Analysis Overview
SHA256
a09fca934447ed0d9adfb3dce7c09b977eea76b545693e59c8147cc02fdcf5bc
Threat Level: Known bad
The file 2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Xmrig family
Cobalt Strike reflective loader
xmrig
Cobaltstrike
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 17:09
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 17:09
Reported
2024-06-01 17:11
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\BpdIlWS.exe | N/A |
| N/A | N/A | C:\Windows\System\SHBpDsT.exe | N/A |
| N/A | N/A | C:\Windows\System\jiLeNRV.exe | N/A |
| N/A | N/A | C:\Windows\System\IvhpLsv.exe | N/A |
| N/A | N/A | C:\Windows\System\yarXqBo.exe | N/A |
| N/A | N/A | C:\Windows\System\ReNIctR.exe | N/A |
| N/A | N/A | C:\Windows\System\EkEAEat.exe | N/A |
| N/A | N/A | C:\Windows\System\xtEsFQk.exe | N/A |
| N/A | N/A | C:\Windows\System\HFpVRTm.exe | N/A |
| N/A | N/A | C:\Windows\System\ZQHyMPR.exe | N/A |
| N/A | N/A | C:\Windows\System\pHGdVcQ.exe | N/A |
| N/A | N/A | C:\Windows\System\FnvzmZW.exe | N/A |
| N/A | N/A | C:\Windows\System\HXDZKRa.exe | N/A |
| N/A | N/A | C:\Windows\System\kswGPrY.exe | N/A |
| N/A | N/A | C:\Windows\System\RnKMBxP.exe | N/A |
| N/A | N/A | C:\Windows\System\SgSyKvL.exe | N/A |
| N/A | N/A | C:\Windows\System\HuPKthf.exe | N/A |
| N/A | N/A | C:\Windows\System\RfTeOaB.exe | N/A |
| N/A | N/A | C:\Windows\System\ODSlFrK.exe | N/A |
| N/A | N/A | C:\Windows\System\rNJttqv.exe | N/A |
| N/A | N/A | C:\Windows\System\EwmWNpc.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\BpdIlWS.exe | C:\Windows\System\BpdIlWS.exe |
| C:\Windows\System\SHBpDsT.exe | C:\Windows\System\SHBpDsT.exe |
| C:\Windows\System\jiLeNRV.exe | C:\Windows\System\jiLeNRV.exe |
| C:\Windows\System\IvhpLsv.exe | C:\Windows\System\IvhpLsv.exe |
| C:\Windows\System\yarXqBo.exe | C:\Windows\System\yarXqBo.exe |
| C:\Windows\System\ReNIctR.exe | C:\Windows\System\ReNIctR.exe |
| C:\Windows\System\EkEAEat.exe | C:\Windows\System\EkEAEat.exe |
| C:\Windows\System\xtEsFQk.exe | C:\Windows\System\xtEsFQk.exe |
| C:\Windows\System\HFpVRTm.exe | C:\Windows\System\HFpVRTm.exe |
| C:\Windows\System\ZQHyMPR.exe | C:\Windows\System\ZQHyMPR.exe |
| C:\Windows\System\pHGdVcQ.exe | C:\Windows\System\pHGdVcQ.exe |
| C:\Windows\System\FnvzmZW.exe | C:\Windows\System\FnvzmZW.exe |
| C:\Windows\System\HXDZKRa.exe | C:\Windows\System\HXDZKRa.exe |
| C:\Windows\System\kswGPrY.exe | C:\Windows\System\kswGPrY.exe |
| C:\Windows\System\RnKMBxP.exe | C:\Windows\System\RnKMBxP.exe |
| C:\Windows\System\SgSyKvL.exe | C:\Windows\System\SgSyKvL.exe |
| C:\Windows\System\HuPKthf.exe | C:\Windows\System\HuPKthf.exe |
| C:\Windows\System\RfTeOaB.exe | C:\Windows\System\RfTeOaB.exe |
| C:\Windows\System\ODSlFrK.exe | C:\Windows\System\ODSlFrK.exe |
| C:\Windows\System\rNJttqv.exe | C:\Windows\System\rNJttqv.exe |
| C:\Windows\System\EwmWNpc.exe | C:\Windows\System\EwmWNpc.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 17:09
Reported
2024-06-01 17:11
Platform
win7-20240419-en
Max time kernel
144s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\yEBdTvZ.exe | N/A |
| N/A | N/A | C:\Windows\System\GQHpBJe.exe | N/A |
| N/A | N/A | C:\Windows\System\AqkzwGR.exe | N/A |
| N/A | N/A | C:\Windows\System\inveqQK.exe | N/A |
| N/A | N/A | C:\Windows\System\PNjUGME.exe | N/A |
| N/A | N/A | C:\Windows\System\hzucUUt.exe | N/A |
| N/A | N/A | C:\Windows\System\uHHXMkk.exe | N/A |
| N/A | N/A | C:\Windows\System\emTwIOH.exe | N/A |
| N/A | N/A | C:\Windows\System\FUxGlBk.exe | N/A |
| N/A | N/A | C:\Windows\System\NqqpDLo.exe | N/A |
| N/A | N/A | C:\Windows\System\TnaNihV.exe | N/A |
| N/A | N/A | C:\Windows\System\FNAIGrf.exe | N/A |
| N/A | N/A | C:\Windows\System\BOnFqMo.exe | N/A |
| N/A | N/A | C:\Windows\System\IfqbJUJ.exe | N/A |
| N/A | N/A | C:\Windows\System\IHWIuOM.exe | N/A |
| N/A | N/A | C:\Windows\System\TIhBHok.exe | N/A |
| N/A | N/A | C:\Windows\System\qtJbXMs.exe | N/A |
| N/A | N/A | C:\Windows\System\UiofGBv.exe | N/A |
| N/A | N/A | C:\Windows\System\deaYOZt.exe | N/A |
| N/A | N/A | C:\Windows\System\cVbPxtq.exe | N/A |
| N/A | N/A | C:\Windows\System\sCfHGeL.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\yEBdTvZ.exe
C:\Windows\System\yEBdTvZ.exe
C:\Windows\System\GQHpBJe.exe
C:\Windows\System\GQHpBJe.exe
C:\Windows\System\AqkzwGR.exe
C:\Windows\System\AqkzwGR.exe
C:\Windows\System\inveqQK.exe
C:\Windows\System\inveqQK.exe
C:\Windows\System\hzucUUt.exe
C:\Windows\System\hzucUUt.exe
C:\Windows\System\PNjUGME.exe
C:\Windows\System\PNjUGME.exe
C:\Windows\System\uHHXMkk.exe
C:\Windows\System\uHHXMkk.exe
C:\Windows\System\emTwIOH.exe
C:\Windows\System\emTwIOH.exe
C:\Windows\System\FUxGlBk.exe
C:\Windows\System\FUxGlBk.exe
C:\Windows\System\NqqpDLo.exe
C:\Windows\System\NqqpDLo.exe
C:\Windows\System\TnaNihV.exe
C:\Windows\System\TnaNihV.exe
C:\Windows\System\FNAIGrf.exe
C:\Windows\System\FNAIGrf.exe
C:\Windows\System\BOnFqMo.exe
C:\Windows\System\BOnFqMo.exe
C:\Windows\System\IfqbJUJ.exe
C:\Windows\System\IfqbJUJ.exe
C:\Windows\System\TIhBHok.exe
C:\Windows\System\TIhBHok.exe
C:\Windows\System\IHWIuOM.exe
C:\Windows\System\IHWIuOM.exe
C:\Windows\System\qtJbXMs.exe
C:\Windows\System\qtJbXMs.exe
C:\Windows\System\UiofGBv.exe
C:\Windows\System\UiofGBv.exe
C:\Windows\System\deaYOZt.exe
C:\Windows\System\deaYOZt.exe
C:\Windows\System\cVbPxtq.exe
C:\Windows\System\cVbPxtq.exe
C:\Windows\System\sCfHGeL.exe
C:\Windows\System\sCfHGeL.exe
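The behavior above (the dropper writes a burst of seven-letter executables into C:\Windows\System, launches each one, and enables SeLockMemoryPrivilege) is the kind of pattern a detection can key on independently of the file hashes. The following Python is an added example written for this page, not sandbox output and not code from the sample: it runs two checks over constructed process-creation and token events that mirror the report (the telemetry schema and the PIDs are assumptions; the image paths and the privilege name come from the report).

```python
import re
from collections import defaultdict

# Hypothetical telemetry schema, not the sandbox's: one dict per event. "process"
# events carry pid/ppid/image; "privilege" events carry the token privilege enabled.
# The records are constructed to mirror the report: the dropper launches several
# seven-letter executables from C:\Windows\System and enables SeLockMemoryPrivilege.
# PIDs are made up; only the image paths and the privilege name come from the report.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe")

SAMPLE_EVENTS = [
    {"type": "process", "pid": 2392, "ppid": 1000, "image": DROPPER},
    {"type": "privilege", "pid": 2392, "image": DROPPER, "privilege": "SeLockMemoryPrivilege"},
    {"type": "process", "pid": 2916, "ppid": 2392, "image": r"C:\Windows\System\yEBdTvZ.exe"},
    {"type": "process", "pid": 2224, "ppid": 2392, "image": r"C:\Windows\System\GQHpBJe.exe"},
    {"type": "process", "pid": 2820, "ppid": 2392, "image": r"C:\Windows\System\AqkzwGR.exe"},
    {"type": "process", "pid": 2440, "ppid": 2392, "image": r"C:\Windows\System\inveqQK.exe"},
    # Benign noise: a normal service host, which enables a different privilege.
    {"type": "process", "pid": 4100, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "privilege", "pid": 4100, "image": r"C:\Windows\System32\svchost.exe",
     "privilege": "SeDebugPrivilege"},
]

# C:\Windows\System (not System32) is a legacy directory; a freshly written
# executable with a random seven-letter name there is the pattern in this report.
RANDOM_SYSTEM_EXE = re.compile(r"^[A-Za-z]:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def is_random_system_exe(path: str) -> bool:
    """True when the image path matches the dropped-file naming seen in the report."""
    return RANDOM_SYSTEM_EXE.match(path) is not None


def dropper_chains(events, min_children: int = 3) -> dict:
    """Map each parent image to the random-named children it launched, keeping only
    parents that spawned at least min_children of them (one dropped file on its own
    is weak evidence; a burst of them from one parent is the dropper signature)."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    children = defaultdict(list)
    for e in events:
        if e["type"] == "process" and is_random_system_exe(e["image"]):
            parent = image_by_pid.get(e["ppid"], f"pid:{e['ppid']}")
            children[parent].append(e["image"])
    return {parent: kids for parent, kids in children.items() if len(kids) >= min_children}


def lock_memory_requesters(events) -> list:
    """Images that enabled SeLockMemoryPrivilege. XMRig asks for it to back its
    RandomX dataset with large pages, so it is a useful miner indicator on hosts
    where no database or hypervisor legitimately needs the privilege."""
    seen = []
    for e in events:
        if (e["type"] == "privilege" and e["privilege"] == "SeLockMemoryPrivilege"
                and e["image"] not in seen):
            seen.append(e["image"])
    return seen


def triage(events) -> list:
    """Combine both signals into alert lines an analyst can read."""
    alerts = []
    for parent, kids in dropper_chains(events).items():
        alerts.append(f"dropper burst: {parent} launched {len(kids)} random-named "
                      f"executables from C:\\Windows\\System")
    for image in lock_memory_requesters(events):
        alerts.append(f"SeLockMemoryPrivilege enabled by {image} (large-page miner indicator)")
    return alerts


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The burst threshold matters: a single unsigned executable in C:\Windows\System is worth a look, but the report shows more than twenty launched from one parent, and requiring several children per parent keeps the rule from firing on a lone installer artifact. The privilege check is independent of process lineage, so it still fires if the miner is started some other way.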
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2392-0-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/2392-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\yEBdTvZ.exe
| MD5 | 5b3865a54a4ca480e3829b07b8a68501 |
| SHA1 | 1c9d92040f2fe9ac75d0fb1769334ac49f0f5f05 |
| SHA256 | d9d2224298804aaf3388c3f7fff2849a72fc7b50dea47df9d3cc38166b950608 |
| SHA512 | 43d89acc3f9654deac9fdda3e9c3d98ebeba0dc1b5f85089b60dddc5a31f7285acd1acd4ff35d2b411345f1eaa22ff3ab3ddbe4602bc36d6d6390b68f5a354da |
memory/2392-6-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/2916-8-0x000000013F890000-0x000000013FBE4000-memory.dmp
\Windows\system\GQHpBJe.exe
| MD5 | b8d5092547c508b15bb8b479cff26ca6 |
| SHA1 | e045a72b70ab95b55de760e3ba43f3acfce9467e |
| SHA256 | f2e161338b3f77281f423842ac927de872acb304ca45a61d40afc6beec297df0 |
| SHA512 | 6fa59ca660860e3bbd12c147405e3d52ad24211da76c95e0079b06f3ef79597c7ff57d58e358f9c85da883fac08fff58cd8a771d65f0e895eba953931bc708f8 |
C:\Windows\system\AqkzwGR.exe
| MD5 | 2651f7f050c6471c4f0b4c7a27170e44 |
| SHA1 | 80fb018a51127573b2dcc671b64b5d8b69d6c5f0 |
| SHA256 | 854acbad4e7d479d74a82bef4a79b0a17ece850a8152e28aed05b4630619e6e7 |
| SHA512 | e4646774777a420ecf0c032292cc31c829044fe0321d646fcd28778757576c72c7f0a995ed49c95d3f5f52c6f7b38a520db1e10a136dea97584c2456b8a0b3a8 |
memory/2820-21-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2392-18-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/2224-15-0x000000013F080000-0x000000013F3D4000-memory.dmp
\Windows\system\inveqQK.exe
| MD5 | 03f2bebcf1c7d01b5bd98086634227c6 |
| SHA1 | 248d72d5ec200b385468f0d17d04382c9fcbf075 |
| SHA256 | 00e025132ea4c7e9bdab43d4c10558f4a78b6e5aedea7b8d62ecc89f6d2b56ab |
| SHA512 | f1d3cdde7a935816defec748438a4faade6629cab85dd3fd8d24fc1bb7a8804915b7319ba456f018748c1f0343951b323cd15ba2627f398b25df8a965f31017c |
memory/2440-29-0x000000013F310000-0x000000013F664000-memory.dmp
\Windows\system\PNjUGME.exe
| MD5 | a4169c281672c6961baa0217fdcd0d3c |
| SHA1 | b911f7d1ecdc5266c47cc0a96d50bcc108b0f9af |
| SHA256 | 89f28dcaf22396a9095e66385229b06eae81bb0c5f6233cffc89876634318ffe |
| SHA512 | 9f2e1c9deae1d8c0227f052456783a10975e1df5a9e64832e89b9da6ceb8f784d3fd7fb98566cbfd160154a87fa116679fa7415557a25fab0d3b2ff5808c4896 |
C:\Windows\system\hzucUUt.exe
| MD5 | 42082cf725da57120c1019273c180f25 |
| SHA1 | bc7e373cb4c3fef77bbb3d550d51abbc92e139db |
| SHA256 | 96a2606bbc6e8580085a977fb850235c95a81c4f053fe08d3852ee406571f916 |
| SHA512 | d1f350b3e606941311a193a204a8a2d7bb5ce23933895e28ea7b465d3b4cd24fae368c31c74d04d345438487a3c91a73f4b03453b9b2c40a0769c0d3ece09f77 |
memory/2700-42-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2392-41-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/2928-38-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2392-36-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2392-26-0x000000013F310000-0x000000013F664000-memory.dmp
\Windows\system\uHHXMkk.exe
| MD5 | 6cc7f8f70e1a81401eb4c537711d0920 |
| SHA1 | 689bb07d68d1aba589b327b420f23fef8813111b |
| SHA256 | 91b7bf78d4919e37d7a3913e6b37dea58f0090aa6d849821c9703c3a64ae6e8c |
| SHA512 | 6988315e29d4f4658d31989b3b1d7cef16fb04dac78a731881bdd60936a7a77d0529ffe119b0809b74a59619b3cf2c4dbb14b58e9bb5ca41b5eb773f81f29356 |
C:\Windows\system\emTwIOH.exe
| MD5 | 7f3a3ed48161dbb546a02f2a3434665d |
| SHA1 | 3099d39e39016d5517bb0a8b6dd0a98ee5df718c |
| SHA256 | a5bdd064a2e861ab19e37f39ffcd5f90f90ab8f2c1287bf72715a8de39a6fe95 |
| SHA512 | ffe7390ae46a1510def6bb27e7170cf49773b9f457b6697e6d67e57260e6d527964e2aa793a48b83ce4db23ca81f0d2cc6b1be47bdfb8f130ea2646230e21066 |
memory/2392-56-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/1292-57-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2916-54-0x000000013F890000-0x000000013FBE4000-memory.dmp
\Windows\system\FUxGlBk.exe
| MD5 | d289691f541edb11a1fe33cc158ea855 |
| SHA1 | 1656e4f1cf097b3d3ecff70f96e6dc42afc47d9b |
| SHA256 | ff53b61affb21fb209b049759c53385898823ed49b7ab74ed9ae9c71f290e288 |
| SHA512 | 7819e25081dfbbd2ecd7f9c05c3cd6cf10be51339c001cc46a7520240ec27464e21044333f40ba511213bd7392729adddabbecf3199062b2cc52081e369ec9ce |
memory/2720-65-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2392-64-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2224-63-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2392-62-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2688-49-0x000000013F680000-0x000000013F9D4000-memory.dmp
C:\Windows\system\NqqpDLo.exe
| MD5 | 6fe3c0972bea98cad9763fca2bef21b1 |
| SHA1 | be7dee314157ba2b25723e47c9c7ebf1f4dc1672 |
| SHA256 | 6c99ceb70b98f9e9ab024b824d205950e36c13c35d2e02d3f9031b9cf82f99d6 |
| SHA512 | 210da21e15f16a536c5cb3bab9e31d07889f95b72471c84e91d7eb05ac11ba1e24e0e800a1feb6a6833ebecfff48b24ea1c369eb4e9459388ce6d758264ec14e |
memory/2572-73-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2392-86-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/1900-87-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/2600-94-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
C:\Windows\system\UiofGBv.exe
| MD5 | fbb556d207dbe07b8450fddddaeeb153 |
| SHA1 | 677ece9e5e9f604719a849e7436c04314a6717b6 |
| SHA256 | 2f3a0b15027dda00b64abe525000c11920076a6562403319301175c0ab333cfd |
| SHA512 | 3d292e44e17ab6d1c2a22f7c7106217416091305fd17dc14bb6868fabcd22306b33a6baddf19ba0a61c22ceb9c95ec8cb47f5426153b4873811e3936affac0b9 |
C:\Windows\system\cVbPxtq.exe
| MD5 | 5a7b06ea90e40c66c09b5700497ef10b |
| SHA1 | a3c804cc46c5751b9eb2df64b4a00371e6870e82 |
| SHA256 | e215b6a37985fbcb94939768d5d9bdebc0d2ee860245dfc428b6e33572e22101 |
| SHA512 | 5813a62190dfc522c67f5e7fc48ab2ac2ff82a36ab89adaf200889522d024144ac2eae08e24755c11853bef03d4bb3100c936f76dccbc9ed227c437b83f9de0f |
\Windows\system\sCfHGeL.exe
| MD5 | a6360e9d2baa05f81ffb79e85a2e66b5 |
| SHA1 | 22cf3a4ede6095cf40b833885ce4af16de85c51b |
| SHA256 | 8a53103405b6fc77631b374cd2307acfd0788fca011ab88f541e793f6daa746e |
| SHA512 | 218c6fa79cc69528cea7ce1dafe9ae243a849ca5a4f8a552d797d77203755b2975291ad50646ea3a2db57d5be0da9d0f272645955962c0d2cf50bd6d728cacc7 |
C:\Windows\system\deaYOZt.exe
| MD5 | de09e567ee757e98301edd6b16fa4c1c |
| SHA1 | 7b6142f381204df12bcf7f83954133cb32a7cd28 |
| SHA256 | ee086d6ea81f842c17a51c3907d0cf9838f8d5e334598f4a6fe8fcf2c32f4a4a |
| SHA512 | 2ce532a78ba2553185d564fb1700786ba4a5cafc1b672320499ac1dc99b83980f70b3ce0c2ca1a2ca33fd84e2239790ca9ef88a77ba0b5ffc1a4c079605fcd25 |
C:\Windows\system\qtJbXMs.exe
| MD5 | d0a7911cd0b43264250a19776df042f8 |
| SHA1 | 802b3475051cffb22e9ffc74c4ee79d3a2ea1b61 |
| SHA256 | 4b712480a3d4765f3123f4423c6857b01eac1e4100978730e8f13859fc2d9f84 |
| SHA512 | e6b167ffd3a54d83005b232862fc1495440ab71c6ff5c48d9181ce895b2fcd08d261c52f7fa196f354fa0ffb46c9fbe3e7b5018b097c464c2c698edb48b46849 |
memory/2392-108-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/2928-107-0x000000013FED0000-0x0000000140224000-memory.dmp
\Windows\system\TIhBHok.exe
| MD5 | db5759122ba99f4fb3e4b04e62c013d9 |
| SHA1 | ab726921e99c65e4ed308d726732cde69f5fb372 |
| SHA256 | 77647a037a88e6806c20483ad92e901f7219d8ee29e6a61594637fbde7710835 |
| SHA512 | b0b2ee36ea5e0429c441947cf39bbc4dc33d5a3d72c5202bcc71dfa6e1e705a037332842078d9f55d2c3d8928efa192f4f65dd7ec2ffd569787269a3057ea811 |
C:\Windows\system\IHWIuOM.exe
| MD5 | 31675ae8ed63288d5fce9ffe7b02c5f7 |
| SHA1 | 56f8019d69df29e24c0852f9c8e0db6cb1a2e994 |
| SHA256 | 5c31348fd780fe160db3dfc97ca9eeedfb5c4a5bb08e70e66fd2b7ee20085bcc |
| SHA512 | 8a653e0c092093a0462424edceaf0bdbcad8cac7e5a4ad1eedf27b3f9d6a3596daa8ca339ae8d34528bcd41e03ce4492b263dff93f800b72cb1bea9fc3d39cfb |
memory/2700-140-0x000000013F400000-0x000000013F754000-memory.dmp
memory/3004-103-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/2392-102-0x0000000002480000-0x00000000027D4000-memory.dmp
C:\Windows\system\IfqbJUJ.exe
| MD5 | ddba4687134e6f87ab1c7fb245397851 |
| SHA1 | cc21a3d9ffe63df2a6e847be47598f11d18ae6f4 |
| SHA256 | e9b9e7883763be3475d18781f190fd7e74872ecfc07dd2571223c1fa4a7d1b4b |
| SHA512 | 07adb57c2da213c3efc918d58c4bb956e7b393e848a447fba51b0e2c19641a23fb7701cbc5d9f20a86fb346e55631db6cab039ba0dba85c0b9cc2d494ce03dd2 |
memory/2392-93-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2440-92-0x000000013F310000-0x000000013F664000-memory.dmp
C:\Windows\system\BOnFqMo.exe
| MD5 | a8b4fc6e078f3d21f6fd7add901be330 |
| SHA1 | f328301e5988bbd54de4b3f923532f85cfc72ccb |
| SHA256 | b4790020771d810f02aa6ae5406902fc9237fe2c19aa11ca17e82dad1a8953cd |
| SHA512 | 950fc00fcf77fd2ad944fad3e31ef46052ea744733b4f14eca2aac206a3e103665ca9521313cb967306cb69beda5bf5583044c6952125494502bd833b6ec32dc |
memory/2820-85-0x000000013F840000-0x000000013FB94000-memory.dmp
C:\Windows\system\FNAIGrf.exe
| MD5 | 6b343e6c6f054f0f699dfefd01c43350 |
| SHA1 | ad318d5ea9105c8848716d5879ded0ecfd613d60 |
| SHA256 | 66921312c6387105d05ffb288b4b5b979e39d088b2ca55192776105e2473d148 |
| SHA512 | 3e8346c9d242d0ef3d0bdeff7f6a58944b3a53c70032ac4e92f9f1f021c7dad6b144ee3e0a08c57eaa5e4875ad3b6ad06588d3a44e867dc79e880e524ac5a4e3 |
memory/3024-79-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2392-78-0x0000000002480000-0x00000000027D4000-memory.dmp
C:\Windows\system\TnaNihV.exe
| MD5 | 5c3a718550083d03ecb109f5ecd267b4 |
| SHA1 | a52a62b4aa17463f1fe956d480529dc5e412d759 |
| SHA256 | 7d110be7e5ece8fa137454aa75112e419417d9974ae8173bd4fab610916edb92 |
| SHA512 | 0311ee36544aaab9700ee4b3e568b2ed9d7b6e98bb8d6c9d38b68236b8010bd12e1764ebaff6f496c65aac858cda17f63cbb17074cb543a26cc4947075f49b2d |
memory/2392-72-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2392-141-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2392-142-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2720-143-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2392-144-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/3024-145-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/1900-146-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/2392-147-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2600-148-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2916-149-0x000000013F890000-0x000000013FBE4000-memory.dmp
memory/2224-150-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2820-151-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2440-152-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2928-153-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2700-154-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2688-155-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/1292-156-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2720-157-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2572-158-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/3024-159-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/1900-160-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/2600-161-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/3004-162-0x000000013F770000-0x000000013FAC4000-memory.dmp
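The memory dump names above follow one scheme, memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, and a lot of the triage can be done from the names alone before opening a single dump: the large region in every dropped process has the same size, and the dropper (pid 2392) has the same address range captured twice at different sequence numbers. The Python below is an added example written for this page, not sandbox code; it parses a subset of the names copied from the report and answers those two questions.

```python
import re
from collections import defaultdict

# Region names are copied from the Files section of this report (a subset). The
# naming scheme is the sandbox's own: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
REGIONS = [
    "memory/2392-0-0x000000013F8A0000-0x000000013FBF4000-memory.dmp",
    "memory/2392-1-0x00000000001F0000-0x0000000000200000-memory.dmp",
    "memory/2392-6-0x0000000002480000-0x00000000027D4000-memory.dmp",
    "memory/2916-8-0x000000013F890000-0x000000013FBE4000-memory.dmp",
    "memory/2224-15-0x000000013F080000-0x000000013F3D4000-memory.dmp",
    "memory/2820-21-0x000000013F840000-0x000000013FB94000-memory.dmp",
    "memory/2928-38-0x000000013FED0000-0x0000000140224000-memory.dmp",
    "memory/2392-41-0x000000013F8A0000-0x000000013FBF4000-memory.dmp",
]

REGION_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_region(name: str) -> tuple:
    """Return (pid, seq, start, end) for one dump name; reject anything else."""
    m = REGION_RE.match(name)
    if m is None:
        raise ValueError(f"not a sandbox memory dump name: {name!r}")
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def region_size(name: str) -> int:
    _, _, start, end = parse_region(name)
    return end - start


def sizes_by_pid(names) -> dict:
    """pid -> set of distinct region sizes dumped for that process."""
    out = defaultdict(set)
    for n in names:
        pid, _, start, end = parse_region(n)
        out[pid].add(end - start)
    return dict(out)


def common_size(names):
    """The one region size present in every dumped process, or None.
    Identical sizes across processes are what you expect when the same payload
    is unpacked in each of them; matching sizes alone do not prove identical
    content, so compare the dumps themselves before concluding that."""
    per_pid = sizes_by_pid(names)
    shared = set.intersection(*per_pid.values()) if per_pid else set()
    return shared.pop() if len(shared) == 1 else None


def repeated_ranges(names) -> dict:
    """(pid, start, end) -> sorted seq numbers, for ranges dumped more than once.
    A repeat means the sandbox captured the same range at two points in time,
    which is the pair to diff when looking for in-place unpacking."""
    seqs = defaultdict(list)
    for n in names:
        pid, seq, start, end = parse_region(n)
        seqs[(pid, start, end)].append(seq)
    return {k: sorted(v) for k, v in seqs.items() if len(v) > 1}


if __name__ == "__main__":
    print(f"common region size: {common_size(REGIONS):#x}")
    for (pid, start, end), seqs in repeated_ranges(REGIONS).items():
        print(f"pid {pid} range {start:#x}-{end:#x} dumped at seq {seqs}")
```

On the names in this report the shared size is 0x354000 bytes, and pid 2392 additionally holds a region of that same size at 0x2480000, well below the image-load addresses of the other regions; together with the "UPX dump on OEP" signature, that is the region to unpack-compare against the dropped files rather than the packed original.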