Analysis Overview
SHA256
5d2443d6e03976b3f794987eafaf9941133cd73eae794a7d9a8d722ad101668d
Threat Level: Known bad
The file 2024-06-11_2bb52a383da9620012103e8949bbd5e8_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
XMRig Miner payload
Cobalt Strike reflective loader
xmrig
Detects Reflective DLL injection artifacts
Cobaltstrike family
UPX dump on OEP (original entry point)
Xmrig family
UPX dump on OEP (original entry point)
XMRig Miner payload
Detects Reflective DLL injection artifacts
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 15:49
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 15:49
Reported
2024-06-11 15:52
Platform
win7-20240508-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\XOcAtUv.exe | N/A |
| N/A | N/A | C:\Windows\System\yBpnRKl.exe | N/A |
| N/A | N/A | C:\Windows\System\MAQTVpH.exe | N/A |
| N/A | N/A | C:\Windows\System\qBWUToL.exe | N/A |
| N/A | N/A | C:\Windows\System\vyojzzQ.exe | N/A |
| N/A | N/A | C:\Windows\System\OTRFpRd.exe | N/A |
| N/A | N/A | C:\Windows\System\bVXSAPF.exe | N/A |
| N/A | N/A | C:\Windows\System\VOJuDvE.exe | N/A |
| N/A | N/A | C:\Windows\System\LGbAhib.exe | N/A |
| N/A | N/A | C:\Windows\System\XXqBSIS.exe | N/A |
| N/A | N/A | C:\Windows\System\VzFZfAP.exe | N/A |
| N/A | N/A | C:\Windows\System\amOLgER.exe | N/A |
| N/A | N/A | C:\Windows\System\IqUOIJt.exe | N/A |
| N/A | N/A | C:\Windows\System\ROAJfWK.exe | N/A |
| N/A | N/A | C:\Windows\System\SmbRdIO.exe | N/A |
| N/A | N/A | C:\Windows\System\ycEnnkr.exe | N/A |
| N/A | N/A | C:\Windows\System\biXNKlV.exe | N/A |
| N/A | N/A | C:\Windows\System\tuSwrSJ.exe | N/A |
| N/A | N/A | C:\Windows\System\WyhzIuM.exe | N/A |
| N/A | N/A | C:\Windows\System\aAtbyxb.exe | N/A |
| N/A | N/A | C:\Windows\System\qlEgKQd.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_2bb52a383da9620012103e8949bbd5e8_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_2bb52a383da9620012103e8949bbd5e8_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-11_2bb52a383da9620012103e8949bbd5e8_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-11_2bb52a383da9620012103e8949bbd5e8_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\XOcAtUv.exe | C:\Windows\System\XOcAtUv.exe |
| C:\Windows\System\yBpnRKl.exe | C:\Windows\System\yBpnRKl.exe |
| C:\Windows\System\MAQTVpH.exe | C:\Windows\System\MAQTVpH.exe |
| C:\Windows\System\qBWUToL.exe | C:\Windows\System\qBWUToL.exe |
| C:\Windows\System\vyojzzQ.exe | C:\Windows\System\vyojzzQ.exe |
| C:\Windows\System\OTRFpRd.exe | C:\Windows\System\OTRFpRd.exe |
| C:\Windows\System\bVXSAPF.exe | C:\Windows\System\bVXSAPF.exe |
| C:\Windows\System\VOJuDvE.exe | C:\Windows\System\VOJuDvE.exe |
| C:\Windows\System\LGbAhib.exe | C:\Windows\System\LGbAhib.exe |
| C:\Windows\System\XXqBSIS.exe | C:\Windows\System\XXqBSIS.exe |
| C:\Windows\System\VzFZfAP.exe | C:\Windows\System\VzFZfAP.exe |
| C:\Windows\System\amOLgER.exe | C:\Windows\System\amOLgER.exe |
| C:\Windows\System\IqUOIJt.exe | C:\Windows\System\IqUOIJt.exe |
| C:\Windows\System\ROAJfWK.exe | C:\Windows\System\ROAJfWK.exe |
| C:\Windows\System\SmbRdIO.exe | C:\Windows\System\SmbRdIO.exe |
| C:\Windows\System\ycEnnkr.exe | C:\Windows\System\ycEnnkr.exe |
| C:\Windows\System\biXNKlV.exe | C:\Windows\System\biXNKlV.exe |
| C:\Windows\System\tuSwrSJ.exe | C:\Windows\System\tuSwrSJ.exe |
| C:\Windows\System\WyhzIuM.exe | C:\Windows\System\WyhzIuM.exe |
| C:\Windows\System\aAtbyxb.exe | C:\Windows\System\aAtbyxb.exe |
| C:\Windows\System\qlEgKQd.exe | C:\Windows\System\qlEgKQd.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2416-0-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2416-1-0x0000000000100000-0x0000000000110000-memory.dmp
\Windows\system\XOcAtUv.exe
| MD5 | 01ea4477220c8ea13ff16e2ff3891d20 |
| SHA1 | a90754df0c2650b68b7800066597da47e082ed68 |
| SHA256 | 364dc26285bd978f46fd85f2fd8ca858f9eefeb3ee88acf49eceb2adb3f24018 |
| SHA512 | 382d25640839e2fa212c5100fd09094362cfb59c09e7bb172ba4009e646e0844f79f3223bdf998d97d218b8f063f0530c2a675f8fb247dc2e03e3311223b68f6 |
memory/2416-6-0x000000013F330000-0x000000013F684000-memory.dmp
memory/2060-11-0x000000013F330000-0x000000013F684000-memory.dmp
C:\Windows\system\yBpnRKl.exe
| MD5 | 50c379403194e2e9bee84e992a67538e |
| SHA1 | 138766f24e6d7535a23a47d1433d450b300dc1c3 |
| SHA256 | 7f5dccf3a815eeeb7a9c93752451dc1b8e9a99ef43511296a46dda885143f545 |
| SHA512 | 45029d3bc5d4c65649eddc4f4c510c0abd994428031638b46b9d0bb83c0c6fe86187288ba23ad0e02cd89e808d0b24174c133bb15aa43a6f2866c861b001c142 |
memory/2416-9-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/1824-15-0x000000013FF50000-0x00000001402A4000-memory.dmp
C:\Windows\system\MAQTVpH.exe
| MD5 | a66a7e171e420ea9540d162a8cfc58b5 |
| SHA1 | 950a42b0faf74b2275a581588eb7e50dc4109a0f |
| SHA256 | b264261aec532c1c49982905fa677e2f46a82ab16203c00936759ed60e070c8b |
| SHA512 | 8353155f141b85cbeac8df1089fc0b287ca808df5fd34fbf48e938b17e396d5e07c81bf3a9c0aa922a401dde1a870f9ee17174d9b541d36288745d895171dcbd |
memory/2656-22-0x000000013F5F0000-0x000000013F944000-memory.dmp
C:\Windows\system\qBWUToL.exe
| MD5 | 8239d5a4f39ea9eb1f8801ff9855574d |
| SHA1 | 7b858636e037a6d50b37cd8ac1c9596667a439b3 |
| SHA256 | 2631f2b6f70104bc0181cd908b5d30ac971912b775db2b52b3071cb9784f5dcd |
| SHA512 | 1ceaedbd2c4fc96c059258d11f7ada34a65c8d1e480a8889f38636cd42c90e9868a3807799e8ce525e5b98e04a71017fdfdc7caea6ce21ae27e5f15c075ab16b |
memory/2416-27-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2736-28-0x000000013F490000-0x000000013F7E4000-memory.dmp
C:\Windows\system\vyojzzQ.exe
| MD5 | 131e71b5f1d1d23957a7af163d1e4275 |
| SHA1 | eff3a16ae12df7cacdc14194fa8ef41c1d668c7a |
| SHA256 | 6bb1933f837506bef431f669a54a4e0da74c73656c007e01dbc7f2aff4f9b00a |
| SHA512 | 49e3cf4beba5b402919e3cca0efe8473be549b4ae6083902ebc998f1fb94178e3b482a9cbaa6304e3291d44517524ec21a8528282757d71fdc2cfb1c7af0d313 |
C:\Windows\system\OTRFpRd.exe
| MD5 | cd6dd3707efbbe1516e10e9b356ae5f5 |
| SHA1 | 9f5acfd1d4287c89d61c56dc5c2b3db924cc1d05 |
| SHA256 | 9400422026f8149e1bf5bcc6539b822a5abc8d66c82c78f46ce85f69a16b55fc |
| SHA512 | 3766e948613fefbe6972183f98e78573c8d4e44898c33bba7736d68956cd50741190927e92c801ba529b14973fc14621ee0e4e61e5e2b86168585204285d01e7 |
memory/2648-39-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2416-38-0x000000013F730000-0x000000013FA84000-memory.dmp
C:\Windows\system\bVXSAPF.exe
| MD5 | 1c6df5a48771ce290b3e8a0ceefdc488 |
| SHA1 | 12165407e4c201c572dabc087c495038d7887bc5 |
| SHA256 | 35bbaa5089cea2a9759cc546d64ca87f1404d6c77393e14e72c3083f1603aae4 |
| SHA512 | 2070879605ac37590434c88ea42a92549f135d7ff3b4dc1d5ce48e61773ac8242de60d5ebecc0b706421e63fea0ffed00ca01b1f34fb16c32929b57355fccfee |
memory/2540-53-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/2656-86-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/1776-88-0x000000013F9E0000-0x000000013FD34000-memory.dmp
C:\Windows\system\ROAJfWK.exe
| MD5 | 384b714ac8a2d74debd534f94e755f97 |
| SHA1 | f88f60f74f437ef6badfd922344d43454c7214ad |
| SHA256 | d917370222a0b4eca462e8bd3f0d4e0ffbddcc4e000298a23de2e69f86530ca8 |
| SHA512 | 3d0d318d8cf857abdbd9d919ad221dcbe10f813e2f18583e91c85d00f8cd5249b2004bb9a52344d175cda909750e1333fe9a28ec0d7b1cb5981862891d8c3586 |
memory/2996-103-0x000000013F870000-0x000000013FBC4000-memory.dmp
C:\Windows\system\WyhzIuM.exe
| MD5 | cb0f2ada9705335ec152adcc209c658e |
| SHA1 | c1b087aa53525b6f3beb8e0a254c8ba8a5dce30d |
| SHA256 | 3bbd1968ffc84262473d2971aed4f30d2b88b4c65e739289c1adf4e296e4c0a1 |
| SHA512 | cd0350643b76392e2765793554769a55cf45119521663e38d60860e2d4b4fbacee9c7d8be7876f080937c6408c3b67bbe4562f72334701e9c2ad7e31a2f231ca |
\Windows\system\qlEgKQd.exe
| MD5 | 0dd2da2b61bcda8a36a21f2e00e56c3f |
| SHA1 | 31b231c3964c2e3710510eb494693dca6d7e77fa |
| SHA256 | 39e2eb7591d3a93bec63ccc8216b99e49a6f082ed0841d93cc92004a8b46653b |
| SHA512 | 83d2041515d44c0cd0432cda7cdb958f0bca1d0ee4457c784ec77b183b1073cf5e058514bdfe9b3a634f94025ab3674790f4205006a9ebc710eb151edffabd4c |
C:\Windows\system\aAtbyxb.exe
| MD5 | 722925ddda9527f82130ed7ae4977220 |
| SHA1 | b3737a00bdebeaf6df6cffd2262803c0d8287b1c |
| SHA256 | 85dd316d78dc676907009f39b00048f0b1372abf78fc427f7ff244017bf2a067 |
| SHA512 | 06e0d7b430413858d4cbba26912125ecaf05b0301acfcc0ce92a1399cf78ec74c56e4548db85cc9f18fc07fed2e40676d8bf90e6cf3265527e7c99a29537aea7 |
C:\Windows\system\tuSwrSJ.exe
| MD5 | 998a169902678fb3ed7eddabbb88910f |
| SHA1 | 6dd116696f15fb97988b184e205a7269a06e0c58 |
| SHA256 | 04366aed942fb30426112984e7267d4887e3dde2d5f4b05fb17b93ece73a3f44 |
| SHA512 | 3b7ad48be2ecd4173de1e7252d191c3dce85504b8132f777a80509758dcf767e93cca0644ff600004cdcf295078284a04aa8950a4fc19e4827a6af8d082f8fb7 |
C:\Windows\system\biXNKlV.exe
| MD5 | 28abfef298fac691759b794de7f7127b |
| SHA1 | 168ad2ef4289cb48814af69fb3b4928a28770979 |
| SHA256 | 3e60dbc2885483e748c70d2527dcd62a7a4ef3bb37e0200f29a3ab42c44cb2b1 |
| SHA512 | 51a989b448f55d0bef41da232e98f96c735fefbe0132e0cadbf0fd2b03a20a9d7bcc1e6bc265056f5eb96b8c653170c6b46333d25ad0c520283fd78e52968faf |
C:\Windows\system\ycEnnkr.exe
| MD5 | 30a6b5828f78db15dfc5286c1411c175 |
| SHA1 | d12377b146db7a707092983261c850b463d412d3 |
| SHA256 | 2549dc18f50ecce165603433ca2c5250f71e51d46ddd1fa4b4b695650545bbfc |
| SHA512 | c3e1aac8ed32c12f52a915cc2507a77e3bb4805b78df5ab343f9de15b9a9ba30d180bc802bc74cbefe19a587397944b578636c66576b6d749fd270fd1c0986de |
C:\Windows\system\SmbRdIO.exe
| MD5 | 59b00c12c380e9fc0f34e9f829baaeee |
| SHA1 | 6616b6f0372084ede26089b63f05c3a542866486 |
| SHA256 | a8c161b913c89c743e7519209b00978b6bc2a6f550493dfbe2d7ea152d200aaa |
| SHA512 | f56d5af53a3e22f7b7b2e8da74282620d8ad1af6563d6db2e3c879429ee5ff63a921e463f6d3389bc7563ace97a5d0f001af386c115123ce666377d2dc2df1af |
C:\Windows\system\IqUOIJt.exe
| MD5 | 243a66e4be44df7e58c2d9b3b132aca2 |
| SHA1 | e71e86f659b8fb1e19eee3c3e414d18c2e13fd9e |
| SHA256 | 16bb7336a5efcab9de2a454f8d1001e8b4e8369f6ac9a56165e236bfdc5f9840 |
| SHA512 | abff6a24a59d2d2b687c0d73d971859a69b1d5192dbfcec1a816e542466ed7c143ec9a2862246c7da02f3da0dae89dfc205bc27d6230a4b435eaa6ff23501d48 |
memory/2416-87-0x0000000002390000-0x00000000026E4000-memory.dmp
C:\Windows\system\amOLgER.exe
| MD5 | e1a468a7c7a1de2bcc02d8a4d2d64166 |
| SHA1 | 875dd3535740714e8b5f312e73a00080a13bc5be |
| SHA256 | 68235c91ee75ce24d0cd416623c61c44ce2e3048d139e73554e5ccd65d87343c |
| SHA512 | 6c5db500e55806c57e4e9b42a8552f817027896d59504fc813a550e2245b1667d2e1bba12b4b4f381d2673eed0c78f7184e803350e876c0d50d0998e04ac19ff |
memory/1800-81-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/2416-80-0x000000013F250000-0x000000013F5A4000-memory.dmp
C:\Windows\system\VzFZfAP.exe
| MD5 | 05d5a3c4232d02d3576b996cbb4450f0 |
| SHA1 | 2de0d6e186e70ecf902afde4956c4e6a8370aa92 |
| SHA256 | e95883572f1ab533bfaaedea7ea8f48135372c9689e9bc81de6fe9b01d53b50e |
| SHA512 | a911c541a4980013a7574e9fe07db456225c13f17dbee942292fd02d9dd12ffcad91d690b0797439ace9b901607b4c696ab4faf1f24d8b74198a0dedeef63f57 |
C:\Windows\system\LGbAhib.exe
| MD5 | 5801f4fcdefb0a14c008b94798415678 |
| SHA1 | faafa859134dd115e6d1c09d58c5c76daabb7716 |
| SHA256 | f7a1fe557f59808d2fed81ce4b4f042c1040a7e58376d79b0815b65f1ab00f79 |
| SHA512 | 827344dfed9b82acfc3fcaebf96493f3dda4dc627c093da56cb499b645c998959996302ce546e629283d99f0949a17bf3eef8484b350196464e44df04e9fb9ba |
memory/2632-142-0x000000013F6D0000-0x000000013FA24000-memory.dmp
C:\Windows\system\XXqBSIS.exe
| MD5 | 5b6ca0a0fc4371a8261532136521daa6 |
| SHA1 | 9fb007abf04fa306efc266e79a4e65677334816e |
| SHA256 | 1eabff30eb1e28fc94dae90b93f888c6f57ae0939596d0bf692959d73416aafa |
| SHA512 | c1fb683fadf9a07e36a52e65e8eac226425a9bab8b21eee7c525828607b667322c9b9356878243255cb09a4d042ca15f399dff1ff62f70d173b5b0db350c1320 |
memory/2416-52-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/2632-47-0x000000013F6D0000-0x000000013FA24000-memory.dmp
C:\Windows\system\VOJuDvE.exe
| MD5 | 8c297eb6a4c893144247465c30f9c59b |
| SHA1 | 6681cf43361a608dcc34025ae17c86e3837e9e53 |
| SHA256 | 6b4198e1e17a494ddf5895b5c69cde7fb9f2a5eff3718daafa4e825c7905fbd1 |
| SHA512 | 535e67a4aa60c2c32a8c02a09044817a738a17f1d11d38690b1fadd73dd0a5b378ae4ffa02aba1e853b279186a003b2f61d8467319987a6219aa437c6483aabc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 15:49
Reported
2024-06-11 15:52
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\XOcAtUv.exe | N/A |
| N/A | N/A | C:\Windows\System\yBpnRKl.exe | N/A |
| N/A | N/A | C:\Windows\System\MAQTVpH.exe | N/A |
| N/A | N/A | C:\Windows\System\qBWUToL.exe | N/A |
| N/A | N/A | C:\Windows\System\vyojzzQ.exe | N/A |
| N/A | N/A | C:\Windows\System\OTRFpRd.exe | N/A |
| N/A | N/A | C:\Windows\System\bVXSAPF.exe | N/A |
| N/A | N/A | C:\Windows\System\VOJuDvE.exe | N/A |
| N/A | N/A | C:\Windows\System\LGbAhib.exe | N/A |
| N/A | N/A | C:\Windows\System\XXqBSIS.exe | N/A |
| N/A | N/A | C:\Windows\System\VzFZfAP.exe | N/A |
| N/A | N/A | C:\Windows\System\amOLgER.exe | N/A |
| N/A | N/A | C:\Windows\System\IqUOIJt.exe | N/A |
| N/A | N/A | C:\Windows\System\ROAJfWK.exe | N/A |
| N/A | N/A | C:\Windows\System\SmbRdIO.exe | N/A |
| N/A | N/A | C:\Windows\System\ycEnnkr.exe | N/A |
| N/A | N/A | C:\Windows\System\biXNKlV.exe | N/A |
| N/A | N/A | C:\Windows\System\tuSwrSJ.exe | N/A |
| N/A | N/A | C:\Windows\System\WyhzIuM.exe | N/A |
| N/A | N/A | C:\Windows\System\aAtbyxb.exe | N/A |
| N/A | N/A | C:\Windows\System\qlEgKQd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_2bb52a383da9620012103e8949bbd5e8_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_2bb52a383da9620012103e8949bbd5e8_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-11_2bb52a383da9620012103e8949bbd5e8_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-11_2bb52a383da9620012103e8949bbd5e8_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\XOcAtUv.exe | C:\Windows\System\XOcAtUv.exe |
| C:\Windows\System\yBpnRKl.exe | C:\Windows\System\yBpnRKl.exe |
| C:\Windows\System\MAQTVpH.exe | C:\Windows\System\MAQTVpH.exe |
| C:\Windows\System\qBWUToL.exe | C:\Windows\System\qBWUToL.exe |
| C:\Windows\System\vyojzzQ.exe | C:\Windows\System\vyojzzQ.exe |
| C:\Windows\System\OTRFpRd.exe | C:\Windows\System\OTRFpRd.exe |
| C:\Windows\System\bVXSAPF.exe | C:\Windows\System\bVXSAPF.exe |
| C:\Windows\System\VOJuDvE.exe | C:\Windows\System\VOJuDvE.exe |
| C:\Windows\System\LGbAhib.exe | C:\Windows\System\LGbAhib.exe |
| C:\Windows\System\XXqBSIS.exe | C:\Windows\System\XXqBSIS.exe |
| C:\Windows\System\VzFZfAP.exe | C:\Windows\System\VzFZfAP.exe |
| C:\Windows\System\amOLgER.exe | C:\Windows\System\amOLgER.exe |
| C:\Windows\System\IqUOIJt.exe | C:\Windows\System\IqUOIJt.exe |
| C:\Windows\System\ROAJfWK.exe | C:\Windows\System\ROAJfWK.exe |
| C:\Windows\System\SmbRdIO.exe | C:\Windows\System\SmbRdIO.exe |
| C:\Windows\System\ycEnnkr.exe | C:\Windows\System\ycEnnkr.exe |
| C:\Windows\System\biXNKlV.exe | C:\Windows\System\biXNKlV.exe |
| C:\Windows\System\tuSwrSJ.exe | C:\Windows\System\tuSwrSJ.exe |
| C:\Windows\System\WyhzIuM.exe | C:\Windows\System\WyhzIuM.exe |
| C:\Windows\System\aAtbyxb.exe | C:\Windows\System\aAtbyxb.exe |
| C:\Windows\System\qlEgKQd.exe | C:\Windows\System\qlEgKQd.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 80.14.97.104.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 129.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3892-0-0x00007FF755000000-0x00007FF755354000-memory.dmp
memory/3892-1-0x000001428A000000-0x000001428A010000-memory.dmp
C:\Windows\System\XOcAtUv.exe
| MD5 | 01ea4477220c8ea13ff16e2ff3891d20 |
| SHA1 | a90754df0c2650b68b7800066597da47e082ed68 |
| SHA256 | 364dc26285bd978f46fd85f2fd8ca858f9eefeb3ee88acf49eceb2adb3f24018 |
| SHA512 | 382d25640839e2fa212c5100fd09094362cfb59c09e7bb172ba4009e646e0844f79f3223bdf998d97d218b8f063f0530c2a675f8fb247dc2e03e3311223b68f6 |
C:\Windows\System\yBpnRKl.exe
| MD5 | 50c379403194e2e9bee84e992a67538e |
| SHA1 | 138766f24e6d7535a23a47d1433d450b300dc1c3 |
| SHA256 | 7f5dccf3a815eeeb7a9c93752451dc1b8e9a99ef43511296a46dda885143f545 |
| SHA512 | 45029d3bc5d4c65649eddc4f4c510c0abd994428031638b46b9d0bb83c0c6fe86187288ba23ad0e02cd89e808d0b24174c133bb15aa43a6f2866c861b001c142 |
C:\Windows\System\MAQTVpH.exe
| MD5 | a66a7e171e420ea9540d162a8cfc58b5 |
| SHA1 | 950a42b0faf74b2275a581588eb7e50dc4109a0f |
| SHA256 | b264261aec532c1c49982905fa677e2f46a82ab16203c00936759ed60e070c8b |
| SHA512 | 8353155f141b85cbeac8df1089fc0b287ca808df5fd34fbf48e938b17e396d5e07c81bf3a9c0aa922a401dde1a870f9ee17174d9b541d36288745d895171dcbd |
C:\Windows\System\vyojzzQ.exe
| MD5 | 131e71b5f1d1d23957a7af163d1e4275 |
| SHA1 | eff3a16ae12df7cacdc14194fa8ef41c1d668c7a |
| SHA256 | 6bb1933f837506bef431f669a54a4e0da74c73656c007e01dbc7f2aff4f9b00a |
| SHA512 | 49e3cf4beba5b402919e3cca0efe8473be549b4ae6083902ebc998f1fb94178e3b482a9cbaa6304e3291d44517524ec21a8528282757d71fdc2cfb1c7af0d313 |
C:\Windows\System\OTRFpRd.exe
| MD5 | cd6dd3707efbbe1516e10e9b356ae5f5 |
| SHA1 | 9f5acfd1d4287c89d61c56dc5c2b3db924cc1d05 |
| SHA256 | 9400422026f8149e1bf5bcc6539b822a5abc8d66c82c78f46ce85f69a16b55fc |
| SHA512 | 3766e948613fefbe6972183f98e78573c8d4e44898c33bba7736d68956cd50741190927e92c801ba529b14973fc14621ee0e4e61e5e2b86168585204285d01e7 |
C:\Windows\System\VOJuDvE.exe
| MD5 | 8c297eb6a4c893144247465c30f9c59b |
| SHA1 | 6681cf43361a608dcc34025ae17c86e3837e9e53 |
| SHA256 | 6b4198e1e17a494ddf5895b5c69cde7fb9f2a5eff3718daafa4e825c7905fbd1 |
| SHA512 | 535e67a4aa60c2c32a8c02a09044817a738a17f1d11d38690b1fadd73dd0a5b378ae4ffa02aba1e853b279186a003b2f61d8467319987a6219aa437c6483aabc |
C:\Windows\System\LGbAhib.exe
| MD5 | 5801f4fcdefb0a14c008b94798415678 |
| SHA1 | faafa859134dd115e6d1c09d58c5c76daabb7716 |
| SHA256 | f7a1fe557f59808d2fed81ce4b4f042c1040a7e58376d79b0815b65f1ab00f79 |
| SHA512 | 827344dfed9b82acfc3fcaebf96493f3dda4dc627c093da56cb499b645c998959996302ce546e629283d99f0949a17bf3eef8484b350196464e44df04e9fb9ba |
C:\Windows\System\XXqBSIS.exe
| MD5 | 5b6ca0a0fc4371a8261532136521daa6 |
| SHA1 | 9fb007abf04fa306efc266e79a4e65677334816e |
| SHA256 | 1eabff30eb1e28fc94dae90b93f888c6f57ae0939596d0bf692959d73416aafa |
| SHA512 | c1fb683fadf9a07e36a52e65e8eac226425a9bab8b21eee7c525828607b667322c9b9356878243255cb09a4d042ca15f399dff1ff62f70d173b5b0db350c1320 |
memory/6120-64-0x00007FF6C0350000-0x00007FF6C06A4000-memory.dmp
memory/2992-70-0x00007FF764F90000-0x00007FF7652E4000-memory.dmp
C:\Windows\System\amOLgER.exe
| MD5 | e1a468a7c7a1de2bcc02d8a4d2d64166 |
| SHA1 | 875dd3535740714e8b5f312e73a00080a13bc5be |
| SHA256 | 68235c91ee75ce24d0cd416623c61c44ce2e3048d139e73554e5ccd65d87343c |
| SHA512 | 6c5db500e55806c57e4e9b42a8552f817027896d59504fc813a550e2245b1667d2e1bba12b4b4f381d2673eed0c78f7184e803350e876c0d50d0998e04ac19ff |
memory/1192-74-0x00007FF6671E0000-0x00007FF667534000-memory.dmp
memory/3996-85-0x00007FF7A6B50000-0x00007FF7A6EA4000-memory.dmp
C:\Windows\System\ROAJfWK.exe
| MD5 | 384b714ac8a2d74debd534f94e755f97 |
| SHA1 | f88f60f74f437ef6badfd922344d43454c7214ad |
| SHA256 | d917370222a0b4eca462e8bd3f0d4e0ffbddcc4e000298a23de2e69f86530ca8 |
| SHA512 | 3d0d318d8cf857abdbd9d919ad221dcbe10f813e2f18583e91c85d00f8cd5249b2004bb9a52344d175cda909750e1333fe9a28ec0d7b1cb5981862891d8c3586 |
C:\Windows\System\IqUOIJt.exe
| MD5 | 243a66e4be44df7e58c2d9b3b132aca2 |
| SHA1 | e71e86f659b8fb1e19eee3c3e414d18c2e13fd9e |
| SHA256 | 16bb7336a5efcab9de2a454f8d1001e8b4e8369f6ac9a56165e236bfdc5f9840 |
| SHA512 | abff6a24a59d2d2b687c0d73d971859a69b1d5192dbfcec1a816e542466ed7c143ec9a2862246c7da02f3da0dae89dfc205bc27d6230a4b435eaa6ff23501d48 |
memory/5724-87-0x00007FF74CBD0000-0x00007FF74CF24000-memory.dmp
memory/1480-86-0x00007FF7F51C0000-0x00007FF7F5514000-memory.dmp
memory/4772-84-0x00007FF68BE10000-0x00007FF68C164000-memory.dmp
C:\Windows\System\VzFZfAP.exe
| MD5 | 05d5a3c4232d02d3576b996cbb4450f0 |
| SHA1 | 2de0d6e186e70ecf902afde4956c4e6a8370aa92 |
| SHA256 | e95883572f1ab533bfaaedea7ea8f48135372c9689e9bc81de6fe9b01d53b50e |
| SHA512 | a911c541a4980013a7574e9fe07db456225c13f17dbee942292fd02d9dd12ffcad91d690b0797439ace9b901607b4c696ab4faf1f24d8b74198a0dedeef63f57 |
memory/2936-71-0x00007FF7C5000000-0x00007FF7C5354000-memory.dmp
memory/2504-69-0x00007FF6C5760000-0x00007FF6C5AB4000-memory.dmp
memory/3892-65-0x00007FF755000000-0x00007FF755354000-memory.dmp
memory/2772-59-0x00007FF6D6580000-0x00007FF6D68D4000-memory.dmp
memory/540-55-0x00007FF607E90000-0x00007FF6081E4000-memory.dmp
memory/1100-51-0x00007FF777D00000-0x00007FF778054000-memory.dmp
C:\Windows\System\bVXSAPF.exe
| MD5 | 1c6df5a48771ce290b3e8a0ceefdc488 |
| SHA1 | 12165407e4c201c572dabc087c495038d7887bc5 |
| SHA256 | 35bbaa5089cea2a9759cc546d64ca87f1404d6c77393e14e72c3083f1603aae4 |
| SHA512 | 2070879605ac37590434c88ea42a92549f135d7ff3b4dc1d5ce48e61773ac8242de60d5ebecc0b706421e63fea0ffed00ca01b1f34fb16c32929b57355fccfee |
memory/4996-34-0x00007FF688DA0000-0x00007FF6890F4000-memory.dmp
memory/4716-30-0x00007FF63F130000-0x00007FF63F484000-memory.dmp
memory/3996-29-0x00007FF7A6B50000-0x00007FF7A6EA4000-memory.dmp
memory/4772-21-0x00007FF68BE10000-0x00007FF68C164000-memory.dmp
memory/2992-20-0x00007FF764F90000-0x00007FF7652E4000-memory.dmp
C:\Windows\System\qBWUToL.exe
| MD5 | 8239d5a4f39ea9eb1f8801ff9855574d |
| SHA1 | 7b858636e037a6d50b37cd8ac1c9596667a439b3 |
| SHA256 | 2631f2b6f70104bc0181cd908b5d30ac971912b775db2b52b3071cb9784f5dcd |
| SHA512 | 1ceaedbd2c4fc96c059258d11f7ada34a65c8d1e480a8889f38636cd42c90e9868a3807799e8ce525e5b98e04a71017fdfdc7caea6ce21ae27e5f15c075ab16b |
memory/2936-9-0x00007FF7C5000000-0x00007FF7C5354000-memory.dmp
C:\Windows\System\SmbRdIO.exe
| MD5 | 59b00c12c380e9fc0f34e9f829baaeee |
| SHA1 | 6616b6f0372084ede26089b63f05c3a542866486 |
| SHA256 | a8c161b913c89c743e7519209b00978b6bc2a6f550493dfbe2d7ea152d200aaa |
| SHA512 | f56d5af53a3e22f7b7b2e8da74282620d8ad1af6563d6db2e3c879429ee5ff63a921e463f6d3389bc7563ace97a5d0f001af386c115123ce666377d2dc2df1af |
C:\Windows\System\ycEnnkr.exe
| MD5 | 30a6b5828f78db15dfc5286c1411c175 |
| SHA1 | d12377b146db7a707092983261c850b463d412d3 |
| SHA256 | 2549dc18f50ecce165603433ca2c5250f71e51d46ddd1fa4b4b695650545bbfc |
| SHA512 | c3e1aac8ed32c12f52a915cc2507a77e3bb4805b78df5ab343f9de15b9a9ba30d180bc802bc74cbefe19a587397944b578636c66576b6d749fd270fd1c0986de |
memory/4716-99-0x00007FF63F130000-0x00007FF63F484000-memory.dmp
C:\Windows\System\biXNKlV.exe
| MD5 | 28abfef298fac691759b794de7f7127b |
| SHA1 | 168ad2ef4289cb48814af69fb3b4928a28770979 |
| SHA256 | 3e60dbc2885483e748c70d2527dcd62a7a4ef3bb37e0200f29a3ab42c44cb2b1 |
| SHA512 | 51a989b448f55d0bef41da232e98f96c735fefbe0132e0cadbf0fd2b03a20a9d7bcc1e6bc265056f5eb96b8c653170c6b46333d25ad0c520283fd78e52968faf |
memory/2644-104-0x00007FF66AE20000-0x00007FF66B174000-memory.dmp
memory/5748-98-0x00007FF6124D0000-0x00007FF612824000-memory.dmp
C:\Windows\System\tuSwrSJ.exe
| MD5 | 998a169902678fb3ed7eddabbb88910f |
| SHA1 | 6dd116696f15fb97988b184e205a7269a06e0c58 |
| SHA256 | 04366aed942fb30426112984e7267d4887e3dde2d5f4b05fb17b93ece73a3f44 |
| SHA512 | 3b7ad48be2ecd4173de1e7252d191c3dce85504b8132f777a80509758dcf767e93cca0644ff600004cdcf295078284a04aa8950a4fc19e4827a6af8d082f8fb7 |
C:\Windows\System\WyhzIuM.exe
| MD5 | cb0f2ada9705335ec152adcc209c658e |
| SHA1 | c1b087aa53525b6f3beb8e0a254c8ba8a5dce30d |
| SHA256 | 3bbd1968ffc84262473d2971aed4f30d2b88b4c65e739289c1adf4e296e4c0a1 |
| SHA512 | cd0350643b76392e2765793554769a55cf45119521663e38d60860e2d4b4fbacee9c7d8be7876f080937c6408c3b67bbe4562f72334701e9c2ad7e31a2f231ca |
memory/2152-120-0x00007FF601430000-0x00007FF601784000-memory.dmp
memory/1820-123-0x00007FF6275D0000-0x00007FF627924000-memory.dmp
memory/2772-122-0x00007FF6D6580000-0x00007FF6D68D4000-memory.dmp
memory/3900-114-0x00007FF680100000-0x00007FF680454000-memory.dmp
memory/1100-111-0x00007FF777D00000-0x00007FF778054000-memory.dmp
memory/4996-110-0x00007FF688DA0000-0x00007FF6890F4000-memory.dmp
C:\Windows\System\aAtbyxb.exe
| MD5 | 722925ddda9527f82130ed7ae4977220 |
| SHA1 | b3737a00bdebeaf6df6cffd2262803c0d8287b1c |
| SHA256 | 85dd316d78dc676907009f39b00048f0b1372abf78fc427f7ff244017bf2a067 |
| SHA512 | 06e0d7b430413858d4cbba26912125ecaf05b0301acfcc0ce92a1399cf78ec74c56e4548db85cc9f18fc07fed2e40676d8bf90e6cf3265527e7c99a29537aea7 |
memory/2504-132-0x00007FF6C5760000-0x00007FF6C5AB4000-memory.dmp
memory/5316-135-0x00007FF782150000-0x00007FF7824A4000-memory.dmp
C:\Windows\System\qlEgKQd.exe
| MD5 | 0dd2da2b61bcda8a36a21f2e00e56c3f |
| SHA1 | 31b231c3964c2e3710510eb494693dca6d7e77fa |
| SHA256 | 39e2eb7591d3a93bec63ccc8216b99e49a6f082ed0841d93cc92004a8b46653b |
| SHA512 | 83d2041515d44c0cd0432cda7cdb958f0bca1d0ee4457c784ec77b183b1073cf5e058514bdfe9b3a634f94025ab3674790f4205006a9ebc710eb151edffabd4c |
memory/6120-131-0x00007FF6C0350000-0x00007FF6C06A4000-memory.dmp
memory/3708-137-0x00007FF600CE0000-0x00007FF601034000-memory.dmp
memory/1192-139-0x00007FF6671E0000-0x00007FF667534000-memory.dmp
memory/1480-140-0x00007FF7F51C0000-0x00007FF7F5514000-memory.dmp
memory/5724-141-0x00007FF74CBD0000-0x00007FF74CF24000-memory.dmp
memory/5748-142-0x00007FF6124D0000-0x00007FF612824000-memory.dmp
memory/2644-143-0x00007FF66AE20000-0x00007FF66B174000-memory.dmp
memory/1820-144-0x00007FF6275D0000-0x00007FF627924000-memory.dmp
memory/3708-145-0x00007FF600CE0000-0x00007FF601034000-memory.dmp
memory/2936-146-0x00007FF7C5000000-0x00007FF7C5354000-memory.dmp
memory/2992-147-0x00007FF764F90000-0x00007FF7652E4000-memory.dmp
memory/4772-149-0x00007FF68BE10000-0x00007FF68C164000-memory.dmp
memory/3996-148-0x00007FF7A6B50000-0x00007FF7A6EA4000-memory.dmp
memory/1100-150-0x00007FF777D00000-0x00007FF778054000-memory.dmp
memory/4996-153-0x00007FF688DA0000-0x00007FF6890F4000-memory.dmp
memory/540-152-0x00007FF607E90000-0x00007FF6081E4000-memory.dmp
memory/4716-151-0x00007FF63F130000-0x00007FF63F484000-memory.dmp
memory/1192-155-0x00007FF6671E0000-0x00007FF667534000-memory.dmp
memory/2504-154-0x00007FF6C5760000-0x00007FF6C5AB4000-memory.dmp
memory/5724-157-0x00007FF74CBD0000-0x00007FF74CF24000-memory.dmp
memory/1480-158-0x00007FF7F51C0000-0x00007FF7F5514000-memory.dmp
memory/2772-156-0x00007FF6D6580000-0x00007FF6D68D4000-memory.dmp
memory/6120-159-0x00007FF6C0350000-0x00007FF6C06A4000-memory.dmp
memory/5748-160-0x00007FF6124D0000-0x00007FF612824000-memory.dmp
memory/3900-162-0x00007FF680100000-0x00007FF680454000-memory.dmp
memory/2644-161-0x00007FF66AE20000-0x00007FF66B174000-memory.dmp
memory/2152-163-0x00007FF601430000-0x00007FF601784000-memory.dmp
memory/1820-164-0x00007FF6275D0000-0x00007FF627924000-memory.dmp
memory/5316-165-0x00007FF782150000-0x00007FF7824A4000-memory.dmp
memory/3708-166-0x00007FF600CE0000-0x00007FF601034000-memory.dmp