Analysis Overview
SHA256
5cd071240d2ca96865c1f783d5147572d98aafc4a5c8f4e76dfad2691e6b92c6
Threat Level: Known bad
The file 2024-06-09_c44f8dc1e257c49c5b63cbf2ec00a7da_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike
UPX dump on OEP (original entry point)
XMRig Miner payload
xmrig
Xmrig family
Detects Reflective DLL injection artifacts
Cobaltstrike family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-09 04:48
Signatures
Cobalt Strike reflective loader
1 entry; description, indicator, process and target columns were not rendered in this export.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 entry; description, indicator, process and target columns were not rendered in this export.
UPX dump on OEP (original entry point)
1 entry; description, indicator, process and target columns were not rendered in this export.
XMRig Miner payload
1 entry; description, indicator, process and target columns were not rendered in this export.
Xmrig family
UPX packed file
1 entry; description, indicator, process and target columns were not rendered in this export.
Unsigned PE
1 entry; description, indicator, process and target columns were not rendered in this export.
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 04:47
Reported
2024-06-09 04:51
Platform
win7-20240221-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Cobalt Strike reflective loader
21 entries; description, indicator, process and target columns were not rendered in this export.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 entries; description, indicator, process and target columns were not rendered in this export.
UPX dump on OEP (original entry point)
43 entries; description, indicator, process and target columns were not rendered in this export.
XMRig Miner payload
59 entries; description, indicator, process and target columns were not rendered in this export.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AhrdpMK.exe | N/A |
| N/A | N/A | C:\Windows\System\AphuthR.exe | N/A |
| N/A | N/A | C:\Windows\System\xEYaBFr.exe | N/A |
| N/A | N/A | C:\Windows\System\HYKiqoW.exe | N/A |
| N/A | N/A | C:\Windows\System\yItSxcF.exe | N/A |
| N/A | N/A | C:\Windows\System\ePyZvdN.exe | N/A |
| N/A | N/A | C:\Windows\System\GOwsfsW.exe | N/A |
| N/A | N/A | C:\Windows\System\Rgwazwo.exe | N/A |
| N/A | N/A | C:\Windows\System\gwrJKyL.exe | N/A |
| N/A | N/A | C:\Windows\System\amcIDeg.exe | N/A |
| N/A | N/A | C:\Windows\System\BKGUdMM.exe | N/A |
| N/A | N/A | C:\Windows\System\tcJIilu.exe | N/A |
| N/A | N/A | C:\Windows\System\RXipuXw.exe | N/A |
| N/A | N/A | C:\Windows\System\DjDulcI.exe | N/A |
| N/A | N/A | C:\Windows\System\TmUmfmy.exe | N/A |
| N/A | N/A | C:\Windows\System\TJgkiSM.exe | N/A |
| N/A | N/A | C:\Windows\System\iefdUnF.exe | N/A |
| N/A | N/A | C:\Windows\System\JDgVRiT.exe | N/A |
| N/A | N/A | C:\Windows\System\AYyQxdI.exe | N/A |
| N/A | N/A | C:\Windows\System\oETXpjv.exe | N/A |
| N/A | N/A | C:\Windows\System\NrwUBMp.exe | N/A |
Loads dropped DLL
UPX packed file
54 entries; description, indicator, process and target columns were not rendered in this export.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_c44f8dc1e257c49c5b63cbf2ec00a7da_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_c44f8dc1e257c49c5b63cbf2ec00a7da_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_c44f8dc1e257c49c5b63cbf2ec00a7da_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_c44f8dc1e257c49c5b63cbf2ec00a7da_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\AhrdpMK.exe
C:\Windows\System\AhrdpMK.exe
C:\Windows\System\AphuthR.exe
C:\Windows\System\AphuthR.exe
C:\Windows\System\xEYaBFr.exe
C:\Windows\System\xEYaBFr.exe
C:\Windows\System\HYKiqoW.exe
C:\Windows\System\HYKiqoW.exe
C:\Windows\System\yItSxcF.exe
C:\Windows\System\yItSxcF.exe
C:\Windows\System\GOwsfsW.exe
C:\Windows\System\GOwsfsW.exe
C:\Windows\System\ePyZvdN.exe
C:\Windows\System\ePyZvdN.exe
C:\Windows\System\DjDulcI.exe
C:\Windows\System\DjDulcI.exe
C:\Windows\System\Rgwazwo.exe
C:\Windows\System\Rgwazwo.exe
C:\Windows\System\TmUmfmy.exe
C:\Windows\System\TmUmfmy.exe
C:\Windows\System\gwrJKyL.exe
C:\Windows\System\gwrJKyL.exe
C:\Windows\System\TJgkiSM.exe
C:\Windows\System\TJgkiSM.exe
C:\Windows\System\amcIDeg.exe
C:\Windows\System\amcIDeg.exe
C:\Windows\System\iefdUnF.exe
C:\Windows\System\iefdUnF.exe
C:\Windows\System\BKGUdMM.exe
C:\Windows\System\BKGUdMM.exe
C:\Windows\System\JDgVRiT.exe
C:\Windows\System\JDgVRiT.exe
C:\Windows\System\tcJIilu.exe
C:\Windows\System\tcJIilu.exe
C:\Windows\System\AYyQxdI.exe
C:\Windows\System\AYyQxdI.exe
C:\Windows\System\RXipuXw.exe
C:\Windows\System\RXipuXw.exe
C:\Windows\System\oETXpjv.exe
C:\Windows\System\oETXpjv.exe
C:\Windows\System\NrwUBMp.exe
C:\Windows\System\NrwUBMp.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3016-0-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/3016-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\AhrdpMK.exe
| MD5 | a0bda1d0d5b11456285eb40c2fab79d5 |
| SHA1 | 666abc329f14f81ec1a104f43d44e3ad2c2b5e6e |
| SHA256 | 0c7df7b9dd7061facee240d14e8dd706fbbb7af4444660bc3278caedb9d5fb52 |
| SHA512 | e8b550b5941b16193404aad921490e058be7ed2f2d9f0b7950685d6720cf5d89ee30ca84f789d5e6a076cccebaa75e821df7bc6e075fc2ade7aa4f90ba5138f1 |
\Windows\system\AphuthR.exe
| MD5 | 71fb90d1aa0bcd0743ff53e5ed24e51e |
| SHA1 | ffdb50c15a1139fabb0a8bcf8f595521185c54a0 |
| SHA256 | 162fc23343505bc342a7112ecf918f0a47703231bd9973600c88078ca2df9064 |
| SHA512 | f70f716a3350270886bd4fd39f459d3066e39fc4c14b57570c248bda440c682b7f5d8dd0009ff6cc8b701c597122118cea94b6dfcfec8b6db9a1fbe49d413d8d |
memory/3016-14-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/3016-10-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/2968-16-0x000000013FD70000-0x00000001400C4000-memory.dmp
C:\Windows\system\xEYaBFr.exe
| MD5 | 265179020810a682f7b5c2ddcb911eda |
| SHA1 | c6618649410858f66ad073fad044d7ce85ae0b48 |
| SHA256 | 3683c5713706f626e387b98b350118fff51aeefa482b32297d5b28f54df8a24e |
| SHA512 | 9d04e7f240930939cf9a138a325627f76ffdac2302350fb806949e0c1b6fe4351f90f31caa001cbc21bb45b83fc813f93b2850a2adc375bc8919bc5f46e1839b |
C:\Windows\system\HYKiqoW.exe
| MD5 | 9c405f71f8f1bb87fa26b5dd7605c4e5 |
| SHA1 | 1e56ec488526a1b927232415f3fa7eb740c9dcc0 |
| SHA256 | 99d992a34fc1f5f96baa9eb1d4f1176aae8b1230853d0bdef2e5e76d5676121d |
| SHA512 | 1202d2eeeba831bd7a568865c743ddbde9606888f184569404779a60822037b2c01398e34af6d820894a37dac6ad175bd69c657c373d2469350be9ff56bef8ea |
\Windows\system\yItSxcF.exe
| MD5 | 3dd3dcd306f0efc9bbfa800cbd31ae40 |
| SHA1 | d052cb1858658159c0105a89f05e8ea0bb515259 |
| SHA256 | 7c369ff01d831de8701c05e89e10baafecae898266eb16442fd298ec3ac4b304 |
| SHA512 | 59ad00f536a0bf367e7ffc9ae8487c3c876b694bdbdc9cbc067ae6fe30b5ea1fb628f6dff517baa30ac39f6a2825197d0473cb1892c86bc9e668a42a7b74d6a3 |
memory/2144-106-0x000000013FAD0000-0x000000013FE24000-memory.dmp
C:\Windows\system\Rgwazwo.exe
| MD5 | a213a921639142a4eafa2d2121688c3e |
| SHA1 | 7feadccc6591e883807f85de6124bae843342c89 |
| SHA256 | f23eb736220a3e9000c1af73fb54765f435d27733d2be73c17f738f1ae268162 |
| SHA512 | 64641772d027309cb5ee6ff7f757476a854b7a09f98ab319bf1da8e149cd0921c1d14d0f4c32819c703f2f7d1010548e52c3113fadd64c4252b520e2e844c478 |
C:\Windows\system\NrwUBMp.exe
| MD5 | 9dc030972032715c3a4b701c9169aa52 |
| SHA1 | 86720a6ed24505d28117deb592d75bed5e7c3d27 |
| SHA256 | 707d97fb7435a71a6fc3de9903c58d08d4b91c3cf1eb55e8bba6477fb39a4544 |
| SHA512 | df8d1279451e8cddc5282f2bad55b262e03f490007aa5293f05b8d6fd3b95dde842419c02e88aad815743c62430e6d86f003f6ce93f38581b9a6ebe2a8412d0f |
C:\Windows\system\oETXpjv.exe
| MD5 | 2ddf459b3166c48e3f2ff2dded254ede |
| SHA1 | a86d4c2298853b8670c0ab34132aff47d8e98115 |
| SHA256 | 1a2ede107bbe4128e8e68411091ab018b83478dc8e70e5f670d083c4442c2bac |
| SHA512 | 18889ef67e54f46183719cd7d90736a0350e3cf55f35fc11d2313fe0b7cd4b389c1aa78176f7a0384766f87daddfce9f658e2d96193a4ccc185e8d720ca7b681 |
C:\Windows\system\AYyQxdI.exe
| MD5 | 7576f538cb758669eab5a4d1c52bf9e6 |
| SHA1 | 406fdb17396a87d881541b38f8d63329f1a372bd |
| SHA256 | 37a88f59e1b249eb62c8b0a2ad9757e6f515e5a8a847e3115b0385a58244ded1 |
| SHA512 | 19660d3b1f603e42e68e51d90e8f6a59faee0204b62691c981388c1c2ec7e2fd2d834c5e47924762006344fd8179c22c8abf1eb3e9e908f1eb9a7f31e6a58a77 |
C:\Windows\system\tcJIilu.exe
| MD5 | a1240d5711d533f09de74358c05577f0 |
| SHA1 | 39cbc6e495ed7b5d35209323193906f8a70c0255 |
| SHA256 | 58674a52ab6aab8b9f79c4d127bb596651a5037416a1781eb2a1bd5b5c51b866 |
| SHA512 | 52d0326e6d37119bca040526a8747e7d2e21d8b5a09ad5af13e9a4bd274eaf873c45640202ed76cf74cffd59b95659576019e3f02d8e45f18206fbf95078d278 |
memory/3016-102-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/3016-94-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/1016-91-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/2856-90-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/3016-89-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/3016-88-0x00000000022E0000-0x0000000002634000-memory.dmp
C:\Windows\system\BKGUdMM.exe
| MD5 | a3c925b09b431b3587d338cc0df462c5 |
| SHA1 | eac899b16789885648f4df2e840d0c08efc667e6 |
| SHA256 | 602263dd8429408cfb11ea95a8a0d89547156cea699290e16b56a1126d5108d3 |
| SHA512 | 525f70f51c2730dda5b83e0c8766b70f0cda8436e8a0506c44561dcdc0600fcbc23bce3e1defb39f284f384b870fef1849943e0908fcc60ce7b7fe6001c27ab2 |
\Windows\system\JDgVRiT.exe
| MD5 | 64286d7855069572dd960570514dd2df |
| SHA1 | 6a6ba34d3b37e53f56041e96beb1cedd42b5dd53 |
| SHA256 | 65d5bc00ef5bbea5a55d5879cbfcd8cc9b69f224cfe39567e9dc1ae85d2dcd57 |
| SHA512 | 18b8ef600715100c8faed619f9bd225cb2eccbad85b3c6abf3061b9e792e2bdb2abfd3424fabb6c16feeeeef2731c561def6064b55055e3ebb5776be2f87b85a |
\Windows\system\iefdUnF.exe
| MD5 | 32041569ce29a5ef50883ca4e87e40ae |
| SHA1 | 62752d482ea7fbac09b013a4fe013fc0d3df3abe |
| SHA256 | 2e3378fbc771dcf65b54c5f4fc3d8b2f4d91a4c0824d0dd8ab6cf9cad9802f08 |
| SHA512 | f73e85b6685b7d4ce370cfab3ac9dd8c2d17fe49cb93ecb85f5f1ba15be35390697e7a824474b95109c653c60fc79b37d0e3c8a6792ee455c62ff2a12d3837b4 |
memory/3016-71-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/2552-70-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/3016-66-0x000000013F4C0000-0x000000013F814000-memory.dmp
\Windows\system\TJgkiSM.exe
| MD5 | 75f5b1209ec2922a38fa350435ebeadc |
| SHA1 | 0f7e0c3236b8184a7466c0517117e821e5bbb6aa |
| SHA256 | 5da855cd28b4d19d7b466fa1340e45628e6af16143ecd76f4f58661a92ab4ac4 |
| SHA512 | e7dbdb69f290209a0d033f6e5235a759fd34b5822cada77a7a62d29f58048da51ace10f84fe799eab71b29a51d1d94d0ea8071abba0684f0140de77da6278263 |
memory/3016-56-0x000000013FB50000-0x000000013FEA4000-memory.dmp
\Windows\system\TmUmfmy.exe
| MD5 | bcb3b0cebab9788621a3c032217eb234 |
| SHA1 | ddfcd0aa3832b2be1be7af774d420be6cc999705 |
| SHA256 | eaef21b308c3e8bf0e4929e343e990b36d2fbad127af401bff739a2ec86e9979 |
| SHA512 | 766c7943483dee7e038005bf9c35bd47e4ff6f0e5ba05c4ce95ecb1c9334e76fe6347d865c6d292da68ba3428a940e4ced633d1f6b77c7b0fed79e075638add0 |
C:\Windows\system\GOwsfsW.exe
| MD5 | eb8795c056dc322726fb9a21ef73ee54 |
| SHA1 | 279d2f0fc5952db2cd31c5d5578fcf90179c318b |
| SHA256 | 938360b71af974616df377f2399453b814036ae25b14ee96e7b35749a127cdaf |
| SHA512 | 4c4f8cb4774018e8e76ae319f7f624be38131e5fe6a7fac8724e70ecba4b5e3275b8fb32b207e6b72cd25efcdef4777285dc3ad57c6f4cfb3615daeafdcea4e8 |
\Windows\system\DjDulcI.exe
| MD5 | 49f5b99fa619fa61c00d9d7a0ee5addb |
| SHA1 | c035d229372eef7eae2de075b281c70d0c51c3ad |
| SHA256 | 1b01739ae6a9235fb63b5110af98a024b3a5b82a8cd83e75f6b8df63ad0c3205 |
| SHA512 | 9324c155d0064f42c3a19ab34c53dfc74877f8eb0dd235f8a365f5bda8cbca75c04147bc9a0e81b3d4c0f00aa98d119f1b29b7d83daad37eeb0cd1ae3e414f65 |
memory/2548-124-0x000000013FF80000-0x00000001402D4000-memory.dmp
C:\Windows\system\iefdUnF.exe
| MD5 | 8f45bed710b4215a2f102ba123751dbb |
| SHA1 | a416310d33a7dd56d3cc5847d91a51032afed198 |
| SHA256 | 0357e6eaf9664935bfec0c3636dcdabe88d30c4efba72cac06942b945bba7b72 |
| SHA512 | 8876911c747ef6cc777167517fda2049d8163eb110e6c9443616db95c233c1053de77ecd6782d535c11e4d6849ebfa50869c922df69dc23a354bf250231e8a34 |
C:\Windows\system\RXipuXw.exe
| MD5 | 3841d3131bdc70a1cf74942213460680 |
| SHA1 | e066ede4ce1cfdb2ea8111ae73f718eb8b157bd9 |
| SHA256 | b4d269eec56539100336c47edcf07ade25ee028ddd2f468b5ccafc2495eaa0a4 |
| SHA512 | 77b6c9843e542c6ef34515300b738e90e6b505a929acee13a482482161e043ddee1028dddba920c8c9ca07a42160a603ae89b3ec75270ab6e028949695a5b7fe |
memory/3016-107-0x000000013F630000-0x000000013F984000-memory.dmp
\Windows\system\RXipuXw.exe
| MD5 | 884c16f22ff3d4aede758bb5145aef8f |
| SHA1 | 7d4e05d3211d034fcd234e0cff954fe46071635f |
| SHA256 | 48f3819d27864f20941fac52e762dfd28e0b7c307480f5b44f13917ac0525bb6 |
| SHA512 | f0623cbdbfcf4f0e5e602c29940e2b9c919a085591b0f609cce116dc8469aff42426329b52569af370d4719d23ac80b37b566d097498f0a311a003681427ec38 |
memory/3016-97-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/3016-96-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/2436-85-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2712-125-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2708-78-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/2456-77-0x000000013F1D0000-0x000000013F524000-memory.dmp
C:\Windows\system\amcIDeg.exe
| MD5 | cd668a2002dfa54ab5d59a68c94ac151 |
| SHA1 | 53879bc95a11c8186495b87f1bb609393c677868 |
| SHA256 | a1568cace9d171fb99e12d1dcaee84e61aa5ac61548781611a3229e6608d7a45 |
| SHA512 | 2ddfea45a3b9a8009f4dd50acea3ba1355e263e5afca0516733bcf861b6f3e346a809f588e214a84ddca5a7f8e2a5c69152edba00814012a435fe99fe1a3b486 |
memory/3016-75-0x000000013F300000-0x000000013F654000-memory.dmp
memory/3016-39-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/2712-36-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/3016-63-0x000000013F560000-0x000000013F8B4000-memory.dmp
C:\Windows\system\gwrJKyL.exe
| MD5 | 4711a8ad0cd38ac839e7e7c470d5ecad |
| SHA1 | 8cf8f189e51cfca4aedfd542be46c6fd4aa26e50 |
| SHA256 | a8671b77c3a6196294036158c6f863d2feeb6012adf762b107fc4e6beb20ddbe |
| SHA512 | 6970f51727cafba9913ecc8b9639df157ec2129badf150f5a2412f4f972d78a236d75ed867088e45eecc5092afd74a14ec50e73973ccfc4d017a87e8a89b73ce |
C:\Windows\system\ePyZvdN.exe
| MD5 | b12f50740eef66714200750b921dca91 |
| SHA1 | 8373966e5ed792f21420a1f96bf3bbb6923ce01a |
| SHA256 | 719552d5e050d5b6103aeabc2599e37e66f0dc2dc083f0cf409b7b43085c6d59 |
| SHA512 | 7a4e91a3c8d86a2c7d2864f022b2bc699138cd2829346c866cd8c934865e794d9cf66725904fe7973648c3a72b48057f93b8dc315697f02e4e9bbb78689e94d8 |
\Windows\system\ePyZvdN.exe
| MD5 | b2f538258649b2cdb00803d5a5c97353 |
| SHA1 | 9c5789eb9a636c4ac6e8dd594a0ea60d23e14d2a |
| SHA256 | 0c70856f6f373b775e036a90dc5c27e4b348146a3e531e06da167a6935d2b3f4 |
| SHA512 | f5df5d92f6df278fa6cc63a88bd5b7ce54f95cc46722719be97834b52ea7c8b088814a3dc60036fb0518feeed251b96d104cf929d5167fc64cb2d68d4a7af68e |
C:\Windows\system\yItSxcF.exe
| MD5 | f5b6b12278e7a9bba6be34f8725957fa |
| SHA1 | ae81bf7708815b803603ee2e39d523c01b991be8 |
| SHA256 | 1358f9fb44e357ff7d7e8bcea3c8aaad194b105ea38b9505ea6eeddbd451bb9a |
| SHA512 | 0961aa38fa7df744748b1d813e20866eac6b0e1c8a8a4c04f0beb56b3b77dee898112a177012af8be9972ea9717ac3a8506562642875b9588de25049a9f559d9 |
memory/3016-33-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/2548-28-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/3016-26-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/2144-22-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/1612-15-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/3016-138-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/3016-139-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/3016-140-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/1016-142-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/2856-141-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/3016-143-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/3016-144-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2968-145-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/1612-146-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2144-147-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/2548-148-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/2712-149-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2552-151-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2436-152-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2456-153-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2708-150-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/1016-155-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/2856-154-0x000000013F160000-0x000000013F4B4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 04:47
Reported
2024-06-09 04:51
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
21 entries; description, indicator, process and target columns were not rendered in this export.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 entries; description, indicator, process and target columns were not rendered in this export.
UPX dump on OEP (original entry point)
62 entries; description, indicator, process and target columns were not rendered in this export.
XMRig Miner payload
64 entries; description, indicator, process and target columns were not rendered in this export.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\rkbftko.exe | N/A |
| N/A | N/A | C:\Windows\System\ygBmmoy.exe | N/A |
| N/A | N/A | C:\Windows\System\FcmlKZi.exe | N/A |
| N/A | N/A | C:\Windows\System\RQQugJF.exe | N/A |
| N/A | N/A | C:\Windows\System\uXChlnN.exe | N/A |
| N/A | N/A | C:\Windows\System\rWIdpvm.exe | N/A |
| N/A | N/A | C:\Windows\System\AQHVbQt.exe | N/A |
| N/A | N/A | C:\Windows\System\rxnGmGo.exe | N/A |
| N/A | N/A | C:\Windows\System\TjNgGnq.exe | N/A |
| N/A | N/A | C:\Windows\System\UCUEMRP.exe | N/A |
| N/A | N/A | C:\Windows\System\REzvpVa.exe | N/A |
| N/A | N/A | C:\Windows\System\crtVicF.exe | N/A |
| N/A | N/A | C:\Windows\System\PNYZmFO.exe | N/A |
| N/A | N/A | C:\Windows\System\JGOpuyG.exe | N/A |
| N/A | N/A | C:\Windows\System\MZAjkcQ.exe | N/A |
| N/A | N/A | C:\Windows\System\acWIngT.exe | N/A |
| N/A | N/A | C:\Windows\System\vakqNZw.exe | N/A |
| N/A | N/A | C:\Windows\System\AjRIYOj.exe | N/A |
| N/A | N/A | C:\Windows\System\KjpDPTo.exe | N/A |
| N/A | N/A | C:\Windows\System\vrVmItp.exe | N/A |
| N/A | N/A | C:\Windows\System\fKgLmfj.exe | N/A |
UPX packed file
64 entries; description, indicator, process and target columns were not rendered in this export.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_c44f8dc1e257c49c5b63cbf2ec00a7da_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_c44f8dc1e257c49c5b63cbf2ec00a7da_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_c44f8dc1e257c49c5b63cbf2ec00a7da_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_c44f8dc1e257c49c5b63cbf2ec00a7da_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\rkbftko.exe
C:\Windows\System\rkbftko.exe
C:\Windows\System\ygBmmoy.exe
C:\Windows\System\ygBmmoy.exe
C:\Windows\System\FcmlKZi.exe
C:\Windows\System\FcmlKZi.exe
C:\Windows\System\RQQugJF.exe
C:\Windows\System\RQQugJF.exe
C:\Windows\System\uXChlnN.exe
C:\Windows\System\uXChlnN.exe
C:\Windows\System\rWIdpvm.exe
C:\Windows\System\rWIdpvm.exe
C:\Windows\System\AQHVbQt.exe
C:\Windows\System\AQHVbQt.exe
C:\Windows\System\rxnGmGo.exe
C:\Windows\System\rxnGmGo.exe
C:\Windows\System\TjNgGnq.exe
C:\Windows\System\TjNgGnq.exe
C:\Windows\System\UCUEMRP.exe
C:\Windows\System\UCUEMRP.exe
C:\Windows\System\REzvpVa.exe
C:\Windows\System\REzvpVa.exe
C:\Windows\System\crtVicF.exe
C:\Windows\System\crtVicF.exe
C:\Windows\System\PNYZmFO.exe
C:\Windows\System\PNYZmFO.exe
C:\Windows\System\JGOpuyG.exe
C:\Windows\System\JGOpuyG.exe
C:\Windows\System\MZAjkcQ.exe
C:\Windows\System\MZAjkcQ.exe
C:\Windows\System\acWIngT.exe
C:\Windows\System\acWIngT.exe
C:\Windows\System\vakqNZw.exe
C:\Windows\System\vakqNZw.exe
C:\Windows\System\AjRIYOj.exe
C:\Windows\System\AjRIYOj.exe
C:\Windows\System\KjpDPTo.exe
C:\Windows\System\KjpDPTo.exe
C:\Windows\System\vrVmItp.exe
C:\Windows\System\vrVmItp.exe
C:\Windows\System\fKgLmfj.exe
C:\Windows\System\fKgLmfj.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
memory/2504-0-0x00007FF69AFC0000-0x00007FF69B314000-memory.dmp
memory/2504-1-0x000001A0C0110000-0x000001A0C0120000-memory.dmp
C:\Windows\System\rkbftko.exe
| MD5 | c50b236a3e4b54953b51aa6d38320f8d |
| SHA1 | 1ea64dd444e33d94c782ab92cd9f29d5070c0eca |
| SHA256 | 36a9a319253b3851deec84b559424897a173cad684832dbc8dba9f1be2094afb |
| SHA512 | 4e01571d255aad005fe86997c2c07e6df2a38f04f8c20819b3b1d33f932b65d81155b460b6e25d19336fa0e00109d1ecda0285838992e07ee839180937d6f0d3 |
memory/1796-8-0x00007FF797C70000-0x00007FF797FC4000-memory.dmp
C:\Windows\System\ygBmmoy.exe
| MD5 | c6f25da4500b3bf9672485cd8cb0f8a9 |
| SHA1 | 5003085cd74f87b2149e477ec774e9673b438c2c |
| SHA256 | eb2eea2f0ccca2648f7db9ad922b9181fcb2de60ac291238351d1bf2ca6589a2 |
| SHA512 | 89d61dcab3554d8c9c68fb0be9ea19ca2215d088be97545be51aa836f3a3b11779b5d6d1d0df4e65e5efb45b2b24a5d3fd7adbde9430a7bbbd77b08b59bf0628 |
C:\Windows\System\FcmlKZi.exe
| MD5 | 45801cf179211b73c1a5b8d47b40568d |
| SHA1 | 94faba9d9353febbdba8bda6c04754493184eda1 |
| SHA256 | f1f1995623a9c9e02472bec1212a5890ab4bd444701268d7a9a0a3e1a162a6ad |
| SHA512 | d14129364ede3f322975ced7f25942258a6ca12772581dc200f66fd4ae8ef9d9364a0db16d43829d6f3bcfda27b98f119649b37eaba31ac325df194390174262 |
C:\Windows\System\RQQugJF.exe
| MD5 | 8281fc42c7e266d7782165676f9f0f70 |
| SHA1 | 19846b86d4f7d274a3a41c825c5956189f05ed31 |
| SHA256 | db617af3c779b65f71d089aaef66a366d11859d80b040f07eadcd98eb8d5c711 |
| SHA512 | 981246f99f18fb8bc28c828f1a6f3fb1c82f652d03ee7279b7defda2f41214d06923198a77080890e8e38f1d7445af295b82a3824e59bc0d0f94611d4b7e4a5c |
C:\Windows\System\uXChlnN.exe
| MD5 | 3c699b5da7b9f9b3b70726381beac868 |
| SHA1 | ad86dbd9308b15306816af3df3bfe5a37c9d5502 |
| SHA256 | 6316817af701871fc71c6a2c778cde10629dccf64e1314691870ba10574ee89d |
| SHA512 | 468afd75139c056a857654acc80d574f3b17586333bbea91c90c6e233fb091f6d4686f71f4bdc9829601a7148d5835d9454173b2c4b4a43ea05089529345ddb5 |
memory/396-32-0x00007FF750100000-0x00007FF750454000-memory.dmp
C:\Windows\System\rxnGmGo.exe
| MD5 | 1177a5b33ca05a8f625bcea083fd761b |
| SHA1 | 7e0645ad203096729f73890fe74138996a58587c |
| SHA256 | bf6039c61382f79829f7c7a22fc69a8eca871e01ce24329dd977650138ac911b |
| SHA512 | d7723f7dbfb7ed49e1e3556e9372308e6fcb7ec12e90650cea160c237b484e63df7fd1a26e156b688999f38c3c2c3c5780441faf6d69f05ec62c49c2bf27fdba |
C:\Windows\System\AQHVbQt.exe
| MD5 | 468a20b07335c8db1a3de3ff41e283fc |
| SHA1 | dac526cf789d4c0cf255cf33b7dc80fbbe18cdae |
| SHA256 | c80c8334e0f65372db5f902100087c38d65a32e482234f1e187d0a6c507040aa |
| SHA512 | e0531f17f64de3319a7f42cffaf366311afa09b8d55002f21f260cfd8cea76978f7a491e17fa6725e5cb1200a4ae483c8a7acb51f124d396fce0f470f2ef8604 |
C:\Windows\System\TjNgGnq.exe
| MD5 | bb963965e8a7c34d019844e73170e7a3 |
| SHA1 | a704522489bc56cad62d0bcff0ae2d40ad47c96d |
| SHA256 | 35ce244775e7aba21eb9535bdfbc08b0c4299f3aa1bbc549b8e4c5254234043a |
| SHA512 | 52a2238af18043a8e7dec0a95844d7e0f3dbe86c8add25cff1e15ba9431f43c2cc2dd318e169fb52963691586d45db2957f988041af58bb153449c5ff7f0f48d |
C:\Windows\System\UCUEMRP.exe
| MD5 | feccba3a410c1744cb6c4453aaf2326f |
| SHA1 | d920ef1e78917fd26814a02ad45d7887ac777a36 |
| SHA256 | 0a16eff8c4b193a2804c9164f174401938b71c986bfb9377a8fd7497e4a49cac |
| SHA512 | 06b5e646ff4f83315bdb79c9160cc445bec49e2d25b67262b56fc24d5433a1f9e365f2164b6f1e0ea62963575c1035ff27ec02fd068f83b2091ad0ea5667aca3 |
C:\Windows\System\crtVicF.exe
| MD5 | 2bf86677a864e52f51f82751885984d0 |
| SHA1 | 27385bc266b3882a98a969c5cf56095aa0c3526c |
| SHA256 | 7122fdf67fe96f1e3263e2c0a9f0a3cda2bbf8f6b1bfa3b58eb02281e3905e25 |
| SHA512 | e4ccf8ee58f5c16bbd40dfda1c689ca062d29a5e6b375aded91b1b47284311abc766d34a4c93130663ea1f5fd19839756db720d09dab08102b38e6321c48982a |
C:\Windows\System\PNYZmFO.exe
| MD5 | 1a93f91ff7a653037910cb7b5094b1b9 |
| SHA1 | 5d1e627d2c493efbbfacc046001d4b7e0a9d040d |
| SHA256 | dd2b5c93c7923d6cd98e229d872e118e0ddb43e6bbfab6343456e3872a079342 |
| SHA512 | 9e990b485c6abb80bbfe7502bf68b4cdb47f6bd11eed0581ffc2544dda69a6605c1c7c7e32f3c65c708af23fb6e8d8bcd35346e1d6ab1ec38aee44978cf199cc |
memory/64-82-0x00007FF7F5180000-0x00007FF7F54D4000-memory.dmp
memory/4712-85-0x00007FF756B70000-0x00007FF756EC4000-memory.dmp
memory/4616-86-0x00007FF693820000-0x00007FF693B74000-memory.dmp
memory/1460-84-0x00007FF74CDD0000-0x00007FF74D124000-memory.dmp
memory/864-83-0x00007FF6EF600000-0x00007FF6EF954000-memory.dmp
C:\Windows\System\JGOpuyG.exe
| MD5 | 866ace554dfa7366eb2ab45700320631 |
| SHA1 | 97baa62601a58988a26c0c8f3c0a34e7142e92bf |
| SHA256 | b9698a4e0b64950d1fd201fe114979a54a1218527e18015a68b9c9693b50310e |
| SHA512 | 4bef824ce8a3d77f0173e596dac6f2218e312c48a43488a56cecf5c4baf41e298d900b792fee3c7faf9537c54f046c6d4f3ad380d682c858b5b2565232546646 |
memory/2536-77-0x00007FF74BAE0000-0x00007FF74BE34000-memory.dmp
C:\Windows\System\REzvpVa.exe
| MD5 | 5e5a3088a6d665ec8c217cca4516ad3d |
| SHA1 | 41a519bc62ba1f67a211d00d047e74a46492b17b |
| SHA256 | dd10926a0b8ddb5357c14d076a810dbd6b0eaec74c098cba7d6b8e794cb46d0a |
| SHA512 | 8878782305d159ee0a3e491f07405fad407970573ec5d4dc84ec8c1d999e1cecc71957ce36f8746c0e84d6110b347a857fae3bcb6989b4b318114b0ba82c3055 |
memory/1792-49-0x00007FF7D8540000-0x00007FF7D8894000-memory.dmp
memory/5116-47-0x00007FF795990000-0x00007FF795CE4000-memory.dmp
memory/3648-44-0x00007FF7F4040000-0x00007FF7F4394000-memory.dmp
memory/5048-42-0x00007FF74C170000-0x00007FF74C4C4000-memory.dmp
C:\Windows\System\rWIdpvm.exe
| MD5 | 7765a01749b9571e26c48d851aacdd5f |
| SHA1 | 3fd27aa2efdc5737e6b7ff0d627a779f178de682 |
| SHA256 | 5c73dc07c8df959e8a63be75bd06a07c57cc54b68a312b986f7eaae055ed47b1 |
| SHA512 | 9ab29e696c543f2de46294175f7594d108bbfec638ec6ba6daaa7f05bf5c184d96396d943dc16905499d40a2824d55ef00a9f37aeb8c4cf4f0859ce95c5b63d7 |
memory/868-28-0x00007FF669F80000-0x00007FF66A2D4000-memory.dmp
memory/4412-23-0x00007FF68E530000-0x00007FF68E884000-memory.dmp
C:\Windows\System\MZAjkcQ.exe
| MD5 | 7b9ac1d6811b3d001ca462c6da123b5c |
| SHA1 | f2ffe9c455159ecbac89d8a9b270289ffd4aa086 |
| SHA256 | 9767578972455bac840ec87226c45492ff9830e59808eadce85cc12b0e39c6b7 |
| SHA512 | 3fc183da8e933a56d15b29a357bd18d507bc8175958cb2a95712cfbdccff869dba5fc5c1c08dc454fa4e7c6b4f613d850b2cdcbd8cad5c5eb07c05b4d11f0880 |
memory/4896-90-0x00007FF737350000-0x00007FF7376A4000-memory.dmp
C:\Windows\System\acWIngT.exe
| MD5 | a8515e90f6b5c1a5205080c894fe9c2c |
| SHA1 | 9765328e79a8413ac45c4e918d7c06655ace8e22 |
| SHA256 | f6f9075fce28d11f42598b40e0a43d35e152965c710fd9882d6e9f1a703028e3 |
| SHA512 | 6a44c8fa159edcf075cbb91526e8f4606f5bc5809c5fb7268c87a226fc4d8739c06514856dc35e8a77827c0924c14bb0f931d6a4334e219cfb92f4cb79969459 |
memory/2236-98-0x00007FF718390000-0x00007FF7186E4000-memory.dmp
C:\Windows\System\vakqNZw.exe
| MD5 | 506e6f444d7fd621180f6b0313eaa423 |
| SHA1 | 07dde9841e3fd1551040a0919cd8ae4fd26084f3 |
| SHA256 | f1868109d1f879890d38e1f8647dabb015a3cf75db1015e90183dfaf6d4452dc |
| SHA512 | bdeb146b63f8b4158e88004aee8c832922e199472434857d6ccc5c1bacdccf4ab79b0f451a5f823641fe146d550fab0505c162cc22d9d2b10e57f94ef46533b6 |
C:\Windows\System\AjRIYOj.exe
| MD5 | 5eaf4cd529e222dfb85d012a4fb6905e |
| SHA1 | 8684e953b173bd05a08d876b6527bd0e2ae423b5 |
| SHA256 | 62bb15c1c9c3567b845bd0da42eab1a00cfb0d3b2a739d3139922d74054e7f93 |
| SHA512 | 3c57f3dc69eb77d73e60d500a3c4afeb5b9ebafa725d01ca2dac971ebffc479988a15d7c69b4792eff2c77891bcdad3b85d586c1e6d5cc99aaae04216ba99ea0 |
C:\Windows\System\KjpDPTo.exe
| MD5 | 576587be90b96c94adf862472cd7a5e7 |
| SHA1 | b7fa90d818992dde4f2dffc4b4432ba4f7bcf775 |
| SHA256 | 0c501a9ccf3897abd8149a846a91824e2103460eb4d04bf9d88040cf6816a23b |
| SHA512 | b41685f469b030a304ab949f48d85d7cc74167c416128425ae7ad5c71c57a3c6ea7447df8ae72771d5f82a79a7811c7683be166624e704f84e7a37505b3673a5 |
memory/4744-106-0x00007FF6AD5A0000-0x00007FF6AD8F4000-memory.dmp
memory/2864-113-0x00007FF60D800000-0x00007FF60DB54000-memory.dmp
memory/1060-116-0x00007FF675030000-0x00007FF675384000-memory.dmp
C:\Windows\System\fKgLmfj.exe
| MD5 | 082f00c768d056868d3582fdd5a25b4b |
| SHA1 | 6d30e4341d14291b0ea56f8f30b2318fff114666 |
| SHA256 | 63215835c51586c2975727de93a24ceb25c8fa3daa6c1e65e1bca264e19c1a50 |
| SHA512 | a7309746fb9e5d1a5878ce0b3ca32092639fde961c46e11f4aa2dc58c3dd65a91f961bcec3e072b9496a70f5bafc6329ed8590cc0c9548b5de329da22b581cd3 |
memory/4628-123-0x00007FF73BB30000-0x00007FF73BE84000-memory.dmp
memory/1796-128-0x00007FF797C70000-0x00007FF797FC4000-memory.dmp
memory/1328-130-0x00007FF6F4C00000-0x00007FF6F4F54000-memory.dmp
memory/868-129-0x00007FF669F80000-0x00007FF66A2D4000-memory.dmp
C:\Windows\System\vrVmItp.exe
| MD5 | ee802b16632bd0d9940af2436e0bdf6e |
| SHA1 | bf47c70eeb2b70a9922361ea13387e28654a0f7f |
| SHA256 | 205b8f5313f523e956df2ce6006b8199c0b7ce6ea22eb6a81946836b26a50814 |
| SHA512 | 37e3ad463bec1ae6ee1b93941d96e6f8ddc42432e8e7317ae5b5dcbd8caa511febf10d5b1a888bb1a6eb2cc330fe0a5bc3dd0399b00f04808fd62c7626467a38 |
memory/2504-120-0x00007FF69AFC0000-0x00007FF69B314000-memory.dmp
memory/5048-131-0x00007FF74C170000-0x00007FF74C4C4000-memory.dmp
memory/3648-132-0x00007FF7F4040000-0x00007FF7F4394000-memory.dmp
memory/4896-133-0x00007FF737350000-0x00007FF7376A4000-memory.dmp
memory/2864-134-0x00007FF60D800000-0x00007FF60DB54000-memory.dmp
memory/4628-135-0x00007FF73BB30000-0x00007FF73BE84000-memory.dmp
memory/1796-136-0x00007FF797C70000-0x00007FF797FC4000-memory.dmp
memory/4412-137-0x00007FF68E530000-0x00007FF68E884000-memory.dmp
memory/396-138-0x00007FF750100000-0x00007FF750454000-memory.dmp
memory/868-139-0x00007FF669F80000-0x00007FF66A2D4000-memory.dmp
memory/5116-140-0x00007FF795990000-0x00007FF795CE4000-memory.dmp
memory/5048-141-0x00007FF74C170000-0x00007FF74C4C4000-memory.dmp
memory/1792-142-0x00007FF7D8540000-0x00007FF7D8894000-memory.dmp
memory/3648-143-0x00007FF7F4040000-0x00007FF7F4394000-memory.dmp
memory/2536-144-0x00007FF74BAE0000-0x00007FF74BE34000-memory.dmp
memory/64-145-0x00007FF7F5180000-0x00007FF7F54D4000-memory.dmp
memory/1460-147-0x00007FF74CDD0000-0x00007FF74D124000-memory.dmp
memory/864-146-0x00007FF6EF600000-0x00007FF6EF954000-memory.dmp
memory/4712-149-0x00007FF756B70000-0x00007FF756EC4000-memory.dmp
memory/4616-148-0x00007FF693820000-0x00007FF693B74000-memory.dmp
memory/4896-150-0x00007FF737350000-0x00007FF7376A4000-memory.dmp
memory/2236-151-0x00007FF718390000-0x00007FF7186E4000-memory.dmp
memory/4744-152-0x00007FF6AD5A0000-0x00007FF6AD8F4000-memory.dmp
memory/1060-153-0x00007FF675030000-0x00007FF675384000-memory.dmp
memory/2864-154-0x00007FF60D800000-0x00007FF60DB54000-memory.dmp
memory/4628-155-0x00007FF73BB30000-0x00007FF73BE84000-memory.dmp
memory/1328-156-0x00007FF6F4C00000-0x00007FF6F4F54000-memory.dmp