Analysis Overview
SHA256
6f6057c04cd85dfb29863ed15cd66d2a6100f782f112725f6bada081205bf223
Threat Level: Known bad
The file 2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
xmrig
Detects Reflective DLL injection artifacts
Xmrig family
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
XMRig Miner payload
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 12:32
Signatures (one match each; the export carries no indicator details for the static pass)
| Signature | Matches |
| Cobalt Strike reflective loader | 1 |
| Cobaltstrike family | tag |
| Detects Reflective DLL injection artifacts | 1 |
| UPX dump on OEP (original entry point) | 1 |
| XMRig Miner payload | 1 |
| Xmrig family | tag |
| UPX packed file | 1 |
| Unsigned PE | 1 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 12:32
Reported
2024-06-06 12:35
Platform
win7-20240221-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Cobalt Strike reflective loader (21 matches; indicator details not exported)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts (21 matches; indicator details not exported)
UPX dump on OEP (original entry point) (60 matches; indicator details not exported)
XMRig Miner payload (64 matches; indicator details not exported)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WNPfmgp.exe | N/A |
| N/A | N/A | C:\Windows\System\BsVBgbg.exe | N/A |
| N/A | N/A | C:\Windows\System\NhQlQDM.exe | N/A |
| N/A | N/A | C:\Windows\System\fQwrjUV.exe | N/A |
| N/A | N/A | C:\Windows\System\tEkHrYg.exe | N/A |
| N/A | N/A | C:\Windows\System\uUqupNF.exe | N/A |
| N/A | N/A | C:\Windows\System\bKnIcIL.exe | N/A |
| N/A | N/A | C:\Windows\System\oCvrJZR.exe | N/A |
| N/A | N/A | C:\Windows\System\NnXnYLN.exe | N/A |
| N/A | N/A | C:\Windows\System\FQwoNMK.exe | N/A |
| N/A | N/A | C:\Windows\System\MEYimLq.exe | N/A |
| N/A | N/A | C:\Windows\System\cIExyMK.exe | N/A |
| N/A | N/A | C:\Windows\System\vfapkHh.exe | N/A |
| N/A | N/A | C:\Windows\System\TsmUOCw.exe | N/A |
| N/A | N/A | C:\Windows\System\qkruryb.exe | N/A |
| N/A | N/A | C:\Windows\System\ynFooWL.exe | N/A |
| N/A | N/A | C:\Windows\System\NauGehs.exe | N/A |
| N/A | N/A | C:\Windows\System\bObNrGU.exe | N/A |
| N/A | N/A | C:\Windows\System\XnGOrxn.exe | N/A |
| N/A | N/A | C:\Windows\System\AsswDPL.exe | N/A |
| N/A | N/A | C:\Windows\System\nooleCK.exe | N/A |
Loads dropped DLL
UPX packed file (61 matches; indicator details not exported)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
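The behavioural signatures above (and the identical set in behavioral2, which differs only in the 7-letter file names) reduce to three observable traits: executables written to and launched from C:\Windows\System, file names of exactly seven letters with no code signature, and a process enabling SeLockMemoryPrivilege, the privilege XMRig needs to back its RandomX dataset with large pages. The report does not say which of the 21 dropped processes carries the beacon and which the miner, so hunting rules have to key on those shared traits. The following is an added example of such rules, not tooling from the sandbox; the events are constructed here in a simplified key=value form modelled on Sysmon Event ID 1 (process creation) and Security Event ID 4703 (token privilege adjusted), the Signed field is an assumed enrichment, and the allow-list entry is a hypothetical site-specific choice.

```python
"""Hunting logic for the behaviour recorded in behavioral1 and behavioral2.

Added example, not sandbox tooling. The events are constructed here in a
simplified key=value form modelled on Sysmon Event ID 1 (process creation)
and Windows Security Event ID 4703 (token privilege adjusted); the Signed
field is an assumed enrichment, and a real export needs a real parser in
place of parse().
"""
import re
from collections import defaultdict

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe")

SAMPLE_EVENTS = [
    # the submitted sample starts from the user's Temp directory
    rf"EventID=1 Image={DROPPER} ParentImage=C:\Windows\explorer.exe Signed=false",
    # it then drops and runs 7-letter executables from C:\Windows\System (names taken from the report)
    rf"EventID=1 Image=C:\Windows\System\WNPfmgp.exe ParentImage={DROPPER} Signed=false",
    rf"EventID=1 Image=C:\Windows\System\BsVBgbg.exe ParentImage={DROPPER} Signed=false",
    rf"EventID=1 Image=C:\Windows\System\NhQlQDM.exe ParentImage={DROPPER} Signed=false",
    # benign noise: signed binaries from System32 that also happen to have 7-letter names
    r"EventID=1 Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\services.exe Signed=true",
    r"EventID=1 Image=C:\Windows\System32\conhost.exe ParentImage=C:\Windows\System32\cmd.exe Signed=true",
    # XMRig enables SeLockMemoryPrivilege so it can allocate large pages for its RandomX dataset
    rf"EventID=4703 ProcessName={DROPPER} EnabledPrivilegeList=SeLockMemoryPrivilege",
    r"EventID=4703 ProcessName=C:\Windows\System32\svchost.exe EnabledPrivilegeList=SeChangeNotifyPrivilege",
]

# C:\Windows\System (not System32) is a legacy directory that rarely holds executables on a modern install
WINDOWS_SYSTEM_DIR = re.compile(r"^c:\\windows\\system\\[^\\]+$", re.IGNORECASE)
# the dropper's file names: exactly seven letters, no digits
RANDOM_NAME = re.compile(r"^[a-z]{7}\.exe$", re.IGNORECASE)
# hypothetical site-specific allow-list: processes expected to hold "Lock pages in memory"
LOCK_MEMORY_ALLOWLIST = {r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe"}


def parse(line):
    """Turn 'Key=Value Key=Value' into a dict (values contain no spaces in this sample)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def hunt(events, burst_threshold=3):
    """Return (rule, subject) findings for the behaviours in the report."""
    findings = []
    children = defaultdict(set)          # parent image -> set of child images
    for ev in map(parse, events):
        if ev.get("EventID") == "1":
            image = ev["Image"]
            name = image.rsplit("\\", 1)[-1]
            if WINDOWS_SYSTEM_DIR.match(image):
                findings.append(("exe_in_windows_system_dir", image))
            if RANDOM_NAME.match(name) and ev.get("Signed") == "false":
                findings.append(("unsigned_random_7char_name", image))
            children[ev.get("ParentImage", "").lower()].add(image)
        elif ev.get("EventID") == "4703":
            if "SeLockMemoryPrivilege" in ev.get("EnabledPrivilegeList", "") \
                    and ev["ProcessName"].lower() not in LOCK_MEMORY_ALLOWLIST:
                findings.append(("selockmemory_enabled", ev["ProcessName"]))
    # one parent launching several children out of C:\Windows\System is the dropper chain itself
    for parent, kids in children.items():
        if sum(1 for k in kids if WINDOWS_SYSTEM_DIR.match(k)) >= burst_threshold:
            findings.append(("spawn_burst_from_windows_system", parent))
    return findings


def summarize(events):
    """Count findings per rule."""
    counts = {}
    for rule, _ in hunt(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, subject in hunt(SAMPLE_EVENTS):
        print(f"{rule:36} {subject}")
```

The name-shape rule is deliberately paired with the signature check: svchost.exe and conhost.exe are also seven letters, so on its own it would fire constantly. The directory rule and the spawn-burst rule are the strong ones here; "Lock pages in memory" is normally granted only to database service accounts, so any other process enabling SeLockMemoryPrivilege deserves a look regardless of what else it does.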
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\WNPfmgp.exe | C:\Windows\System\WNPfmgp.exe |
| C:\Windows\System\BsVBgbg.exe | C:\Windows\System\BsVBgbg.exe |
| C:\Windows\System\NhQlQDM.exe | C:\Windows\System\NhQlQDM.exe |
| C:\Windows\System\fQwrjUV.exe | C:\Windows\System\fQwrjUV.exe |
| C:\Windows\System\tEkHrYg.exe | C:\Windows\System\tEkHrYg.exe |
| C:\Windows\System\uUqupNF.exe | C:\Windows\System\uUqupNF.exe |
| C:\Windows\System\bKnIcIL.exe | C:\Windows\System\bKnIcIL.exe |
| C:\Windows\System\oCvrJZR.exe | C:\Windows\System\oCvrJZR.exe |
| C:\Windows\System\NnXnYLN.exe | C:\Windows\System\NnXnYLN.exe |
| C:\Windows\System\FQwoNMK.exe | C:\Windows\System\FQwoNMK.exe |
| C:\Windows\System\MEYimLq.exe | C:\Windows\System\MEYimLq.exe |
| C:\Windows\System\cIExyMK.exe | C:\Windows\System\cIExyMK.exe |
| C:\Windows\System\vfapkHh.exe | C:\Windows\System\vfapkHh.exe |
| C:\Windows\System\TsmUOCw.exe | C:\Windows\System\TsmUOCw.exe |
| C:\Windows\System\ynFooWL.exe | C:\Windows\System\ynFooWL.exe |
| C:\Windows\System\qkruryb.exe | C:\Windows\System\qkruryb.exe |
| C:\Windows\System\NauGehs.exe | C:\Windows\System\NauGehs.exe |
| C:\Windows\System\bObNrGU.exe | C:\Windows\System\bObNrGU.exe |
| C:\Windows\System\XnGOrxn.exe | C:\Windows\System\XnGOrxn.exe |
| C:\Windows\System\AsswDPL.exe | C:\Windows\System\AsswDPL.exe |
| C:\Windows\System\nooleCK.exe | C:\Windows\System\nooleCK.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1152-0-0x000000013F410000-0x000000013F764000-memory.dmp
memory/1152-1-0x0000000000180000-0x0000000000190000-memory.dmp
\Windows\system\WNPfmgp.exe
| MD5 | d92fa9bcbaedcbfded5783fc4bdfbc2e |
| SHA1 | 05ef28d4c60e81ceaf4d131e20272b9cc25420c9 |
| SHA256 | bb6fa71e0c2e3ce539682c212d960bb541199b86fde22b486e234f6dee6935e6 |
| SHA512 | 68e472c4a1d6d878bd7ff3ddf1edf7570ef639120c26248b381664d3b4b5f67b6fcb2d701c9dd00346138ae180e579bb3eaf01331e4511d7cddb89bc7466268c |
\Windows\system\BsVBgbg.exe
| MD5 | 9b40f6a112b19fbb6f704f1c53e90131 |
| SHA1 | a614a8fc93f63ee5da20b23bbda9791fb8cc6163 |
| SHA256 | bfbdb0a042283833be5ec1b0b2719a25b563e010647da8cdf55dbff13b62df1d |
| SHA512 | dc255a65fb43adbfe0e5b179f8e71d01d70ef848212450e5076c8485946dc2e28da51d3b8d435d069e69fc21930c5f9c17bb5a85388935b1d578401177163545 |
memory/2228-7-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2236-15-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
C:\Windows\system\NhQlQDM.exe
| MD5 | 328a92ba49457b65ef0bb14872325016 |
| SHA1 | c0b80f3c243d95a328c90ebc716b486599fbe9ec |
| SHA256 | 9fe79c4a391cc0c9c2ef4c2607c08c1c2abad986ded942007933468ba605418f |
| SHA512 | bda0311d4d09b84b34a5cc70ec542a7a4cae9025c4a0e0d4156449e06dc15df73c61c6e295efcbd576125d48f56182be033953b5115d8f75b6d5932e830d2ed5 |
memory/1152-13-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
C:\Windows\system\fQwrjUV.exe
| MD5 | 45f822d6ec91d3553fb9400d446d0d38 |
| SHA1 | e629229565e0fe80c2c5144993fa13dcaf097d2c |
| SHA256 | b3ec9c86e357e0c45c989134a25e2ec0a89e036b2a3a88b1a327da0d9ef8c8a7 |
| SHA512 | 192b41b3c26ea2e401efee1954c2c715edb6acfa6e4171d61a4a22a219d7b5c28e3b969ff7ea36b966ea35a7f6a95feb6f8be294ea4c282a0d827c55ddc879d9 |
memory/1152-26-0x0000000002340000-0x0000000002694000-memory.dmp
memory/1704-27-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2824-21-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/1152-20-0x0000000002340000-0x0000000002694000-memory.dmp
\Windows\system\tEkHrYg.exe
| MD5 | 114f59a9f1b9eadc83d66f62fa57813b |
| SHA1 | 54aa2e1f2fac300a619fc32fe3d8692c081fa867 |
| SHA256 | 60f53ed3d77bbb33e25c08f1eea6808e543e1ce1fb4edb87b99541b72fac9b0d |
| SHA512 | 05ae925bed4979f9b69ac483c47ce41fe462f2f84782cc3c3672db880340530a8c0a45a03c3bac8e6027604ccb3ee673b810bda8004120db8504b6b99f08733e |
C:\Windows\system\uUqupNF.exe
| MD5 | 4072b2722dbdbe570270bfeadb687843 |
| SHA1 | c9d3e5200ff09561d70b384ae8af814790661da1 |
| SHA256 | 5c9931db5fdf67dcd4eb9894387f63d28853cb868e10d778b260d356d59f09fe |
| SHA512 | 94140072e8cc88f4e0def3be8c652529856dedaaa5b82f202d0b8ba932cc45f9426014b59caff2099ffc33aa5496f1a787dd5960d8f957e9a0f848cc88c2138e |
memory/1744-37-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/3000-39-0x000000013F500000-0x000000013F854000-memory.dmp
memory/1152-38-0x0000000002340000-0x0000000002694000-memory.dmp
\Windows\system\oCvrJZR.exe
| MD5 | fd9a69cc7a173ad45c07375c985e1312 |
| SHA1 | aa31a8335edccad3bfcb51e7b590561c8205c6a4 |
| SHA256 | c52459493704014669ecd7c0b0ba143ec4b845032f26d1a5420f90a16d55f29c |
| SHA512 | 1a280e06dce28cb814a222af10b0be35dff56fc51af7a47c3d980febe41bcf1085fa63c0a9e24ce617937ea2a1401fcafde426d9a54a00d33570a296a42a8df2 |
memory/2908-49-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/1152-52-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2228-55-0x000000013FDF0000-0x0000000140144000-memory.dmp
\Windows\system\bKnIcIL.exe
| MD5 | 9ce0cf392d9b20526655f5f46ab32a6c |
| SHA1 | 717b7192a7032c96e276074d7d046567d03113fe |
| SHA256 | 022b2ccd27d0277e101f9124e4378fe691998eb42acfd0bb808d88e78b7ada44 |
| SHA512 | 7efdd1649d23539b37c07065a5c084466ad0351ead2dbff205b3496dee871fea09c0389156757a2c4b78946ea54f3d67035567266cc371838081de61d2b849cd |
memory/1152-57-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
\Windows\system\NnXnYLN.exe
| MD5 | eb16ca9547e0ffd436dd572f93ef0b23 |
| SHA1 | c350ebd05aad6bffcf7c4f8a8160070eaacb26a2 |
| SHA256 | 627b5ae722eef39f3b1990a0dc02d971a63918fa58534012b55eede8981a5a6e |
| SHA512 | e2ec5fdf7c1af81f6882d115e95a6ed02d02453d0ba1a646f16fdead3725bb405bddd7b6506ccd0d4b5a0be3a01fb867b1c56e72a30335f108d7cd1a2c01529c |
memory/1152-47-0x000000013F410000-0x000000013F764000-memory.dmp
C:\Windows\system\FQwoNMK.exe
| MD5 | 6e00893f49a13d3ca604073671c04f6a |
| SHA1 | 941d19b5a5824260b4ebdc4085c87c9900655f5c |
| SHA256 | 23a9378ffe9de4a1349c1ae9426bb2bfda57fe9a9ebb65e20e8faf83a0d347ac |
| SHA512 | dc088b8d0254a01ab4c3febf8e9edb3ecba57758767059a821d15bd5aba086a0ce5bbdb5f0ff6624e5a41f324516f5b43d6cbcc279b2fff89151b011ce3b530c |
memory/2508-68-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/1152-69-0x000000013FE10000-0x0000000140164000-memory.dmp
C:\Windows\system\MEYimLq.exe
| MD5 | c127e49e2c95bb5a192e0942639914e3 |
| SHA1 | c85315b5dc672bfb1b57079832957303bca93408 |
| SHA256 | f99a4599b6d16ce2ad48787d3f77e2676226e13a408f75617ce7168dd308ee7c |
| SHA512 | 0070b7eb0393d338c9b81ad7db672a8be507c63bd0b78d184196e82e1e36983ae52543f04b4aa0ede6124cdd38387f00a250461a1ab317e97c14b6b0baeea8c4 |
memory/2644-77-0x000000013F850000-0x000000013FBA4000-memory.dmp
C:\Windows\system\cIExyMK.exe
| MD5 | fd37c645b8712e0b77d1b45ed0ffa396 |
| SHA1 | 9ebdb304922adad9586fc2f62b234b3a858325e5 |
| SHA256 | de1c6734590022d9a6cfbc6586f1af38e29bccf5530f3945fd70b21137f54628 |
| SHA512 | c93a1c64170ed474a5d0383b48fd625943056e9a5a0a8972bf926b913960ab05755cf0b0517d43b19712cdb32d7f5678c7ad33630245072b8e0ba458428902f3 |
memory/1152-86-0x0000000002340000-0x0000000002694000-memory.dmp
memory/2480-87-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2824-88-0x000000013F2B0000-0x000000013F604000-memory.dmp
\Windows\system\vfapkHh.exe
| MD5 | 5ac8ef9a4bde56328bd60c6b7ad817b8 |
| SHA1 | 89928c568f378ac9ade10289d8342924ff8031cc |
| SHA256 | a52fde297510c91312b431257918f98af451c6760e286497d55cc2fd81292a06 |
| SHA512 | 579bb04deef102434dcd2e70800b3a1dded8631fc40d8d7b519f5f8537170ef4ccddaacec3a90342bdc2639c5756dffa6834015b92e92450b4b66a106129a67f |
memory/2376-95-0x000000013F630000-0x000000013F984000-memory.dmp
memory/1152-93-0x0000000002340000-0x0000000002694000-memory.dmp
memory/1704-92-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2540-83-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2236-80-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/1152-78-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/1152-76-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2636-73-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/1152-96-0x0000000002340000-0x0000000002694000-memory.dmp
\Windows\system\TsmUOCw.exe
| MD5 | 8764008bc634101d27d021a827c56ffd |
| SHA1 | 4b323694d65a01b91bb698aa00b3a078049295e6 |
| SHA256 | eb5c0e258558c7ae680bf6939486dc680168a05bc059ce2025ffbae323666a95 |
| SHA512 | a6165d832a1f6d848195a5b71273da80499dce33c655d40a1259d2bc7217da6278cf55c8dc45e6ef9c714778bf17e517af39e8dad3030e5bbea2231ab6f918ba |
\Windows\system\qkruryb.exe
| MD5 | 8ff5f30cf3e9b62cccab561f5d931683 |
| SHA1 | 998673c496a4bbb1f6addf55e1f226b8a8bf78f1 |
| SHA256 | 95fcbf4fee3259603f8876f55f424d89c8db514f5ac6aa76efc96ef1244a1954 |
| SHA512 | 964716b8549c90299951473cbc54b7f2e418072a392df54aa978c65e4626b0a8dac1e5388d4018a77b1ee5ed70fc528bc787db5a741e4d9acba147ca3b15a73d |
\Windows\system\NauGehs.exe
| MD5 | 0d123aab921caaaa6a6e0d6d55810a2b |
| SHA1 | ba2122b0818af4ad8803ea3e2e60fff90d85b966 |
| SHA256 | c227093c69de2a053decbd8d32f8884f58f2cbb12b2d09c83fd806f411f6b55b |
| SHA512 | 59f360180b95c3b0a7a3a74ef1d568c05d00814fcccdae8ca1aa0f65c82db8180a8194be17ea9925568b99c8ca9cb572b7cc8a25a047d4e750366717a4d53cec |
memory/1152-123-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2848-124-0x000000013FE90000-0x00000001401E4000-memory.dmp
C:\Windows\system\XnGOrxn.exe
| MD5 | cb042f2fbb042e25d4c462a318bbc00f |
| SHA1 | 403694ee324a1577a05973bc2b5a79c27b24b7f0 |
| SHA256 | 237ecc918d5bf4726e7ee6f1c5928d2d7d0f24b0a651e84e8e70ac661fb0409d |
| SHA512 | c26bcd051a70755aaa3ef5bdd4ed46c8823718a420ca71dca91b416653f8a8c15668289c6099aeed556546621376ee4615dd8b6c33377902334ce94623ec7569 |
\Windows\system\nooleCK.exe
| MD5 | 6859c00ce6523af6efb69de2f42d30a9 |
| SHA1 | a3e61a3d3692889c44ebe4b524e1351d375ada33 |
| SHA256 | 4aa2f50fdad802530876abf60c56eb0ec844f09106c25b6c1dc0a6a38d558ac5 |
| SHA512 | 8f21986ba3b865bc5420b944f666788760af1ce1f7b241af06758c36fb871a0d042920a1bd4610c73e76347f1096059389631256362725a402b420c87f150ac3 |
C:\Windows\system\AsswDPL.exe
| MD5 | 0609fab9c695eb18e501461fcdd7fd5b |
| SHA1 | c4432e2288496c803cf1974e7226b4a7f1878a62 |
| SHA256 | 64efbb391992c4cad0ce8ff3b969d83fb90bda9d127e19f4929ec7e9a6a13a36 |
| SHA512 | 6dab5fd426e6f6914d8ff9c817b4e98a347b9fcc286371aa4b295968509f1f489601c76b5f211d024d93be3da098bf42931d9d8f7154aa6dfb2963b86457e31c |
C:\Windows\system\bObNrGU.exe
| MD5 | f0b29fdf636876b882108cd662c12019 |
| SHA1 | c91c739380772a30c94816387a4e27834678c9b3 |
| SHA256 | 1c939acc3e46560a689d1a15e5ecb43ab330d96cdaabd51a8310d089b8ea4357 |
| SHA512 | d711939384cdba94a7303247505875607d787782e288ea5030f375418171de9a7f69223f00f374321a84f0bce4e3116c1ec4c0a65d73beba033962988db94e70 |
memory/1152-125-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2908-115-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/1152-121-0x0000000002340000-0x0000000002694000-memory.dmp
C:\Windows\system\ynFooWL.exe
| MD5 | 9c59a74c603aaffaa840242242d0a8b9 |
| SHA1 | 765dd9571bc6d2dda9c276e651182745fdf2dd01 |
| SHA256 | 1ec3ae2f2dde71128b5951b47b7f14c2b24e2de56756af6e93b301d550625120 |
| SHA512 | bc4984c7bbcaa7ffa1088055a4ac56afe2e90c767795896a7462d0b048c466e277b780f5ebed5d9f603326d1db3fb4738826d62d6ae8e0897c8309b38ffb7517 |
memory/3000-102-0x000000013F500000-0x000000013F854000-memory.dmp
memory/1744-98-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/1152-144-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/1152-145-0x0000000002340000-0x0000000002694000-memory.dmp
memory/2376-146-0x000000013F630000-0x000000013F984000-memory.dmp
memory/1152-147-0x0000000002340000-0x0000000002694000-memory.dmp
memory/2228-148-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2236-149-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/1704-150-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2824-151-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/3000-152-0x000000013F500000-0x000000013F854000-memory.dmp
memory/1744-153-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2508-154-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2908-155-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2636-156-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2644-157-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2540-158-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2480-159-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2376-160-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2848-161-0x000000013FE90000-0x00000001401E4000-memory.dmp
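The Files and Network sections above are the part of this report worth machine-reading: each dropped file carries four hashes, each memory dump name encodes PID, dump index and region bounds, and each network row is one flow. The following parser is an added example, not the sandbox's own export tooling. REPORT_EXCERPT is copied from the behavioral1 listing (two dropped files, three memory dumps and three network rows, one of them in the raw exported form where an empty Domain column lets the protocol slide left); the parser locates network cells by content rather than position so it tolerates either alignment. Grouping the memory dumps by region size is the useful extra: every 0x13Fxxxxxx region across all PIDs is 0x354000 bytes, consistent with each dropped process mapping the same packed image.

```python
"""Parse the Files and Network layout used on this page into structured IOCs.

Added example, not the sandbox's own export tooling. REPORT_EXCERPT is copied
from the behavioral1 section (two dropped files, three memory dumps and three
network rows, including one row in the misaligned form of the raw export).
"""
import re

REPORT_EXCERPT = r"""
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp
memory/1152-0-0x000000013F410000-0x000000013F764000-memory.dmp
memory/1152-1-0x0000000000180000-0x0000000000190000-memory.dmp
\Windows\system\WNPfmgp.exe
| MD5 | d92fa9bcbaedcbfded5783fc4bdfbc2e |
| SHA1 | 05ef28d4c60e81ceaf4d131e20272b9cc25420c9 |
| SHA256 | bb6fa71e0c2e3ce539682c212d960bb541199b86fde22b486e234f6dee6935e6 |
| SHA512 | 68e472c4a1d6d878bd7ff3ddf1edf7570ef639120c26248b381664d3b4b5f67b6fcb2d701c9dd00346138ae180e579bb3eaf01331e4511d7cddb89bc7466268c |
memory/2228-7-0x000000013FDF0000-0x0000000140144000-memory.dmp
C:\Windows\system\NhQlQDM.exe
| MD5 | 328a92ba49457b65ef0bb14872325016 |
| SHA1 | c0b80f3c243d95a328c90ebc716b486599fbe9ec |
| SHA256 | 9fe79c4a391cc0c9c2ef4c2607c08c1c2abad986ded942007933468ba605418f |
| SHA512 | bda0311d4d09b84b34a5cc70ec542a7a4cae9025c4a0e0d4156449e06dc15df73c61c6e295efcbd576125d48f56182be033953b5115d8f75b6d5932e830d2ed5 |
"""

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
MEMDUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# dropped-file lines: a Windows path ending in .exe/.dll, with or without a drive letter
PE_PATH = re.compile(r"^(?:[A-Za-z]:)?\\.+\.(?:exe|dll)$", re.IGNORECASE)
ENDPOINT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")
HASH_ALGOS = {"MD5", "SHA1", "SHA256", "SHA512"}


def _cells(line):
    return [c.strip() for c in line.strip("|").split("|")]


def parse_report(text):
    files, regions, network = [], [], []
    current = None                      # the file entry that following hash rows belong to
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = MEMDUMP.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "index": int(m[2]),
                            "start": start, "size": end - start})
            continue
        if line.startswith("|"):
            cells = _cells(line)
            if cells[0].upper() in HASH_ALGOS and current is not None:
                current[cells[0].lower()] = cells[1].lower()
                continue
            # network rows: find cells by content, because rows with an empty
            # Domain column may have the protocol shifted one cell to the left
            dest = next((c for c in cells if ENDPOINT.match(c)), None)
            if dest is None:
                continue                # table header, signature row or hash row without a file
            proto = next((c.lower() for c in cells if c.lower() in ("tcp", "udp")), "")
            others = [c for c in cells if c and c != dest and c.lower() not in ("tcp", "udp")]
            network.append({"country": others[0] if others else "",
                            "dest": dest, "proto": proto,
                            "domain": others[1] if len(others) > 1 else ""})
            continue
        if PE_PATH.match(line):
            current = {"path": line}
            files.append(current)
    return {"files": files, "regions": regions, "network": network}


def connections_by_destination(parsed):
    """Flow count per (destination, protocol); the DE endpoint stands out as the only non-DNS, non-CDN peer."""
    counts = {}
    for n in parsed["network"]:
        key = (n["dest"], n["proto"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def region_sizes(parsed):
    """Histogram of dumped region sizes; identical sizes across PIDs point at the same image."""
    sizes = {}
    for r in parsed["regions"]:
        sizes[r["size"]] = sizes.get(r["size"], 0) + 1
    return sizes


def sha256_blocklist(parsed):
    return sorted(f["sha256"] for f in parsed["files"] if "sha256" in f)


if __name__ == "__main__":
    p = parse_report(REPORT_EXCERPT)
    print(connections_by_destination(p))
    print({hex(k): v for k, v in region_sizes(p).items()})
    print("\n".join(sha256_blocklist(p)))
```

Run against the whole page rather than the excerpt, the same code yields 21 SHA-256 values for behavioral1 (one per dropped executable) and a single non-DNS, non-Microsoft destination, 3.120.209.58:8080 over TCP, which is the indicator to pivot on; the in-addr.arpa lookups and the bing.com traffic in behavioral2 are Windows 10 background noise from the sandbox image.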
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 12:32
Reported
2024-06-06 12:35
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader (21 matches; indicator details not exported)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts (21 matches; indicator details not exported)
UPX dump on OEP (original entry point) (64 matches; indicator details not exported)
XMRig Miner payload (64 matches; indicator details not exported)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\MQzhqEM.exe | N/A |
| N/A | N/A | C:\Windows\System\zjptahN.exe | N/A |
| N/A | N/A | C:\Windows\System\UFWwZPD.exe | N/A |
| N/A | N/A | C:\Windows\System\wIKDZpF.exe | N/A |
| N/A | N/A | C:\Windows\System\pTtWfjo.exe | N/A |
| N/A | N/A | C:\Windows\System\fkCfrYU.exe | N/A |
| N/A | N/A | C:\Windows\System\xLDDAvr.exe | N/A |
| N/A | N/A | C:\Windows\System\kZfvKCw.exe | N/A |
| N/A | N/A | C:\Windows\System\HqouYBP.exe | N/A |
| N/A | N/A | C:\Windows\System\GgFGtAb.exe | N/A |
| N/A | N/A | C:\Windows\System\pNYcRiF.exe | N/A |
| N/A | N/A | C:\Windows\System\cqRiyVD.exe | N/A |
| N/A | N/A | C:\Windows\System\kGVGcjP.exe | N/A |
| N/A | N/A | C:\Windows\System\uUVgoVx.exe | N/A |
| N/A | N/A | C:\Windows\System\BDHDmeP.exe | N/A |
| N/A | N/A | C:\Windows\System\PJihGwb.exe | N/A |
| N/A | N/A | C:\Windows\System\XQUxJVC.exe | N/A |
| N/A | N/A | C:\Windows\System\IyNkLtg.exe | N/A |
| N/A | N/A | C:\Windows\System\bZvOLkv.exe | N/A |
| N/A | N/A | C:\Windows\System\PfvKVSE.exe | N/A |
| N/A | N/A | C:\Windows\System\FHZkPdE.exe | N/A |
UPX packed file (64 matches; indicator details not exported)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\MQzhqEM.exe | C:\Windows\System\MQzhqEM.exe |
| C:\Windows\System\zjptahN.exe | C:\Windows\System\zjptahN.exe |
| C:\Windows\System\UFWwZPD.exe | C:\Windows\System\UFWwZPD.exe |
| C:\Windows\System\wIKDZpF.exe | C:\Windows\System\wIKDZpF.exe |
| C:\Windows\System\pTtWfjo.exe | C:\Windows\System\pTtWfjo.exe |
| C:\Windows\System\fkCfrYU.exe | C:\Windows\System\fkCfrYU.exe |
| C:\Windows\System\xLDDAvr.exe | C:\Windows\System\xLDDAvr.exe |
| C:\Windows\System\kZfvKCw.exe | C:\Windows\System\kZfvKCw.exe |
| C:\Windows\System\HqouYBP.exe | C:\Windows\System\HqouYBP.exe |
| C:\Windows\System\GgFGtAb.exe | C:\Windows\System\GgFGtAb.exe |
| C:\Windows\System\pNYcRiF.exe | C:\Windows\System\pNYcRiF.exe |
| C:\Windows\System\cqRiyVD.exe | C:\Windows\System\cqRiyVD.exe |
| C:\Windows\System\kGVGcjP.exe | C:\Windows\System\kGVGcjP.exe |
| C:\Windows\System\uUVgoVx.exe | C:\Windows\System\uUVgoVx.exe |
| C:\Windows\System\BDHDmeP.exe | C:\Windows\System\BDHDmeP.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8 |
| C:\Windows\System\PJihGwb.exe | C:\Windows\System\PJihGwb.exe |
| C:\Windows\System\XQUxJVC.exe | C:\Windows\System\XQUxJVC.exe |
| C:\Windows\System\bZvOLkv.exe | C:\Windows\System\bZvOLkv.exe |
| C:\Windows\System\IyNkLtg.exe | C:\Windows\System\IyNkLtg.exe |
| C:\Windows\System\PfvKVSE.exe | C:\Windows\System\PfvKVSE.exe |
| C:\Windows\System\FHZkPdE.exe | C:\Windows\System\FHZkPdE.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1108-0-0x00007FF78F3A0000-0x00007FF78F6F4000-memory.dmp
memory/1108-1-0x00000221A5FD0000-0x00000221A5FE0000-memory.dmp
C:\Windows\System\MQzhqEM.exe
| MD5 | c1a3282377cb82b098504514594e7b43 |
| SHA1 | 271ad2dad4f9d8e418172e74bc99a41623daacac |
| SHA256 | 61f25f5fced1a67677ae58548b41ff4f12e65cfc08c27d5d2b18501cc41351fa |
| SHA512 | dc92a36160eefadc40a483c82f1a692df8592a338a134f4be0a91edc44acb1863e6b0ea64f6a7e6c6debdcf307bd29ec56445eeb105c61dbec25655d5cd8ff5b |
C:\Windows\System\zjptahN.exe
| MD5 | ed34ec9c9e37632c5b693959106c9140 |
| SHA1 | e1741e9c07cf026e678c0e229914e504d43e8d19 |
| SHA256 | 557586d64eb33d42384d6840f5ceedc356b518f301a23c9c37d4ab758dc07c04 |
| SHA512 | 1abe4c1cb603e6c80027419b6c7a101398717a5220aeaa00b1e388fe7616c70771d9a4534bac555255090e346c9f42af3ced84e6d73c873a47e545eddb48a7a6 |
C:\Windows\System\UFWwZPD.exe
| MD5 | bddfe9926862cf33dc2f98c828c7097f |
| SHA1 | ef092d26f23571f81d6e4bd50779045232bdb509 |
| SHA256 | 011e117044d88cc031d49b8e19d5e7d7aba4bc79f2e52caadc4d36766ed91e5a |
| SHA512 | 3a48405ea2a5dc5da6bd0862a22829dda13a3478dc8c7df6b9d6a44e49ea6f93782caa8522b594b0cd624581a0a1435b0d833ce6c12ff73dcc1f27ae1ad93a9b |
memory/2328-8-0x00007FF67EC20000-0x00007FF67EF74000-memory.dmp
memory/3864-19-0x00007FF73B3D0000-0x00007FF73B724000-memory.dmp
C:\Windows\System\wIKDZpF.exe
| MD5 | d8400061133f489eaf9973073f70ee8b |
| SHA1 | d862dc995022c4725a5a5ed5acdfbea0753b944d |
| SHA256 | 494a922d1015cae3363664c84149479bab4f6e72d20ce45680bcfbf86c8cc9d8 |
| SHA512 | 8ef4e334599c487e63c8fe22a929dc1407aecf9ee7fddd393b631af0f051b0638c5961f716b3d35722b5f4658313b3d5bddbcbd85454e5a4cad5312c1479b432 |
memory/896-26-0x00007FF694C40000-0x00007FF694F94000-memory.dmp
memory/1396-17-0x00007FF74C8C0000-0x00007FF74CC14000-memory.dmp
C:\Windows\System\pTtWfjo.exe
| MD5 | 9a340f66cbbcf59ef4cbc66245c703ee |
| SHA1 | 23983279481c10bb4dd0aeb39cac01001718be3e |
| SHA256 | 5818b75d0d99885ad62aeeec608f25c884e3e7482fb6d0138047da3e77a03318 |
| SHA512 | 38f41fd0b06d015c70ca35df8c49fe49a616a1429dcb8ccc94e68473812092b20d01552b37e00e9bc9075e0a95e0934370c6d8a81a5ca522ca6c0d8d23d0ab16 |
memory/2288-32-0x00007FF7F1720000-0x00007FF7F1A74000-memory.dmp
C:\Windows\System\fkCfrYU.exe
| MD5 | 4cb2b26e484f3678bbe69c168a815129 |
| SHA1 | bc50afc39c329e520a83b25aa53ba4fc955afa40 |
| SHA256 | a128df34fa8ffcc58f3c86c6db0635490f9df43680e33b86429c70760ef2cecc |
| SHA512 | 50b907b472b6e62f2f5f12327358a5f69f73febb58a7b6d987b0e05c6e4900e8cb32a00af4fa97884c99f8187bef0ffbab4d6091bf9f4db0a8f486115efa16e5 |
memory/3940-37-0x00007FF6CEF40000-0x00007FF6CF294000-memory.dmp
C:\Windows\System\xLDDAvr.exe
| MD5 | 09e80afbaba58650bf99d2959d66555f |
| SHA1 | e12cb8cd726c03a24194ff504071e1a20b496aeb |
| SHA256 | f43d486bedbf06a51cb2f5f19ae6c9f7e857d7ae35c9b94797d3fbc60c5147c5 |
| SHA512 | e2a68df2cbbfbe8f5bc82b34c5041eab55e54a969c1123440924d6bc70c6282c1ded364c5b15a1ba357d8f55b538ae4c55e864ae491840f40d4d95a6c66487a7 |
memory/2056-42-0x00007FF69DB30000-0x00007FF69DE84000-memory.dmp
C:\Windows\System\kZfvKCw.exe
| MD5 | 3e51d58bbceb2ee1f85d2bec36f074c1 |
| SHA1 | 6b131fccd20c16b3ec04c64b3f55b74a38d928f1 |
| SHA256 | 20ef1762c10a483f5f2ce3fa1c872fdfdb2d18895d9ed169f858c1ec0a1ecf08 |
| SHA512 | f79f51e448e9ac7860b7dbbfc96994611f38bfe6da588fe279224f84a11d25163e6a78026aecf5b12f01d6632e2874428a5911e2ab5c1ff42da4e93b84ec7b41 |
memory/1644-49-0x00007FF631FD0000-0x00007FF632324000-memory.dmp
C:\Windows\System\HqouYBP.exe
| MD5 | 97080e0d48dcbafdbd1aa5b3b4fe19ea |
| SHA1 | 4c351c4c5324d7f73f4c4cde24110e881e4dc154 |
| SHA256 | d2463923841a5d588216e69d36661310c79792fbaaca02cec8da8f8ec7652c51 |
| SHA512 | 7e1edfeecfa5730a49f0cba53041044987214ae9f5fb91a2ba7259b485e344f5ad16d5c71aa1f9a05e2a587c73d2e805a87959b589a9cd8016d7fd3771f1dc9d |
C:\Windows\System\pNYcRiF.exe
| MD5 | 8ba52077a740076ac3c33630be9b25c2 |
| SHA1 | b03e788db166230432b1b57d6ad5cb0c2f3808e9 |
| SHA256 | 938fd61db48b6ad1f8c1715ec9064a66e39d98f1615469141ef9ce44fe0b7a9a |
| SHA512 | 987104135f85dd5d9ddfea2864d3af43d0a5347659cfbf032df89e8b3ff4ffe4886e4d0954f76788ee58523a887243b64d0d60ce53810b85587d77c4f98d6243 |
memory/1108-62-0x00007FF78F3A0000-0x00007FF78F6F4000-memory.dmp
C:\Windows\System\cqRiyVD.exe
| MD5 | 9dc5db0391f057deaf335e8841d8b698 |
| SHA1 | ebe602f5bc3121dd73bffe8b543ac0fc2aaf9f6d |
| SHA256 | a4fd8b3ced243a30fa7beab225738cc46a46377d91db0a8b66614601f87da6ed |
| SHA512 | d91c413401ac6dea48790e843ca4ce8146651b86ca8b9a473f37e07fb46ed40b2ceba8d3f406d7e4533109267799aaf8a358f4e170025ddbb45b7af4b81dc915 |
C:\Windows\System\uUVgoVx.exe
| MD5 | 208a7d200de09d5f3bd8c5c41f281b0f |
| SHA1 | fe2c0b97fad4814eff23fdd6acebda1fcf7ababf |
| SHA256 | 6c21822cd43caf0c1dcf7de5a0e2f9fd341cdbadc70d093dd292816d6322ae96 |
| SHA512 | a82ae0641fd8a59f82c99ab21511d428a6b9ba787d8ef870c025757a534f279efa60b034d6e7a9619d1bcaa329d8b375139fb98a24f8e86915ccb0c9fbcddc67 |
C:\Windows\System\kGVGcjP.exe
| MD5 | 999a8becd52f2c9b169e563640b63825 |
| SHA1 | 15651e2f1c7a9076fc85457cc327d31a14719e04 |
| SHA256 | 8a139fd9518283a2d9e7d065b7e9b0c46c10c5a6605b4f222ad697a102efeefe |
| SHA512 | 279bc224aaad15bad1d171a18fbec237201865fb8e5b0a979c3afeb052b591a2278551dc5325e43c0d0a107897ac859235fb1a1ff0e4d7f39c7105104c3a9cd6 |
memory/1292-85-0x00007FF64DAE0000-0x00007FF64DE34000-memory.dmp
memory/2328-87-0x00007FF67EC20000-0x00007FF67EF74000-memory.dmp
memory/640-88-0x00007FF768320000-0x00007FF768674000-memory.dmp
memory/4676-86-0x00007FF6038A0000-0x00007FF603BF4000-memory.dmp
memory/3604-82-0x00007FF7C4AB0000-0x00007FF7C4E04000-memory.dmp
memory/4984-79-0x00007FF6154B0000-0x00007FF615804000-memory.dmp
memory/4148-60-0x00007FF7E1000000-0x00007FF7E1354000-memory.dmp
C:\Windows\System\GgFGtAb.exe
| MD5 | f1d8da22fb824fbfc9c65316f31dfe74 |
| SHA1 | 6e77d49c00b568d9731b1a9775317bc7daef5a28 |
| SHA256 | 11f40b182ad36125445f8d61005acc9e71ec9c5903504c3bbbbea88e3e248a96 |
| SHA512 | 2cff13c834bca0dfe0fc0d9d8ccfba004d577ef273a197c20c36d67621a86a370d15fe6e48a976c3081b668b1db0258b516ea9352d070dc94e8a3bbe0b6c9830 |
C:\Windows\System\BDHDmeP.exe
| MD5 | 7713eb7c743271347693c3aed397ba97 |
| SHA1 | d92d59dfbd2bfe28ab08958416ae8b59e12e70c9 |
| SHA256 | c4f277cbf3f1b9c8cb25ddbd181bfeb188918ac532fae1658c9cb756330f9de0 |
| SHA512 | d371ba868ed40c35911a5ef82c0caace34335476d3e018c55af73bddea7354190441c47ceb4bcd809ddf1f8cfbd396e44acc4dde9b934bf999b894ffc4d09c12 |
memory/384-92-0x00007FF6568C0000-0x00007FF656C14000-memory.dmp
C:\Windows\System\PJihGwb.exe
| MD5 | 35765bb01bba34d5fb3af92f4e617f1d |
| SHA1 | 41dcafd5dcee0d3b444dee20ef6ec57dc1780363 |
| SHA256 | e0d0aebdfc2b50f3da3e4f0a66f1d9fd631d2f6289ae915fc9b2cb7a5dd145e9 |
| SHA512 | 8397e812fb206066a859c913d4bf465d5b8fedf370b12c4bdca3b7edfed98a41b13d4ec082e9f124e97ccb6abf29062f1be725e03b776fcc9d10f232e953847e |
memory/4308-101-0x00007FF74F800000-0x00007FF74FB54000-memory.dmp
memory/3864-100-0x00007FF73B3D0000-0x00007FF73B724000-memory.dmp
C:\Windows\System\XQUxJVC.exe
| MD5 | ade896e0734f2240bf34ba181db3f306 |
| SHA1 | a3ea6ca29ade5e0afac65e5aeebc3c4806ca421f |
| SHA256 | 7faec22642a94b0eca6033b5e41f92fe2901725f0f2be4bddd7acc92c793e25d |
| SHA512 | 045275ffb8a75b85ce7d0b6898548a6620ee9b0b68440e5bafeaff235949c0d78071107c155a67fc2b252d00af2a6ee62f05f2646e6b40c9a34c7402d21671b9 |
memory/896-107-0x00007FF694C40000-0x00007FF694F94000-memory.dmp
memory/3544-112-0x00007FF664010000-0x00007FF664364000-memory.dmp
C:\Windows\System\IyNkLtg.exe
| MD5 | 14a6d63ca8a083384d9cde9c3f02819a |
| SHA1 | 521a7d61910a1d1ba5b850146451297fde4c81a5 |
| SHA256 | 9cf67080b2972a66bbda2e9778f9cc7458bc261a0d99eebc6ae32569d7f24779 |
| SHA512 | ef172ec2b4627db00c8706fe132e4afae3b9a68a2c27ccc58fe10af31c5589a3533efffa353fde7cbbfa0b754f97817e69405f29df733d30701dc473ed17f382 |
memory/3652-122-0x00007FF65E190000-0x00007FF65E4E4000-memory.dmp
C:\Windows\System\bZvOLkv.exe
| MD5 | c0ef00cd4cd6c6f14766a260707afec9 |
| SHA1 | 07a178942bba515440891acd01f684ad7222e885 |
| SHA256 | cf19c3269d9a2f08a0cba37226bbbc01713e7d9740c9c807ba5deb3400c5ffe6 |
| SHA512 | 80f3858230f9c1a085546f5d82b09dabf46c603154fa777126829ec341d3a662f1b27db10ebf74b568dd3fe40db5c3e9163d4df4fcc7a2779f929a9fa3161335 |
C:\Windows\System\FHZkPdE.exe
| MD5 | 4d9afdab21f017c3f0f23f34f63b18c7 |
| SHA1 | a26e7227cf889b596e06f6bea741141e1c24372b |
| SHA256 | d9b8a438b3d23cbec59225f6142428b89dea3d0a80a9f9a9fc44e8692204201c |
| SHA512 | b6b03b9c27824a811cbe72446f5b199a5f80e497c3c408736600274e9b4934624fdf2a7ff021cc465bf34648c0b63240967aaa12fd28e692cb27849dac8738a5 |
memory/3940-125-0x00007FF6CEF40000-0x00007FF6CF294000-memory.dmp
memory/4704-123-0x00007FF7C97F0000-0x00007FF7C9B44000-memory.dmp
C:\Windows\System\PfvKVSE.exe
| MD5 | 2e4038fd3ec1245b3eb7964d76ecb341 |
| SHA1 | f5f4c13b519cb5ba882e9d61e21242d0a5a6ab31 |
| SHA256 | eee736eb9d6ecf88818ce208723f57eb6d251feccfed7916c37401ad1ab0d1c9 |
| SHA512 | 16730f55357764b536853cc6879a4b7d53f256156793623813f68119e9e12c0117df279942f65c9be9e3a4db571321b3d58c9f7f539bfb9a3c13b5a1a937eca8 |
memory/2056-132-0x00007FF69DB30000-0x00007FF69DE84000-memory.dmp
memory/4540-133-0x00007FF7BB610000-0x00007FF7BB964000-memory.dmp
memory/2868-131-0x00007FF6B0480000-0x00007FF6B07D4000-memory.dmp
memory/384-134-0x00007FF6568C0000-0x00007FF656C14000-memory.dmp
memory/3652-135-0x00007FF65E190000-0x00007FF65E4E4000-memory.dmp
memory/4704-136-0x00007FF7C97F0000-0x00007FF7C9B44000-memory.dmp
memory/2328-137-0x00007FF67EC20000-0x00007FF67EF74000-memory.dmp
memory/1396-138-0x00007FF74C8C0000-0x00007FF74CC14000-memory.dmp
memory/3864-139-0x00007FF73B3D0000-0x00007FF73B724000-memory.dmp
memory/896-140-0x00007FF694C40000-0x00007FF694F94000-memory.dmp
memory/2288-141-0x00007FF7F1720000-0x00007FF7F1A74000-memory.dmp
memory/3940-142-0x00007FF6CEF40000-0x00007FF6CF294000-memory.dmp
memory/2056-143-0x00007FF69DB30000-0x00007FF69DE84000-memory.dmp
memory/4148-145-0x00007FF7E1000000-0x00007FF7E1354000-memory.dmp
memory/1644-144-0x00007FF631FD0000-0x00007FF632324000-memory.dmp
memory/4984-146-0x00007FF6154B0000-0x00007FF615804000-memory.dmp
memory/4676-147-0x00007FF6038A0000-0x00007FF603BF4000-memory.dmp
memory/3604-148-0x00007FF7C4AB0000-0x00007FF7C4E04000-memory.dmp
memory/1292-149-0x00007FF64DAE0000-0x00007FF64DE34000-memory.dmp
memory/640-150-0x00007FF768320000-0x00007FF768674000-memory.dmp
memory/384-151-0x00007FF6568C0000-0x00007FF656C14000-memory.dmp
memory/4308-152-0x00007FF74F800000-0x00007FF74FB54000-memory.dmp
memory/3544-153-0x00007FF664010000-0x00007FF664364000-memory.dmp
memory/2868-154-0x00007FF6B0480000-0x00007FF6B07D4000-memory.dmp
memory/3652-155-0x00007FF65E190000-0x00007FF65E4E4000-memory.dmp
memory/4704-156-0x00007FF7C97F0000-0x00007FF7C9B44000-memory.dmp
memory/4540-157-0x00007FF7BB610000-0x00007FF7BB964000-memory.dmp