Analysis Overview
SHA256: f74f0a97b1e86ebfa6fae4e0fa60952293e0097a5ad79fadffca25b30d95c7d2
Threat Level: Known bad
The file 2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Cobaltstrike
Cobalt Strike reflective loader
Cobaltstrike family
Xmrig family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported: 2024-06-08 17:26
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-08 17:26
Reported: 2024-06-08 17:29
Platform: win7-20240221-en
Max time kernel: 142s
Max time network: 147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System\Dvqqdhf.exe | N/A |
| N/A | N/A | C:\Windows\System\EDWvJaf.exe | N/A |
| N/A | N/A | C:\Windows\System\fZOBlLx.exe | N/A |
| N/A | N/A | C:\Windows\System\GPbBkjg.exe | N/A |
| N/A | N/A | C:\Windows\System\JLZLIlB.exe | N/A |
| N/A | N/A | C:\Windows\System\pqJVxam.exe | N/A |
| N/A | N/A | C:\Windows\System\CLHEVnK.exe | N/A |
| N/A | N/A | C:\Windows\System\ddfmXfw.exe | N/A |
| N/A | N/A | C:\Windows\System\xotMHfV.exe | N/A |
| N/A | N/A | C:\Windows\System\LomkydL.exe | N/A |
| N/A | N/A | C:\Windows\System\OnIkhbd.exe | N/A |
| N/A | N/A | C:\Windows\System\MgDbiLF.exe | N/A |
| N/A | N/A | C:\Windows\System\KXHRRhp.exe | N/A |
| N/A | N/A | C:\Windows\System\idQXdew.exe | N/A |
| N/A | N/A | C:\Windows\System\PtTNCir.exe | N/A |
| N/A | N/A | C:\Windows\System\HqiNHSD.exe | N/A |
| N/A | N/A | C:\Windows\System\mtiQutW.exe | N/A |
| N/A | N/A | C:\Windows\System\hXKoNgq.exe | N/A |
| N/A | N/A | C:\Windows\System\KaLQPTW.exe | N/A |
| N/A | N/A | C:\Windows\System\KTzNjQj.exe | N/A |
| N/A | N/A | C:\Windows\System\AcBQSrx.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\Dvqqdhf.exe
C:\Windows\System\Dvqqdhf.exe
C:\Windows\System\EDWvJaf.exe
C:\Windows\System\EDWvJaf.exe
C:\Windows\System\fZOBlLx.exe
C:\Windows\System\fZOBlLx.exe
C:\Windows\System\GPbBkjg.exe
C:\Windows\System\GPbBkjg.exe
C:\Windows\System\JLZLIlB.exe
C:\Windows\System\JLZLIlB.exe
C:\Windows\System\pqJVxam.exe
C:\Windows\System\pqJVxam.exe
C:\Windows\System\CLHEVnK.exe
C:\Windows\System\CLHEVnK.exe
C:\Windows\System\ddfmXfw.exe
C:\Windows\System\ddfmXfw.exe
C:\Windows\System\xotMHfV.exe
C:\Windows\System\xotMHfV.exe
C:\Windows\System\LomkydL.exe
C:\Windows\System\LomkydL.exe
C:\Windows\System\OnIkhbd.exe
C:\Windows\System\OnIkhbd.exe
C:\Windows\System\MgDbiLF.exe
C:\Windows\System\MgDbiLF.exe
C:\Windows\System\KXHRRhp.exe
C:\Windows\System\KXHRRhp.exe
C:\Windows\System\idQXdew.exe
C:\Windows\System\idQXdew.exe
C:\Windows\System\PtTNCir.exe
C:\Windows\System\PtTNCir.exe
C:\Windows\System\HqiNHSD.exe
C:\Windows\System\HqiNHSD.exe
C:\Windows\System\mtiQutW.exe
C:\Windows\System\mtiQutW.exe
C:\Windows\System\hXKoNgq.exe
C:\Windows\System\hXKoNgq.exe
C:\Windows\System\KaLQPTW.exe
C:\Windows\System\KaLQPTW.exe
C:\Windows\System\KTzNjQj.exe
C:\Windows\System\KTzNjQj.exe
C:\Windows\System\AcBQSrx.exe
C:\Windows\System\AcBQSrx.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1676-0-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/1676-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\Dvqqdhf.exe
| MD5 | 5adb7c312bbd554b5fc2687335a45561 |
| SHA1 | 094a035953248a60117690c670d6595c4d49134d |
| SHA256 | 14280bc60a860401a06ba506ca731f3b6683921c456ac3346b9d61df24d03ee3 |
| SHA512 | f0cf3c2450fad8b39283db61b155f705002d2a3c563633e3c485cbfed233e7a6c0774ed88436344e41e85859db8b275c1ec651cd88db50e55768e947ae6d158d |
memory/1676-6-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/1676-11-0x000000013F470000-0x000000013F7C4000-memory.dmp
memory/1924-10-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
\Windows\system\EDWvJaf.exe
| MD5 | fc1cc4ed75000d49ac57c15151da9a23 |
| SHA1 | 0831ad3c3a889d7b528cbffc0dd5da8c79f1e76d |
| SHA256 | 1a6858749d414b91c879df867736928b58bc361fc1011b865f722090a5d2115e |
| SHA512 | e8eaa04711cbead7124e0c545101c9945183cc7be39ecd0a5079790d3f5bb8e5be7c01b29b9c88e69b849a838db0ceb0ca38733509c2c4f4756014f37431e5c5 |
memory/2176-15-0x000000013F470000-0x000000013F7C4000-memory.dmp
C:\Windows\system\fZOBlLx.exe
| MD5 | 46a8b3c13dc34e2bb7f2b40b4c817748 |
| SHA1 | 283585ad0308dd424cc7dda8489a9df68855267d |
| SHA256 | 22875e32a1faa1ae240d32cc88d67f6afeb8cbd3c854211220985fb27abad14e |
| SHA512 | c2df1d706e3abd5526d90e38d2219be539994a415a18cd0564ca95b9570efb95f89f6d01c2a7d712138a3492c59ba20d27d10fd095630b8d19d915b9c58ba1b1 |
memory/1788-21-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/1676-20-0x000000013F910000-0x000000013FC64000-memory.dmp
C:\Windows\system\GPbBkjg.exe
| MD5 | 7a81435e6e0e6b16b5eea5d73915ef1b |
| SHA1 | 606a9f41c828b874f74ee5327b1d4ad2659e4545 |
| SHA256 | e07e6b5c667b029a187de9596baae00bccad03798a1c57df21816cb31dc3bfa1 |
| SHA512 | 505289827479b91d1ac3c21bf5894fbccf92871b9b8d19c4710f3f884e3d9723f4e1539a5893bc22a97a91ddf56cdd3d9a2499dbeb978f7b8f2059d7aa55ec97 |
memory/2620-28-0x000000013F510000-0x000000013F864000-memory.dmp
C:\Windows\system\pqJVxam.exe
| MD5 | bcabc0661c8e4045cad152e59c1b0fcb |
| SHA1 | 7cacf781d7aad5622d5c177f6f1bcdf000961cdd |
| SHA256 | 4a7a124f7b322c84b20b831bc8705d5e5140df0fd3b977eb39dc0c9cd9f6ecf1 |
| SHA512 | b0821eaf29ae3b6d03e3406bea187a491c5fef78c50adc67571703e5e4979c329286f006e7742114b74b95236e61f079765edeab3b4b25474f47b2ae14eb65c7 |
memory/1676-54-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/2776-56-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/1676-70-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/1676-84-0x00000000023C0000-0x0000000002714000-memory.dmp
C:\Windows\system\HqiNHSD.exe
| MD5 | 2054866559794bbe814d99039314ab8f |
| SHA1 | 95a17df510756cf1966691729c53d3db529b2d61 |
| SHA256 | a0f19a183dd0f23ef3bf1b8df2ab82d8bdb8a6538f10c85271b747709145937f |
| SHA512 | e3608d3eb1ee0169be4a5e8458d3a8b4675cb6bbaae56bcb2667e4d2875ca58db94d86f6e3f45d6c4615847c2d5c24739ffab8cf5d758606ec2df5611c224b7f |
memory/1676-108-0x000000013F2F0000-0x000000013F644000-memory.dmp
C:\Windows\system\KaLQPTW.exe
| MD5 | 3dff2c5940d3bcb2b88a60d28d2e652c |
| SHA1 | 3365724c6de8a8d399f0ce1a064634581c78c4e0 |
| SHA256 | 85f293a6baf6289d202612da4c9aa50d5ae7b65e60f551c72e59d62abb5ee50e |
| SHA512 | f626504a84a5770d36ce2e7d4be6261d092ffb02ae9cedba6ccc0112dea648657c58e0759cbc31d16257772bcce99a48da8b2e42f9e0d02d61fc84ec8ce350ef |
C:\Windows\system\hXKoNgq.exe
| MD5 | 4812f37be94445fe12d70136bcc5bd3e |
| SHA1 | 5dc4c9ebd6aa983c714e1affabfb54840772646c |
| SHA256 | 20d6006b6ce6daa0698d56ae175d68ee7f8e3dac4b35feab21c55754f952e5a5 |
| SHA512 | d013463350f3880fe6567d0d8cf6ef34050901aaf860979f1e796be47a6258e44d56dbee264fd7179de57d9bbf7375d10206b7074428a2960e6daff67224991e |
C:\Windows\system\mtiQutW.exe
| MD5 | 670cfd38e51888547b8f902513dfcf72 |
| SHA1 | 5d9030bc6d4160b67849bd6559cf9da0625a3e19 |
| SHA256 | 97e2d75db129b14ea1bf6e24515adaf3542ab15f09b090a772ed62f71aec7f09 |
| SHA512 | 00d590100035d1cda45de730f498f11b62c7d617eef0c1d1c8f22a362f33f60877f0de9b91645567a8aa3323af9c6965d7bdaedcd88a1b4312a6a017943b5435 |
memory/2556-107-0x000000013FA10000-0x000000013FD64000-memory.dmp
C:\Windows\system\PtTNCir.exe
| MD5 | 004a5ab00c72dcf7535767decdfa03e5 |
| SHA1 | 0cf9b393affc1e1a716cef0f83d12b8b2263f4f6 |
| SHA256 | dd58cddf8b9bcb5b65939de2d937060fcd25ad40b906f6090c93c026b8d8acd5 |
| SHA512 | 7f9e05e28924505972074b1018b5f254bc873a6954f1bc177332a91ada30731cde80b369ea79fb563301a9c53c7921c6ed4ca533a5f9150f27da52bc3375099a |
memory/2700-128-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/2816-101-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/1676-100-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2796-94-0x000000013FEE0000-0x0000000140234000-memory.dmp
C:\Windows\system\idQXdew.exe
| MD5 | 8c48fab62d51fd0f47605d8c1f9e08bf |
| SHA1 | 1c67a36ed3f399ea3202451271c9c08eb6f8626c |
| SHA256 | 43a7c36503ba20b348157d4aa4aadd7c934e058239df33018f031ef1058a668f |
| SHA512 | a8011cee107c1acc6b76edfbaa30319b68bd76220b8da59e8541a7205839c440468700c334ed735f35f454036d928ac4b8e2aa88467a9b30858b76b574e654d1 |
memory/1676-93-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2620-92-0x000000013F510000-0x000000013F864000-memory.dmp
C:\Windows\system\KXHRRhp.exe
| MD5 | fb31433896d531c21a5601012f8b0859 |
| SHA1 | 05fe7c75eeb7fe627580f37123e8b327d8777675 |
| SHA256 | 3aff103ca0f97ec43f9c2fdbad1d25353b0e8d2cdb094de2baaaed2c21b7480f |
| SHA512 | cbbba40e507c87c5fedf3d31c05955f59c401ac7fb5f760fa5ee9eb3dd7180355f3796fbb506fbdbc161267914c593664c8a702a957a3f1c88a79b9d9dbfd3db |
memory/1800-85-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/1788-83-0x000000013F910000-0x000000013FC64000-memory.dmp
C:\Windows\system\MgDbiLF.exe
| MD5 | 1b0aa373af847254a3ee872034dcb73f |
| SHA1 | c8611410237eade90519cca982b8962147a3bedd |
| SHA256 | ae4cd96154f168dc3c611124c082a8b5ecee6d3c5894c5bf9b7fc85328315c0f |
| SHA512 | d518ff82ad75b797f4af711089b0eff084dbf36f132e128985e25769b557d026046b194375e6b0de79581adaed13dd38d8c9449432a432a10db01ae411b1bc02 |
memory/2380-77-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/1676-76-0x00000000023C0000-0x0000000002714000-memory.dmp
C:\Windows\system\OnIkhbd.exe
| MD5 | ddbe9d4a69a2fcc16e707d5b116d91fe |
| SHA1 | eaf72d29acbe1f5f5ea6cd9737864945932e15d6 |
| SHA256 | ed201b0e3634d401a7465e64d221ea0643ecce39b185b9fc7b3b9e7942b249e4 |
| SHA512 | 73f33e57276d793e7d6c91df67e1bbae4ae38894f267c6137a7b0e7420b7e46e765c4fa225ffdb6a3c51d2e4ed9dc0a1742a87cae49cf62c9d2002c78900183b |
memory/2436-71-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2596-64-0x000000013F810000-0x000000013FB64000-memory.dmp
C:\Windows\system\xotMHfV.exe
| MD5 | faae79a1effbfcdf067a0e169362c08f |
| SHA1 | 6d20ac9d7f77504877feb6b14704d9b6d9026c9e |
| SHA256 | bdd397cc8d4e4fe1ad4880b3836b9066ba1168ff487caac9ada302af0ccf9178 |
| SHA512 | 6646101ba79717052383385b31151c387001c57e5523031582041b15572480067d83c8c3d76224db132e82ddaebfca00d586bf1916064f4386adb5167f9f726e |
memory/1924-62-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/1676-61-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
C:\Windows\system\LomkydL.exe
| MD5 | dfa5ad145c822c8b4d88aa180d8ca6ba |
| SHA1 | d0ba3a89d1b3221ff16c6732946fa13fa98205b8 |
| SHA256 | c0670248d67d5bf0b2159a4ceaed04d6fc15b250f69b1192bbb8e5632b74df45 |
| SHA512 | f2a2f0e8a5c66c37988689a72e67fd2f5331b51c5fe233329e316f286a6ac637cb8ef209fe2798b157976764144c80a6179586988ff44d25d478abb145286ab9 |
memory/2776-129-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2700-49-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/1676-48-0x00000000023C0000-0x0000000002714000-memory.dmp
C:\Windows\system\CLHEVnK.exe
| MD5 | 6cc4873f248c6c46da589f5f8f409014 |
| SHA1 | cc6cc61c89954cea4494fade43f1636bbd09be59 |
| SHA256 | 0ec96c8274371ebcf578c67f492edea8405972ef677f5754aeadbe5822e7d645 |
| SHA512 | 68ed936aa36b5e58e9b9c1e45aab548678cc49085ca99f67236861ce323ef6743a04109d49d5d546a84590dca1855d364a80197b840764cc6ad3ae4d37dc60b2 |
C:\Windows\system\ddfmXfw.exe
| MD5 | bb69b1160b35e2b558e654f9352eac97 |
| SHA1 | 7863b013d5e78aa73cb3325cb0e373be5548a886 |
| SHA256 | c9ca11d64615ff11aeffdc8af6cb64c4ee68947ba188bbe668ce19b89431c1c0 |
| SHA512 | e982b38b97ac3fa8f93678888192952880d5af72f35cee02d7c32d83929c32f59d0c6086197da5ef01b70c9d6d6b5cf3f3d516666f8de0acadb66163d2d60b83 |
memory/2556-42-0x000000013FA10000-0x000000013FD64000-memory.dmp
memory/1676-41-0x000000013FA10000-0x000000013FD64000-memory.dmp
memory/2624-35-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/1676-34-0x000000013F8B0000-0x000000013FC04000-memory.dmp
C:\Windows\system\JLZLIlB.exe
| MD5 | 0af336a98182609ea1e21d11b9c56600 |
| SHA1 | 8dcfb8355b585cccbfd18c5f8ec151c4275adbe3 |
| SHA256 | c01809beff3d142a71415e760feb0334509c3592717d148d6c00c96cb317054f |
| SHA512 | 368f0b679ab06d7c2adca36fa9b0645231149d1a66007bcb9e2d8f5a8278a3125fc2d5ddb4d890c058fdc9a598968385ae675614960d53239e3ff7d10f03bb8c |
memory/1676-27-0x000000013F510000-0x000000013F864000-memory.dmp
\Windows\system\AcBQSrx.exe
| MD5 | 3f8b534d8cc1ec5d4c394b832d810913 |
| SHA1 | 0e81d206036c9673ec78b37589e8252056aa3f1d |
| SHA256 | 464fece0ed51b4c7adfdef6b8737a1f77b377c2559204ab19164b3f521deb0a6 |
| SHA512 | f688f21154eded22a46688d59121569aa1e2a148ea73c7e86c0eeadd68d57b462df2d9cf2f3655413082ecb30742e162b2ea4fbf50353229fc1b076adb7d63f5 |
C:\Windows\system\KTzNjQj.exe
| MD5 | 4879daa1f7f125c9926f06890d59047c |
| SHA1 | 78b517266bb0b75fe507f0c946ad9f33ac57d71f |
| SHA256 | 9d9c9712d1df01fddfca2e249e69bf7f52c278fa256e6a8d8ce740b1dfa2e458 |
| SHA512 | 7483f0ab7e622b1bfcc89becefaabf6fe5cc96b019b8de220adf81a19b459b50932bcc58a40bc0da686e494d6e89d493a6ccf6adefd59d1e11379e9b1b295ff5 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-08 17:26
Reported: 2024-06-08 17:29
Platform: win10v2004-20240508-en
Max time kernel: 148s
Max time network: 149s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System\ATWLSHn.exe | N/A |
| N/A | N/A | C:\Windows\System\jMcvHrq.exe | N/A |
| N/A | N/A | C:\Windows\System\whfWcAt.exe | N/A |
| N/A | N/A | C:\Windows\System\fPxqYHu.exe | N/A |
| N/A | N/A | C:\Windows\System\tkcQmEG.exe | N/A |
| N/A | N/A | C:\Windows\System\nZeijsa.exe | N/A |
| N/A | N/A | C:\Windows\System\saKUdxJ.exe | N/A |
| N/A | N/A | C:\Windows\System\KWuqaVb.exe | N/A |
| N/A | N/A | C:\Windows\System\vECpTFb.exe | N/A |
| N/A | N/A | C:\Windows\System\zNUcpYi.exe | N/A |
| N/A | N/A | C:\Windows\System\sTcTugj.exe | N/A |
| N/A | N/A | C:\Windows\System\MGHlCdW.exe | N/A |
| N/A | N/A | C:\Windows\System\EPjFpcw.exe | N/A |
| N/A | N/A | C:\Windows\System\FPCsXzi.exe | N/A |
| N/A | N/A | C:\Windows\System\QNrQHTH.exe | N/A |
| N/A | N/A | C:\Windows\System\yKBJsjA.exe | N/A |
| N/A | N/A | C:\Windows\System\WschQYr.exe | N/A |
| N/A | N/A | C:\Windows\System\kbnoEHd.exe | N/A |
| N/A | N/A | C:\Windows\System\ZALDYBx.exe | N/A |
| N/A | N/A | C:\Windows\System\vjSjnTe.exe | N/A |
| N/A | N/A | C:\Windows\System\pjtBKgg.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ATWLSHn.exe
C:\Windows\System\ATWLSHn.exe
C:\Windows\System\jMcvHrq.exe
C:\Windows\System\jMcvHrq.exe
C:\Windows\System\whfWcAt.exe
C:\Windows\System\whfWcAt.exe
C:\Windows\System\fPxqYHu.exe
C:\Windows\System\fPxqYHu.exe
C:\Windows\System\tkcQmEG.exe
C:\Windows\System\tkcQmEG.exe
C:\Windows\System\nZeijsa.exe
C:\Windows\System\nZeijsa.exe
C:\Windows\System\saKUdxJ.exe
C:\Windows\System\saKUdxJ.exe
C:\Windows\System\KWuqaVb.exe
C:\Windows\System\KWuqaVb.exe
C:\Windows\System\vECpTFb.exe
C:\Windows\System\vECpTFb.exe
C:\Windows\System\zNUcpYi.exe
C:\Windows\System\zNUcpYi.exe
C:\Windows\System\sTcTugj.exe
C:\Windows\System\sTcTugj.exe
C:\Windows\System\MGHlCdW.exe
C:\Windows\System\MGHlCdW.exe
C:\Windows\System\EPjFpcw.exe
C:\Windows\System\EPjFpcw.exe
C:\Windows\System\FPCsXzi.exe
C:\Windows\System\FPCsXzi.exe
C:\Windows\System\QNrQHTH.exe
C:\Windows\System\QNrQHTH.exe
C:\Windows\System\yKBJsjA.exe
C:\Windows\System\yKBJsjA.exe
C:\Windows\System\WschQYr.exe
C:\Windows\System\WschQYr.exe
C:\Windows\System\kbnoEHd.exe
C:\Windows\System\kbnoEHd.exe
C:\Windows\System\ZALDYBx.exe
C:\Windows\System\ZALDYBx.exe
C:\Windows\System\vjSjnTe.exe
C:\Windows\System\vjSjnTe.exe
C:\Windows\System\pjtBKgg.exe
C:\Windows\System\pjtBKgg.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
Files
memory/1628-0-0x00007FF638430000-0x00007FF638784000-memory.dmp
memory/1628-1-0x0000023082190000-0x00000230821A0000-memory.dmp
C:\Windows\System\ATWLSHn.exe
| MD5 | df9e2b454aa14e8a4a8bae86253410bb |
| SHA1 | 96f680fcb5ba16a58a86f6c075ebf40f3d432d97 |
| SHA256 | 6e95d19ca2e3f2879a86cef9a02df10dc7ca7aa702ab6086c1e14269c3973330 |
| SHA512 | 486eaef6dc10ac265fa3f409bd7e490683de306a13b6603ee153a20772836a4e5f5784d2719562b533a7c6da9694ceae06ea8ee4a5d7ca74bfa3d55bd936240e |
memory/4332-8-0x00007FF727650000-0x00007FF7279A4000-memory.dmp
C:\Windows\System\jMcvHrq.exe
| MD5 | fa4169d7ea13bc73ca2b61d8de3572a8 |
| SHA1 | 8faa99aa7938d9a44982f6607a650c3dbf9b80dc |
| SHA256 | d04e890d30e1830f1f2701d50e659336a1625789daa2e8da8767c925f3bc71f9 |
| SHA512 | ea3594d5294fe3303d93a2d70a12dcba2076aaeb971c42a4d7c6e365a55626bd1dcbae0dcd3bf0ff3643f5d0587acab80bdd0ec6cd3a6f9e04cef840ac851464 |
C:\Windows\System\whfWcAt.exe
| MD5 | 23fadc2f0d17cc6f452ed1f48089f521 |
| SHA1 | e2a43129b7ae39f0604d76cc60f6775cd390ffd6 |
| SHA256 | 5894c8b7dde947df9ca4aaee8c25bc03fedecf6fd7baee5e067c80fa5f213d32 |
| SHA512 | 6800bea02e5870ab7a5b2c1bd732ba074a0cc325a6bbeef520954a85afdee82a1772ee152af0e76f3019f93dd8b2fec2f7739802153226ecf4857d1265a11e07 |
memory/4068-14-0x00007FF7B1430000-0x00007FF7B1784000-memory.dmp
C:\Windows\System\fPxqYHu.exe
| MD5 | 594adb894b586073dff8c850ce2176ef |
| SHA1 | 68e76dfa9ad2f0aa58ea572aa699f476c5f1546e |
| SHA256 | 39aaff3a0c69a7326575ef887374c384d4a08a851fc93849077688e6f7b1f87a |
| SHA512 | b6de0952c5cac67151e16a4a7acfdce42feed4e98603a4037d4e1dd2b1525aee0a876f59729a832c85824bafb5fc3490d9e128c25fb16f459bd056f3b6028d77 |
memory/4416-20-0x00007FF782D00000-0x00007FF783054000-memory.dmp
memory/2004-26-0x00007FF6753C0000-0x00007FF675714000-memory.dmp
C:\Windows\System\tkcQmEG.exe
| MD5 | 201ea7b37fffa785ccb1deaf0da9fd02 |
| SHA1 | 9221d070cc35b246bb28dc592cd7224d1d2c56da |
| SHA256 | e7b929fa44c5b63a2c53bbd6f4e41f6270b2b9a2cfd1ec980e93a8433810b827 |
| SHA512 | 85efc81e7ab70891465518cf0094c324051cd66ee5095ceb36d02d4fde9475330f4caba258111d69b64855ee90f4f26cce4f6b4ce9600fe53527db3e09e7f7e7 |
C:\Windows\System\nZeijsa.exe
| MD5 | 51453d292f1d276bb9a2cf3420cb8743 |
| SHA1 | dfea8cf05e77906ee81c7bb37cf3a91e79ec65df |
| SHA256 | 75014b13f1918caefca838bdcb95040d831fa3219da1f644ea99b489dab6fdeb |
| SHA512 | b022fdc432bcb929f4fb618286c5ee9c911c2b198a657605c0d39042047d6bccb7a7399b4432b08020637764cee51cf6ee284405ca6bb9552f6c647b74504a68 |
C:\Windows\System\saKUdxJ.exe
| MD5 | f821a4d9cf5aa9e2f8f864a00c9b08cd |
| SHA1 | a489a4b4743b8f91c831dc2e7812967db0f4dbc0 |
| SHA256 | 44407e168f3ddb526d9c90044de3a2ee689b91d10f0e9b11f85b3b0a42988735 |
| SHA512 | ff5f53c6ed656e9f5edcfa8bed6bad4a4a79e21dae03307ad733003591ec55583ff456abce0bc747982230ca19c9ae3e38daecb2f8233efe53a1b5d0127d11aa |
memory/3720-39-0x00007FF72E850000-0x00007FF72EBA4000-memory.dmp
memory/1324-30-0x00007FF7D8D80000-0x00007FF7D90D4000-memory.dmp
memory/2204-44-0x00007FF79C900000-0x00007FF79CC54000-memory.dmp
C:\Windows\System\vECpTFb.exe
| MD5 | 88d5491d3bbcf7a5a8ffa7d886cf3463 |
| SHA1 | 6d0424f0b2f4245b250a677712590d1067c3be0e |
| SHA256 | 24b2df1a6e624d8f1d1fd6a6b2f5ebffa3ed4731b733a5736904d076281df9c0 |
| SHA512 | a7679f7c4b1ee91bf6117af9de6093457d110f02239f0f6059a2fe2e879a6b7cc3b298c1048ce2f6f314a3794df3a6b1129d978c3a5d0cef45994b66ca77bb7e |
memory/1628-60-0x00007FF638430000-0x00007FF638784000-memory.dmp
C:\Windows\System\zNUcpYi.exe
| MD5 | 21d6edf5a1b12df34189e36d713c403c |
| SHA1 | 5f2890118655d1a19feee5687c1f4ed380903e47 |
| SHA256 | f8d8c8914e451d3b146f00e99efa894420b22f4b1b120d3a7fe043bfe60296b3 |
| SHA512 | 99a9d1b40cabe17885681a8829f24d68e2556254a5928f553b2d8cc9493878578609ffecdd44ef3f58c5a16234a0413fcaac15551d6b376a240bdd62b66b4f0c |
C:\Windows\System\EPjFpcw.exe
| MD5 | 487f00b58281e34713959e789cc0dbbb |
| SHA1 | b12a653363784a4282133861c38cf6e74ac81f50 |
| SHA256 | 2b169b9abec9324aeea88dc3dad3c3c26e635063faee45bb1b9eadb242744584 |
| SHA512 | 35823e2647e64d86944d52d06bc13f487f7b86b31cad94544c7366c589e0e072e372ae416b60328c5350122dc0d9858fc08a92b3c0db83795b22c735f7099bfb |
C:\Windows\System\QNrQHTH.exe
| MD5 | 363df6f8611049e0866b2ed629de530f |
| SHA1 | 7b3422fcc28e6ed23978abdb905f6d11ffb9e3a3 |
| SHA256 | 9bcbdc55b0d4d9674aadb438e4f4d8679b8c368dcdde426ae64351482b46358d |
| SHA512 | d9376691bf3a296bd0f062726fff38b5a8a26040e163522a30189719202e58973223ed6b012df1b18138de7f924eea1fe14b4b2e78d183485fb60274520880e1 |
C:\Windows\System\ZALDYBx.exe
| MD5 | ca178b2cd37b8e46c31764825065de55 |
| SHA1 | 0185da1215800f79cbf6d82470b7ba37a9d365bc |
| SHA256 | d373a05aa2eb03d6538b39d29943fc72bef7689566bac049fc1d8d2e44a05eb8 |
| SHA512 | b559f86e04041230ff020830a23ac76dc0480560937c813887b2c85e9321789e3f6370fb61b15649e310cde1c3c79868fd9fbc65a54c1dd7da6dcb50012395d2 |
C:\Windows\System\pjtBKgg.exe
| MD5 | 6b5d5bb71552f25df532fb05efffffc5 |
| SHA1 | e8f5b2453b6ad31eee8fb11133b68912d159ad36 |
| SHA256 | b7b027f10f3f15647da92a2e08fbeffa6171f3a1200ae3b8d78fce8aa91bf0d0 |
| SHA512 | 49f731b281c7e07ce84f2f8bfa1ae63bd9eac03641cd263e12700b80d444458dce898ddc9e32e28523f4581fb6b58ebdc9128e2af22cd9f3037f5c5d89c74a38 |
C:\Windows\System\vjSjnTe.exe
| MD5 | d5cc80fb77008964e4fd9be33dcda866 |
| SHA1 | 2a36db80e4e47f18a8d050a1cce0fee9bf00f02e |
| SHA256 | bb5a6bd37b1e7469927b86f37dc43cbb0dc726bd28646a2e003e15cf9ed4611e |
| SHA512 | 5090ca9587607dc861836df49e4f2781c72c113613db71e0df3170eb9586bfac86c672402f6ba5b31ed228ba77f0c5458abb07a380e45cdf5f98a1db930e2537 |
C:\Windows\System\kbnoEHd.exe
| MD5 | 5647155a286ca724e940723301c14fee |
| SHA1 | ebd2b3b695906753bb16d5bf9c23a36d1c3d44a3 |
| SHA256 | f30e9b7cbb87649a48a65e7f288a2ea47c0d0488d08c07c71c6b2b0b1dfcb351 |
| SHA512 | cdd6cc98ae4a4f4e0bbc69bdd2d25b5dd32ea6022b823d5027993610aae1f02ca766bf09f4e1e6c97da7c8e400128ddc4227af0caff75b55141085fd035f1db2 |
C:\Windows\System\WschQYr.exe
| MD5 | 54098e61b80aa643127816ca175bbcdf |
| SHA1 | 531fe138378c4c89c0800ad2cb5d7657b154d674 |
| SHA256 | 9c0f628b153a57d2758ac7c5d63d32fb5466f5926fd272ef310078aea45624f5 |
| SHA512 | bb75a796d78443fe05b1005edd300ffa80f287a5fef70be643fd8ec0eaa2f14676281c6b8dd2f5b0ccdec0808c23258a7b59f119be60ab70208a97d4f0edcd2f |
C:\Windows\System\yKBJsjA.exe
| MD5 | 1fe95ccd294bf378b510d3fc5fe41787 |
| SHA1 | e8df34296fce78d0f705d1f77e852cb006461974 |
| SHA256 | d97ae65217c160b5fb5ded3d494db1eeeee76150b13d36353f4f55ec5f492676 |
| SHA512 | 247990943bc7c0fbe3d56d816cb7da2823e24fe95626e5750131503bdc5c887b53f95ea1417729e5e1b98a968426cff34884cc5a2736a18b72f9d6491c5f701f |
C:\Windows\System\FPCsXzi.exe
| MD5 | d9fec0e80a0b0aeb977dbc4ef6ce921a |
| SHA1 | 98ce407eaf2b936b785812081e3fb74816e59dee |
| SHA256 | 07146b95b34628bad4cc5ac1d6d83a99b1618a13636ab8ebbcebe6741e8f64e5 |
| SHA512 | 73f3ac66411acf0cb5cee8beee09eecb4316ec49f097039edf572c9a1ff19c6ba734751de0c8672b5f2d09ea292428754a0cc4123cfdc80ed9009434c194d58c |
C:\Windows\System\MGHlCdW.exe
| MD5 | db6c291adcf9a9eeba92c613558cacad |
| SHA1 | f292c5e1ce0f0ae36392f441cba459e0948e1231 |
| SHA256 | c22cd0c4bb5da013188c5c6e0c8f3c439abc2189c1d34ca27ddc5ab21b1b26c7 |
| SHA512 | becb8247761c26c5e8e4129dc75fd87528f68c9e2b09cecb7536365079b93e6152380178365f698e69aae895d6a3aa3b0608eb4ef45b3080fe3ba80d995e1fc5 |
C:\Windows\System\sTcTugj.exe
| MD5 | ef5819f9ef33851585314a49de899a09 |
| SHA1 | 20ace18d281f862367122a0fc71e70fbce9d4086 |
| SHA256 | 35673710990702fd999e36cb4083efba324b29c9b7cbdea7802b0fd9e0c002d4 |
| SHA512 | 632957e08ca4bd39681b7413a594d2f6dd0446176e8c9ca722cc57f775d0cde814cbb5fdf040d1b63e3f86684f81b3e847da4f9f3b289c9a109898fde41161c6 |
memory/3780-64-0x00007FF704F60000-0x00007FF7052B4000-memory.dmp
memory/1664-59-0x00007FF77A840000-0x00007FF77AB94000-memory.dmp
memory/1452-50-0x00007FF7F9530000-0x00007FF7F9884000-memory.dmp
C:\Windows\System\KWuqaVb.exe
| MD5 | 1290a6f31743e908f5f8c57441cd523d |
| SHA1 | 0e6a973fff3ef57dd1e54da7788d6a0a6a3bc39d |
| SHA256 | 7c966ddb463caf713523f3287e087e30e2e8685f5d337680da1a0e1242cfa53a |
| SHA512 | 710dadee325c6922f7fc7fd94aa9d551e362ee787699e720cdd03c575581e8dd91170c6cdb7ad6e53d40f71eb5e01047d993a5041d20509cf07644d8f74aad68 |
memory/4332-118-0x00007FF727650000-0x00007FF7279A4000-memory.dmp
memory/3596-120-0x00007FF6EFA00000-0x00007FF6EFD54000-memory.dmp
memory/2764-119-0x00007FF665DE0000-0x00007FF666134000-memory.dmp
memory/4492-121-0x00007FF7B24B0000-0x00007FF7B2804000-memory.dmp
memory/2544-122-0x00007FF6AA6C0000-0x00007FF6AAA14000-memory.dmp
memory/4552-123-0x00007FF687D70000-0x00007FF6880C4000-memory.dmp
memory/4592-124-0x00007FF77EDA0000-0x00007FF77F0F4000-memory.dmp
memory/4116-125-0x00007FF652050000-0x00007FF6523A4000-memory.dmp
memory/2120-126-0x00007FF755F40000-0x00007FF756294000-memory.dmp
memory/1824-128-0x00007FF63FB80000-0x00007FF63FED4000-memory.dmp
memory/3696-127-0x00007FF669170000-0x00007FF6694C4000-memory.dmp
memory/3140-129-0x00007FF78C760000-0x00007FF78CAB4000-memory.dmp
memory/4068-130-0x00007FF7B1430000-0x00007FF7B1784000-memory.dmp
memory/1324-131-0x00007FF7D8D80000-0x00007FF7D90D4000-memory.dmp
memory/3780-132-0x00007FF704F60000-0x00007FF7052B4000-memory.dmp
memory/4332-133-0x00007FF727650000-0x00007FF7279A4000-memory.dmp
memory/4068-134-0x00007FF7B1430000-0x00007FF7B1784000-memory.dmp
memory/4416-135-0x00007FF782D00000-0x00007FF783054000-memory.dmp
memory/2004-136-0x00007FF6753C0000-0x00007FF675714000-memory.dmp
memory/1324-137-0x00007FF7D8D80000-0x00007FF7D90D4000-memory.dmp
memory/3720-138-0x00007FF72E850000-0x00007FF72EBA4000-memory.dmp
memory/2204-139-0x00007FF79C900000-0x00007FF79CC54000-memory.dmp
memory/1452-140-0x00007FF7F9530000-0x00007FF7F9884000-memory.dmp
memory/1664-141-0x00007FF77A840000-0x00007FF77AB94000-memory.dmp
memory/3780-142-0x00007FF704F60000-0x00007FF7052B4000-memory.dmp
memory/2764-143-0x00007FF665DE0000-0x00007FF666134000-memory.dmp
memory/4492-144-0x00007FF7B24B0000-0x00007FF7B2804000-memory.dmp
memory/3596-145-0x00007FF6EFA00000-0x00007FF6EFD54000-memory.dmp
memory/2544-146-0x00007FF6AA6C0000-0x00007FF6AAA14000-memory.dmp
memory/4592-147-0x00007FF77EDA0000-0x00007FF77F0F4000-memory.dmp
memory/4552-148-0x00007FF687D70000-0x00007FF6880C4000-memory.dmp
memory/1824-150-0x00007FF63FB80000-0x00007FF63FED4000-memory.dmp
memory/3140-149-0x00007FF78C760000-0x00007FF78CAB4000-memory.dmp
memory/2120-151-0x00007FF755F40000-0x00007FF756294000-memory.dmp
memory/3696-152-0x00007FF669170000-0x00007FF6694C4000-memory.dmp
memory/4116-153-0x00007FF652050000-0x00007FF6523A4000-memory.dmp