Analysis Overview
SHA256
2df4d1207fada40a7ffad4aadcc125e32b53c9d7227362c8e9c2df1fe5800574
Threat Level: Known bad
The file 2024-06-06_8caad0840acab799cfe6dfb9e5812b4d_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobalt Strike reflective loader
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobaltstrike
xmrig
Cobaltstrike family
Detects Reflective DLL injection artifacts
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 10:55
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 10:55
Reported
2024-06-06 10:58
Platform
win7-20240221-en
Max time kernel
125s
Max time network
139s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\OvXmhpr.exe | N/A |
| N/A | N/A | C:\Windows\System\CRxoaFL.exe | N/A |
| N/A | N/A | C:\Windows\System\TUjvsmz.exe | N/A |
| N/A | N/A | C:\Windows\System\CZbrKaJ.exe | N/A |
| N/A | N/A | C:\Windows\System\cqXJusk.exe | N/A |
| N/A | N/A | C:\Windows\System\eiqSDIu.exe | N/A |
| N/A | N/A | C:\Windows\System\fXEoEBJ.exe | N/A |
| N/A | N/A | C:\Windows\System\PgTRvjW.exe | N/A |
| N/A | N/A | C:\Windows\System\INRCsTh.exe | N/A |
| N/A | N/A | C:\Windows\System\rhsBbqo.exe | N/A |
| N/A | N/A | C:\Windows\System\KfqfpOc.exe | N/A |
| N/A | N/A | C:\Windows\System\AlqlEaR.exe | N/A |
| N/A | N/A | C:\Windows\System\yfbLJoO.exe | N/A |
| N/A | N/A | C:\Windows\System\voiihyW.exe | N/A |
| N/A | N/A | C:\Windows\System\grcrHtm.exe | N/A |
| N/A | N/A | C:\Windows\System\jvZQYrD.exe | N/A |
| N/A | N/A | C:\Windows\System\drdFtTG.exe | N/A |
| N/A | N/A | C:\Windows\System\mCdjUTk.exe | N/A |
| N/A | N/A | C:\Windows\System\rYSVvzs.exe | N/A |
| N/A | N/A | C:\Windows\System\BkDawcq.exe | N/A |
| N/A | N/A | C:\Windows\System\GCNDGwx.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_8caad0840acab799cfe6dfb9e5812b4d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_8caad0840acab799cfe6dfb9e5812b4d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_8caad0840acab799cfe6dfb9e5812b4d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_8caad0840acab799cfe6dfb9e5812b4d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\OvXmhpr.exe
C:\Windows\System\CRxoaFL.exe
C:\Windows\System\CZbrKaJ.exe
C:\Windows\System\TUjvsmz.exe
C:\Windows\System\cqXJusk.exe
C:\Windows\System\eiqSDIu.exe
C:\Windows\System\fXEoEBJ.exe
C:\Windows\System\PgTRvjW.exe
C:\Windows\System\KfqfpOc.exe
C:\Windows\System\INRCsTh.exe
C:\Windows\System\AlqlEaR.exe
C:\Windows\System\rhsBbqo.exe
C:\Windows\System\yfbLJoO.exe
C:\Windows\System\voiihyW.exe
C:\Windows\System\grcrHtm.exe
C:\Windows\System\jvZQYrD.exe
C:\Windows\System\drdFtTG.exe
C:\Windows\System\mCdjUTk.exe
C:\Windows\System\rYSVvzs.exe
C:\Windows\System\BkDawcq.exe
C:\Windows\System\GCNDGwx.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 10:55
Reported
2024-06-06 10:58
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\EyHomMN.exe | N/A |
| N/A | N/A | C:\Windows\System\BIRgULs.exe | N/A |
| N/A | N/A | C:\Windows\System\KFiCTuA.exe | N/A |
| N/A | N/A | C:\Windows\System\lNqHhHi.exe | N/A |
| N/A | N/A | C:\Windows\System\YFoYiDs.exe | N/A |
| N/A | N/A | C:\Windows\System\PqDCFUJ.exe | N/A |
| N/A | N/A | C:\Windows\System\BYVrcop.exe | N/A |
| N/A | N/A | C:\Windows\System\DCDdwNC.exe | N/A |
| N/A | N/A | C:\Windows\System\LiHeoEW.exe | N/A |
| N/A | N/A | C:\Windows\System\IdaVRHy.exe | N/A |
| N/A | N/A | C:\Windows\System\dtyXrxg.exe | N/A |
| N/A | N/A | C:\Windows\System\rOFlbzg.exe | N/A |
| N/A | N/A | C:\Windows\System\fOXbtPw.exe | N/A |
| N/A | N/A | C:\Windows\System\OQSuPJX.exe | N/A |
| N/A | N/A | C:\Windows\System\rGezFBr.exe | N/A |
| N/A | N/A | C:\Windows\System\AUQwuxC.exe | N/A |
| N/A | N/A | C:\Windows\System\fgEwXzI.exe | N/A |
| N/A | N/A | C:\Windows\System\mNxbnxT.exe | N/A |
| N/A | N/A | C:\Windows\System\bsZjPnl.exe | N/A |
| N/A | N/A | C:\Windows\System\PXGoOfj.exe | N/A |
| N/A | N/A | C:\Windows\System\YOxurXq.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_8caad0840acab799cfe6dfb9e5812b4d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_8caad0840acab799cfe6dfb9e5812b4d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_8caad0840acab799cfe6dfb9e5812b4d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_8caad0840acab799cfe6dfb9e5812b4d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\EyHomMN.exe
C:\Windows\System\BIRgULs.exe
C:\Windows\System\KFiCTuA.exe
C:\Windows\System\lNqHhHi.exe
C:\Windows\System\YFoYiDs.exe
C:\Windows\System\PqDCFUJ.exe
C:\Windows\System\BYVrcop.exe
C:\Windows\System\DCDdwNC.exe
C:\Windows\System\LiHeoEW.exe
C:\Windows\System\IdaVRHy.exe
C:\Windows\System\dtyXrxg.exe
C:\Windows\System\rOFlbzg.exe
C:\Windows\System\fOXbtPw.exe
C:\Windows\System\OQSuPJX.exe
C:\Windows\System\rGezFBr.exe
C:\Windows\System\AUQwuxC.exe
C:\Windows\System\fgEwXzI.exe
C:\Windows\System\mNxbnxT.exe
C:\Windows\System\bsZjPnl.exe
C:\Windows\System\PXGoOfj.exe
C:\Windows\System\YOxurXq.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2768-0-0x00007FF6F0520000-0x00007FF6F0874000-memory.dmp
memory/2768-1-0x00000195A30B0000-0x00000195A30C0000-memory.dmp
C:\Windows\System\EyHomMN.exe
| MD5 | 050cc991ead7eb57a6d2648945a49a40 |
| SHA1 | 3b7387354dfe3254f38c3959f236d34b99517de5 |
| SHA256 | cc4981abf0294d9e18ab15e4b212f05d035716aff35cc63172d31527fbd15519 |
| SHA512 | 92cba0bed07185469d08f206a457f97f10ed4d4573c747e622ff1d70ea8428bf8f947045e5fc0e90faef6cbe8dda77ed66f8229f3521c2b2496571effa9ea07b |
memory/4428-6-0x00007FF6A3660000-0x00007FF6A39B4000-memory.dmp
C:\Windows\System\BIRgULs.exe
| MD5 | 8b8851d64083d09ec301cb451ed67d74 |
| SHA1 | ac6da72e3e5c06263ef5dc36b38404ebe86cee43 |
| SHA256 | f2ea08fcab48b37f4fab8ebb495d5f9d05d55aecdeeb2a82a8d07eabbbf37a8a |
| SHA512 | 64715824b01c2dc8c35916b9b2ba97d50bcd8a4672abe48e509439048ed640f0c3f57ec08fc76fb45ac2451d8db29fd8843e88fcd4251faed7b5a8a46f606906 |
memory/1584-20-0x00007FF7C4C00000-0x00007FF7C4F54000-memory.dmp
memory/1128-17-0x00007FF7EE2F0000-0x00007FF7EE644000-memory.dmp
C:\Windows\System\KFiCTuA.exe
| MD5 | 2c02a11e362a93d85194f64471ada9e9 |
| SHA1 | d3097e0500f78c247a29e55b77c8df1eb5edb051 |
| SHA256 | d0034cada7eef20aad6727562f874b219059a4e9f35c554db5f7c885ff43bbaa |
| SHA512 | dac1ba9f7994fef1201c0eafcf5f978631ea9774b3c90966d94a8716eb978130fe3a4fa9b15e210789d073a5b960c5148fe504ea001d5c1937a518035d316566 |
C:\Windows\System\lNqHhHi.exe
| MD5 | ce1c899fe0a0efce6b3836e6b0006b6d |
| SHA1 | b5a2f89e5f67149d7df57fa6232ff3c4d7437046 |
| SHA256 | aaff66a506fa33ec67663da3b07580fd91b0958eb15078e1dbbd5782deda6ef5 |
| SHA512 | 0ce00ca1b0857637e0b9303531952666a298072052a54513272eec896b88f9f051b518cb882d8e6a70aca0dfaeb7f184a1f566038da357cb7af56a8bcfe7e68f |
C:\Windows\System\PqDCFUJ.exe
| MD5 | e8dbddb77b83a054d7df6ebad3e55d86 |
| SHA1 | c67580957544a29e37f69913a5796079a73b40df |
| SHA256 | dabf797bb2348a3c0b99bbf81c0742aae1a513232c42c121506984f83aa89f6a |
| SHA512 | 926270c26949f9496e6cbc45723eeb18449c2c0c57e650dbe57632689c647b7ed8f651225bdfcda1526c43c228556cd21e6371f715b75fc452be7248bc342635 |
C:\Windows\System\LiHeoEW.exe
| MD5 | e3f7040f4243fa836ff954ba114c2150 |
| SHA1 | f6ff7f95a44bf302cfcd8b29498f5157788dd578 |
| SHA256 | 5585ac182b1abe3a05a06a6bc2564f73a800e603c6316b9448b9b0f425ca3a87 |
| SHA512 | dba7717b8b2077e27bba46340f5524aba7ead2695c126c2651e539223bb992d79fb97d05114dc4b22796ae3c74129d3999b9c801e47d0303418d41d89e0aadeb |
C:\Windows\System\IdaVRHy.exe
| MD5 | 9b8c81707ea3ccb89f8d42fd1d7afa03 |
| SHA1 | a24aa609d3f213c51f1112a57b0395f1ebdf52c8 |
| SHA256 | 34c13dfc7513d1c76e9e2f01988d8f161a170b6195945d4d98e2db0df3e12724 |
| SHA512 | 92974943b75abd9d7f6b8221cc948ac79a4b8eb08cb02ea6c1f4ff07ba84c1050d56aaa49c4b9755b0e0bfa8d8c083e78691271a6c39023b5945801f4e12d29f |
C:\Windows\System\rOFlbzg.exe
| MD5 | b28c9d595e6cb962c5fe6f622d146d0a |
| SHA1 | ed7fc4e28d6216ce459785aaea8f4bf85d829e67 |
| SHA256 | d24115f36bcacf470b0d32c3463efd9a1c02f2db055d690f5686ab5c09f0f0e6 |
| SHA512 | d460c6b0a0fc339f05299740b02a767a8b3ed2e0a9774a129fbd79d0e9994518f0b09c0da7cc04a505bb7ddba2c716b1a7448e16b77d0700d267945e71a83d87 |
C:\Windows\System\rGezFBr.exe
| MD5 | 58bd93ecd841b35399318b857664bcd1 |
| SHA1 | e50fdd3baea92f09df50108e4499e186928ec190 |
| SHA256 | 48752b617dd3516637c840c5a4f7418e5f34d0a448ca450eb23f99e6e0cf7e63 |
| SHA512 | 498183eb975e9492511dcfa396eca1ca99a7162377c7c631dcd7d8ae789349ee1b9a3e524206b117f04f713b56c780303964ecf24631a0dcbc93a066b856b480 |
C:\Windows\System\fgEwXzI.exe
| MD5 | f993d7cfaf9ab7b663f1c45bcd38b0bb |
| SHA1 | 26e218db906638eb0ea47dc57ac5de35f349d512 |
| SHA256 | 406139f5fb063688800ae12a3d593cad59f533256c14d509c9cdcc5e19156b5c |
| SHA512 | dfffd8bd1218cc9e72d7757854b7efe9ae120178b2adc51df85d364471fa8d608e8df079aa02d2c963aee039dd4c984bc48be75bf117c6aef7ab80ddc1d97ba7 |
C:\Windows\System\mNxbnxT.exe
| MD5 | b88928d32ae7f2fb2b0c540c8b18af4c |
| SHA1 | 16995ee861395c2be83d3fb0989c0c4dddb27782 |
| SHA256 | b2419343c35647a9c1af74eb0d8e6de713ba5c5fb160d10ec89355a70f3c5e19 |
| SHA512 | 1385496a253f43c77942cfd571f8204ef0414f869c075fe34e4f260e7b89bcc757cf1315b59cd3dba196097f6869e1c327d492aeafe306402faa905c28625980 |
C:\Windows\System\YOxurXq.exe
| MD5 | 4957a3bfdfd934d1afae4347656aec1e |
| SHA1 | 196c0af0f8543bbe481b1a8062720ea0e4ef50c7 |
| SHA256 | 5b40c0c5763c719e623218b26399bcb034346d1a17a192de1730b760e6b2a603 |
| SHA512 | 066472b8813585f9479e5f248a585cc0db1faf399af025573de18945a54ac49f04bda647a1b204970cd819fcc5ff3997f967701ba380f43991857479471a9ded |
C:\Windows\System\PXGoOfj.exe
| MD5 | a070fc74c043ad53a5638fe551338da9 |
| SHA1 | 4ea24ea15f1033a7d2f55cad5ec58dfbd35ed256 |
| SHA256 | b13d5c1f238f97aa5d5c84c69e41166eb6cd0e62bcb8d82cc31eccb78b080b91 |
| SHA512 | 97a377ed37ee903ac723852af4aef1f45b4cf4da608f47b3e8a63419d2f2c1147e7b32fa258bd66c577ed5d7324dc98431b3fdf1134be436ef751343ad9de72e |
C:\Windows\System\bsZjPnl.exe
| MD5 | bfc3f723b9870e1fa563ce911a9ad468 |
| SHA1 | c168bf7b3a00fe7e4e8c5f35fbd6572d6b307409 |
| SHA256 | 136dc6ab26db40d1e4884d0ba063fc6def206b78cd92f140332e8b8646c9af6f |
| SHA512 | f3c4a88630272e9e9d6bcbb697749add4a03731e6e3eb8cd446594bfa36ab1a4ff06dcefb766a55738e4ea140a754d73e41c86af7c9394b41f556bd17113191f |
C:\Windows\System\AUQwuxC.exe
| MD5 | 220c2e3759c7feea12bfdf55351aa66f |
| SHA1 | 022cc350de84d5227c8cd96d071a4dff1e07c2e1 |
| SHA256 | 23c2cedfe3dfd8da1c1c4f3cdef67cd05306f8f68b591c3364b92c879656e291 |
| SHA512 | f4b327ff0b433a05aaccfa71b40d16b313c537d0445bded3d073ae3c408e6aa41575c197f11ae75db8de48fbe4c4bab3fc6cc00292d68bebebdd667257d03c97 |
C:\Windows\System\OQSuPJX.exe
| MD5 | 0c8d984441355ab453f1e5e51d15bfe3 |
| SHA1 | 1ac96bf6668165629dd75b17d1f33fec134f8582 |
| SHA256 | b45f6c45fe19109633618ffae447d42c1ab299c7c96bf9e2b75915b10f80fadb |
| SHA512 | 124e1bbe61c003b7431dc206ec4a70d20e0d82df00841f543afc7399244959f8ed5ad499dfd732449689b0af3de6fc474638c5499acede83fc1b87aa3beff33e |
C:\Windows\System\fOXbtPw.exe
| MD5 | c75377bcc894fc0a90f27a875a5406ab |
| SHA1 | 53501799980108c855cd280a7c1a7f7d144ad6e0 |
| SHA256 | 67de7210d813c25ce847ef5c28fe1ae8ddf9e01793a3d6f17332f2068f05b2d1 |
| SHA512 | 9cff48aab80a430932006be3b07240893157c45f7e4f45efd7c58b89093f3caf9d7ab822f3c5835be611dfa19ca17fcef939dcdf6c9e5b4c60e5b262e441eb41 |
C:\Windows\System\dtyXrxg.exe
| MD5 | e8f0792581326459550e0bc9348d574f |
| SHA1 | d349a95a47b2659738e7bcfeb105786204c5f084 |
| SHA256 | a7461b2f2e872fca2725664eeac619c17e1d7c3d547f4d64796f198325206ce3 |
| SHA512 | 3a32453783ffce83318fde92cf0ba36e4ed45fdce9a070e6d70820f3370f48c860f08fc69911b2d98d15fcaecad986219f9ba534a64b0063c86a83c82084081c |
C:\Windows\System\DCDdwNC.exe
| MD5 | 4a99efa2d305b318e7cd05cf16ce9499 |
| SHA1 | 931812d48d65442b978d3c122480a8977836d002 |
| SHA256 | 9b4fdb2f6b75b81f349710f87aba3c8e327f8a24ee38ec1651b38590716ca3e2 |
| SHA512 | 34bf9e29be9b4a074bf914d2392fa690b61f7cc62ea001a9ea53ba45702d643daebc476b03e5fdac65ffc45b20272ea493ffcb56edc801851caa659528528f68 |
C:\Windows\System\BYVrcop.exe
| MD5 | 689849c586da5af0bb0b5c777ba6f772 |
| SHA1 | 9af2208e1347e4a2ea97e136ff9730962ac44c96 |
| SHA256 | 763205e949861adfd3a2a54e2cc1000fe6996e06cf57f68d2732e48b92674cba |
| SHA512 | 02bf7ca8a59a4b1f388e8cdab604aedc2e4aa600f9428b63c1be19ba32d4683cedf9ce76cd8c7bf599f6cb25fbd396f0c25ecbb28548a425c95f1fd1ba9d1a58 |
memory/3056-33-0x00007FF727680000-0x00007FF7279D4000-memory.dmp
memory/332-28-0x00007FF6FA310000-0x00007FF6FA664000-memory.dmp
C:\Windows\System\YFoYiDs.exe
| MD5 | 00c3ea7739900681f71ac1fb37e02a28 |
| SHA1 | 5753a5ad01fdc49855cf2978e5a3594ef7b86798 |
| SHA256 | 61719cca946bb4c28f1388115c2685238dacc018a3fc0ed70c18ab66b9d72de2 |
| SHA512 | 05d30f82a842fa2fd4877524ae925f38ac7ad7b29ddcc11af4f9e79203098585d83f484d2534c9f282f9865250d709798c17dacdf7cb308554c804bbb3a55c1c |
memory/4864-112-0x00007FF620D40000-0x00007FF621094000-memory.dmp
memory/3892-113-0x00007FF6F46D0000-0x00007FF6F4A24000-memory.dmp
memory/3504-114-0x00007FF77BDA0000-0x00007FF77C0F4000-memory.dmp
memory/4540-115-0x00007FF6FD6C0000-0x00007FF6FDA14000-memory.dmp
memory/2660-116-0x00007FF6EA870000-0x00007FF6EABC4000-memory.dmp
memory/2852-117-0x00007FF78C030000-0x00007FF78C384000-memory.dmp
memory/1660-119-0x00007FF7DB7E0000-0x00007FF7DBB34000-memory.dmp
memory/4736-120-0x00007FF6FB300000-0x00007FF6FB654000-memory.dmp
memory/4284-121-0x00007FF6659C0000-0x00007FF665D14000-memory.dmp
memory/372-118-0x00007FF642680000-0x00007FF6429D4000-memory.dmp
memory/1632-122-0x00007FF648DD0000-0x00007FF649124000-memory.dmp
memory/3948-123-0x00007FF725CF0000-0x00007FF726044000-memory.dmp
memory/1720-125-0x00007FF70A150000-0x00007FF70A4A4000-memory.dmp
memory/4784-124-0x00007FF6F8F50000-0x00007FF6F92A4000-memory.dmp
memory/1968-127-0x00007FF7D3590000-0x00007FF7D38E4000-memory.dmp
memory/3196-126-0x00007FF62FA40000-0x00007FF62FD94000-memory.dmp
memory/2768-128-0x00007FF6F0520000-0x00007FF6F0874000-memory.dmp
memory/4428-129-0x00007FF6A3660000-0x00007FF6A39B4000-memory.dmp
memory/1128-130-0x00007FF7EE2F0000-0x00007FF7EE644000-memory.dmp
memory/332-131-0x00007FF6FA310000-0x00007FF6FA664000-memory.dmp
memory/4428-132-0x00007FF6A3660000-0x00007FF6A39B4000-memory.dmp
memory/1584-133-0x00007FF7C4C00000-0x00007FF7C4F54000-memory.dmp
memory/1128-134-0x00007FF7EE2F0000-0x00007FF7EE644000-memory.dmp
memory/3056-135-0x00007FF727680000-0x00007FF7279D4000-memory.dmp
memory/332-136-0x00007FF6FA310000-0x00007FF6FA664000-memory.dmp
memory/1968-138-0x00007FF7D3590000-0x00007FF7D38E4000-memory.dmp
memory/4864-137-0x00007FF620D40000-0x00007FF621094000-memory.dmp
memory/3504-140-0x00007FF77BDA0000-0x00007FF77C0F4000-memory.dmp
memory/3892-139-0x00007FF6F46D0000-0x00007FF6F4A24000-memory.dmp
memory/2660-142-0x00007FF6EA870000-0x00007FF6EABC4000-memory.dmp
memory/4540-144-0x00007FF6FD6C0000-0x00007FF6FDA14000-memory.dmp
memory/1660-145-0x00007FF7DB7E0000-0x00007FF7DBB34000-memory.dmp
memory/372-143-0x00007FF642680000-0x00007FF6429D4000-memory.dmp
memory/2852-141-0x00007FF78C030000-0x00007FF78C384000-memory.dmp
memory/1632-150-0x00007FF648DD0000-0x00007FF649124000-memory.dmp
memory/3948-149-0x00007FF725CF0000-0x00007FF726044000-memory.dmp
memory/4284-152-0x00007FF6659C0000-0x00007FF665D14000-memory.dmp
memory/4736-151-0x00007FF6FB300000-0x00007FF6FB654000-memory.dmp
memory/4784-148-0x00007FF6F8F50000-0x00007FF6F92A4000-memory.dmp
memory/1720-147-0x00007FF70A150000-0x00007FF70A4A4000-memory.dmp
memory/3196-146-0x00007FF62FA40000-0x00007FF62FD94000-memory.dmp