cbcc7a9dcef060e619082359d0b860b8cce03dfa7c6f31a38bad13d |
| SHA512 | 35351b821a08147b07ba7c63d0c08a706624002168dc4a8615b2b265390b2af01958130449aebb5d1b04bf86902165258aee7f69f54ab2cf526ac7170c11ff88 |
memory/424-77-0x00007FF629C60000-0x00007FF629FB4000-memory.dmp
C:\Windows\System\ZxdhkaF.exe
| MD5 | 1d1a8f9a1508203e225c9ba22cc59f71 |
| SHA1 | 04153775780ca42487810eb1afb78ceb4fda2be6 |
| SHA256 | 036b9fcb07d4c2a643ae145a855da2fc59a7a9e8028bf77bc86ffbda1f726663 |
| SHA512 | 85e4e346c4881039fcccac4b2046a9914339a76f41c9bc706a29358aee01ddc404513e561acb652f6c4b14366bb7d5ad06cb81847d0bc3aee4f0089eea0f3d2e |
memory/4104-69-0x00007FF608A50000-0x00007FF608DA4000-memory.dmp
memory/1016-84-0x00007FF7F6A90000-0x00007FF7F6DE4000-memory.dmp
memory/2976-83-0x00007FF609800000-0x00007FF609B54000-memory.dmp
C:\Windows\System\sPkMotd.exe
| MD5 | 25f2d33aca28cf72a90949ecd85ad57c |
| SHA1 | ce7908d3a7effd8e92c2485fc7d470514a3f9801 |
| SHA256 | bb999d2d297636a4545b37479f789306696c4c41c596951893a1c1839715ec81 |
| SHA512 | dda86d3142c549eaea25c0f71f624d7ffcb1b54413b04d3eaae9033916b89a40aeb20d0d86e907ddc302e363c03fbcd6157d01b5d94d2ffe4057d92fdfff08af |
C:\Windows\System\FaWIcQp.exe
| MD5 | d9d1c19817137b732101d533841ba96d |
| SHA1 | ce753982f616949e3fd4a6ed9124262f7c5dbc7e |
| SHA256 | 99b70dddae434166d6ab0e8bd0dc0ba0d701aba49533c93804b58f3beda70b69 |
| SHA512 | 4a370ddc010e888adacc56ecba8bec52dabd8131148afa704da2adcf59d51fe624d909f2cdeaefe9ea1c3497bbdc4dd67ce01a22855d0aac72a314a30ac7be3d |
memory/5036-94-0x00007FF7A3D80000-0x00007FF7A40D4000-memory.dmp
memory/1260-90-0x00007FF7CF500000-0x00007FF7CF854000-memory.dmp
C:\Windows\System\RtehfYk.exe
| MD5 | 3611e2c4831d9e5583de06d7222c9723 |
| SHA1 | a026fb005d4923edaa374c3df3b2bb0dca7466cd |
| SHA256 | a3be59286aee0e7fbb2739f3379b900e3530dda4806225430c0caacadd2668ec |
| SHA512 | 1bbaf80e7811876b67a09ea48db1d371f3461932cefa2a7e9cd95dc18d916e2e3041d472e1d0f95ed4a85508eba23b1c86baa9793b562b2331861b2302f58af0 |
memory/1700-102-0x00007FF7D3950000-0x00007FF7D3CA4000-memory.dmp
C:\Windows\System\tpXWOHg.exe
| MD5 | 2b2ca285e9c99f57ec688186ac610b69 |
| SHA1 | 692edadc9a120729cafabddca37cbd9ba596d4c4 |
| SHA256 | 63ef00941db9253251f2c51fcb978623e5aac9eb01fe0fc9f9aa35f73d74a787 |
| SHA512 | 28cb3589ec26b12cc4b3e4683066d4f19cbbc30d86c56ca5fccfb9810ecd373c8c9dc5c65bcc787c5b03ad1206c2873ee0e171edf7f4841228b359bb6af965ea |
C:\Windows\System\HoVwlnn.exe
| MD5 | c5161d9c7e77c71d94aceda7c3ba8d31 |
| SHA1 | ccc62e756ea14bb94704adb9f845916f17ac4b53 |
| SHA256 | 6a977669dfea8705f84a08a4b4318f1589938c644b88ee6a38ee0fa7fe07abfd |
| SHA512 | 1c3b0143b1d5702851a31aa1b516ef7e828042d8b545ece309ac46e7a51b322e45736096bb4b7a2792e33c5007e200f95e08f056f3119dc4e854a3890a43e9f8 |
memory/748-111-0x00007FF7CC680000-0x00007FF7CC9D4000-memory.dmp
C:\Windows\System\hBqkqfj.exe
| MD5 | d432db5f0269b3b18b060714b81eb3f8 |
| SHA1 | 2b44b51495e64299ff78e5b45f6b7de25f48b7dd |
| SHA256 | dbf595ca56162f118123852b1445b29693ef2f744fa6851b23509017d29f1b17 |
| SHA512 | 7acd76d70acc8d18659e2a12ef6f3160b6ba47eb5654ddb481eb9ab0f76ec097db6656e4b8a786fa44330aeaa00a0f4daaa4ead6c48726c48de0613986b23b22 |
memory/4372-110-0x00007FF7C06B0000-0x00007FF7C0A04000-memory.dmp
memory/5092-120-0x00007FF6AF730000-0x00007FF6AFA84000-memory.dmp
C:\Windows\System\vCALUvX.exe
| MD5 | 3bf7e2ccfe1e8a93050b0b3151c47a82 |
| SHA1 | bf6d52b5a84b60ad3ad817f5a3a6885bc996fe83 |
| SHA256 | 8ae8ad8a5f7cfae88512947af7333eb7de916a6b6e43f97c853c0a2c1dec53e3 |
| SHA512 | 68b8689e0f8de99535ca1b0686f45c0bc039fb2462cc60c5573d296f0a1d23e74f9d9514e5daf79dbed0c2dfe435b906a51d084d0e9c9fb61f4852c2b70df70f |
memory/3372-132-0x00007FF7FDF00000-0x00007FF7FE254000-memory.dmp
C:\Windows\System\yzIByfT.exe
| MD5 | 744e35eb8677208a7f443e14d250e89f |
| SHA1 | 8f51257952d31f43ad1ce6a2aef3131d747d5579 |
| SHA256 | 7fbbbd0b01e48bb122c1cd794dd72c48acc2d93c7ceb5211f0a675d16a3d78e6 |
| SHA512 | f0ae1042bac54b09eb03924fdb471c44317757e5e137cc52d6176802c4734a1ffc89caf7a1c19f0cb5fb022c3f699bfd1589e13c5061f83dbe2ba257e69db82c |
memory/1128-127-0x00007FF6B7860000-0x00007FF6B7BB4000-memory.dmp
memory/1640-126-0x00007FF7EF460000-0x00007FF7EF7B4000-memory.dmp
memory/5036-133-0x00007FF7A3D80000-0x00007FF7A40D4000-memory.dmp
memory/748-134-0x00007FF7CC680000-0x00007FF7CC9D4000-memory.dmp
memory/4104-135-0x00007FF608A50000-0x00007FF608DA4000-memory.dmp
memory/3840-136-0x00007FF668FA0000-0x00007FF6692F4000-memory.dmp
memory/2976-137-0x00007FF609800000-0x00007FF609B54000-memory.dmp
memory/2168-138-0x00007FF619300000-0x00007FF619654000-memory.dmp
memory/2460-139-0x00007FF7CC240000-0x00007FF7CC594000-memory.dmp
memory/2904-140-0x00007FF765C40000-0x00007FF765F94000-memory.dmp
memory/1424-141-0x00007FF64E1E0000-0x00007FF64E534000-memory.dmp
memory/3248-142-0x00007FF601FD0000-0x00007FF602324000-memory.dmp
memory/2000-143-0x00007FF66BAE0000-0x00007FF66BE34000-memory.dmp
memory/4140-144-0x00007FF7B2600000-0x00007FF7B2954000-memory.dmp
memory/424-145-0x00007FF629C60000-0x00007FF629FB4000-memory.dmp
memory/1640-146-0x00007FF7EF460000-0x00007FF7EF7B4000-memory.dmp
memory/1016-147-0x00007FF7F6A90000-0x00007FF7F6DE4000-memory.dmp
memory/1260-148-0x00007FF7CF500000-0x00007FF7CF854000-memory.dmp
memory/5036-149-0x00007FF7A3D80000-0x00007FF7A40D4000-memory.dmp
memory/1700-150-0x00007FF7D3950000-0x00007FF7D3CA4000-memory.dmp
memory/4372-151-0x00007FF7C06B0000-0x00007FF7C0A04000-memory.dmp
memory/748-152-0x00007FF7CC680000-0x00007FF7CC9D4000-memory.dmp
memory/5092-153-0x00007FF6AF730000-0x00007FF6AFA84000-memory.dmp
memory/1128-154-0x00007FF6B7860000-0x00007FF6B7BB4000-memory.dmp
memory/3372-155-0x00007FF7FDF00000-0x00007FF7FE254000-memory.dmp