Analysis Overview
SHA256
3cf4f77c79384f3e1361035911f8ab7d43f3460dbfffd3470d018b689a5d1b8f
Threat Level: Known bad
The file 2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Xmrig family
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobaltstrike family
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 10:08
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 10:08
Reported
2024-05-30 10:10
Platform
win7-20240221-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
XMRig Miner payload
| Description | Indicator | Process | Target |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UOOWrwe.exe | N/A |
| N/A | N/A | C:\Windows\System\gQNCKhL.exe | N/A |
| N/A | N/A | C:\Windows\System\pyMYmdH.exe | N/A |
| N/A | N/A | C:\Windows\System\bhREUZL.exe | N/A |
| N/A | N/A | C:\Windows\System\PFzrQhT.exe | N/A |
| N/A | N/A | C:\Windows\System\aKDiwYx.exe | N/A |
| N/A | N/A | C:\Windows\System\HowbUBN.exe | N/A |
| N/A | N/A | C:\Windows\System\JqtoSHv.exe | N/A |
| N/A | N/A | C:\Windows\System\Qjkfwqb.exe | N/A |
| N/A | N/A | C:\Windows\System\bRKwjIi.exe | N/A |
| N/A | N/A | C:\Windows\System\bCnjVAi.exe | N/A |
| N/A | N/A | C:\Windows\System\lcLKFqj.exe | N/A |
| N/A | N/A | C:\Windows\System\vgskgtR.exe | N/A |
| N/A | N/A | C:\Windows\System\tJXdxVE.exe | N/A |
| N/A | N/A | C:\Windows\System\prJbugS.exe | N/A |
| N/A | N/A | C:\Windows\System\bWWgvcf.exe | N/A |
| N/A | N/A | C:\Windows\System\vFgYBMD.exe | N/A |
| N/A | N/A | C:\Windows\System\wASbZHD.exe | N/A |
| N/A | N/A | C:\Windows\System\pCXZxAZ.exe | N/A |
| N/A | N/A | C:\Windows\System\FAKJbhW.exe | N/A |
| N/A | N/A | C:\Windows\System\dkdGzTS.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\UOOWrwe.exe
C:\Windows\System\UOOWrwe.exe
C:\Windows\System\gQNCKhL.exe
C:\Windows\System\gQNCKhL.exe
C:\Windows\System\pyMYmdH.exe
C:\Windows\System\pyMYmdH.exe
C:\Windows\System\bhREUZL.exe
C:\Windows\System\bhREUZL.exe
C:\Windows\System\aKDiwYx.exe
C:\Windows\System\aKDiwYx.exe
C:\Windows\System\PFzrQhT.exe
C:\Windows\System\PFzrQhT.exe
C:\Windows\System\JqtoSHv.exe
C:\Windows\System\JqtoSHv.exe
C:\Windows\System\HowbUBN.exe
C:\Windows\System\HowbUBN.exe
C:\Windows\System\bRKwjIi.exe
C:\Windows\System\bRKwjIi.exe
C:\Windows\System\Qjkfwqb.exe
C:\Windows\System\Qjkfwqb.exe
C:\Windows\System\bCnjVAi.exe
C:\Windows\System\bCnjVAi.exe
C:\Windows\System\lcLKFqj.exe
C:\Windows\System\lcLKFqj.exe
C:\Windows\System\vgskgtR.exe
C:\Windows\System\vgskgtR.exe
C:\Windows\System\tJXdxVE.exe
C:\Windows\System\tJXdxVE.exe
C:\Windows\System\prJbugS.exe
C:\Windows\System\prJbugS.exe
C:\Windows\System\bWWgvcf.exe
C:\Windows\System\bWWgvcf.exe
C:\Windows\System\vFgYBMD.exe
C:\Windows\System\vFgYBMD.exe
C:\Windows\System\wASbZHD.exe
C:\Windows\System\wASbZHD.exe
C:\Windows\System\pCXZxAZ.exe
C:\Windows\System\pCXZxAZ.exe
C:\Windows\System\FAKJbhW.exe
C:\Windows\System\FAKJbhW.exe
C:\Windows\System\dkdGzTS.exe
C:\Windows\System\dkdGzTS.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2076-0-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2076-1-0x00000000002F0000-0x0000000000300000-memory.dmp
\Windows\system\UOOWrwe.exe
| MD5 | ac800244d52b83366a65b8ec250a1b5d |
| SHA1 | fc657f7b4d6b7ee334bdf77821b8cd8e489eb87a |
| SHA256 | 2e3093313dd5169755d7291923c8492694e4a284d62245bb4a7d095f95693dbd |
| SHA512 | 1cdf011b2ac8bcaddce472ad9414bd345d415b93783f536b6071ae6035901da0637cb16d00d9ab151921b46a86fbef6d16d74cc5090b120986d625fd8d18260d |
memory/1448-9-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/2076-8-0x000000013FA60000-0x000000013FDB4000-memory.dmp
\Windows\system\gQNCKhL.exe
| MD5 | f5e323da8a2a8a1814482fa16723ec21 |
| SHA1 | 613a4f3ea4a5543bed8b82d2d7c00397eb9cb0df |
| SHA256 | afb114edc939ae87619fa52e61a26f3e6f5665a9853c89f8dc25f6ea819ec6e8 |
| SHA512 | cad36c66c4b3ec65fb5e8439e6835cb765a9f9d93fcf4c82cabb82db80dd691a7cd82c0a1bc3ecabced708cabbf3946fb684f3ee8aff92042201ff86d078b0c6 |
memory/2076-15-0x000000013FAD0000-0x000000013FE24000-memory.dmp
C:\Windows\system\pyMYmdH.exe
| MD5 | 6c3ba9c16b9b80e7d04c894cd7c4c5f2 |
| SHA1 | 7979df1b91c2f2b1f5e5a02c93bc3fe30a9cad0d |
| SHA256 | 7d575f93b53e812b62b19b409f770043cd64c47cef3a795ba1b380f728f26413 |
| SHA512 | 814e6f1a370d16836a57d62ab155ffd177aa8d54fb336c4a48398b1cb259278b07592753a995b199b3f5d5c71e412fdb0b00c1f9ec59202def73c401d8b571e4 |
memory/2460-25-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2076-34-0x000000013F990000-0x000000013FCE4000-memory.dmp
C:\Windows\system\PFzrQhT.exe
| MD5 | 93f27a8e0598b3a5e7397c8f537879b6 |
| SHA1 | 8fee760abecdd5772de6e0b4c03d88519afd3704 |
| SHA256 | 9921c75aeed4bfd87f07a27485a2e6514cca57fccc6d1bf31c489fc10101732a |
| SHA512 | 6114562a0788d98e7bf48716dbe8a9fdecad46c8478bbbef4938442dfb80dc1b8eabc3d306bbe2760f84598d54a60c67da4b072bf845fb111d9f3bd97efea3ce |
memory/2076-38-0x0000000002370000-0x00000000026C4000-memory.dmp
memory/2572-40-0x000000013F1D0000-0x000000013F524000-memory.dmp
C:\Windows\system\aKDiwYx.exe
| MD5 | 083118b379b6f992a3bdee9e5d760376 |
| SHA1 | f4667ad557a7dd199059ad328c7ea6d7238d4b86 |
| SHA256 | 9a3088728eb5be5321ab67807e098d59fb8f3b3299f10f01328a152f738a6bdc |
| SHA512 | 31bc55f2597ddfc9504c491971f7e0159dec99c9b233b488db56bfdc65c4730c13e7ba8deea56150fd33d532cdf85ea303f7fc68f829c1cea7c1746f555bd170 |
memory/2860-32-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/2900-43-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/2076-28-0x000000013F940000-0x000000013FC94000-memory.dmp
C:\Windows\system\bhREUZL.exe
| MD5 | 8f3d0ddd36710c5f9fff1de3b2202e27 |
| SHA1 | 7c1959763ca65336700144be1b9361dbf67f77fe |
| SHA256 | 656ddfef9648a66cdb78704234cf443ce2e8a9885a98f87db5af930b9c53042d |
| SHA512 | 81ae9dcd24a1b2b786b34fac9c6bbca0ecc803c5eeaac9f5daa3b4093b8f04ace6d7a2d3726890ec5b2c1219aa8b9516cf8bfcfefc02ccfdddd5a45c153f133e |
memory/2076-42-0x000000013F140000-0x000000013F494000-memory.dmp
memory/1740-18-0x000000013FAD0000-0x000000013FE24000-memory.dmp
C:\Windows\system\HowbUBN.exe
| MD5 | e659c6db3de80055beb5facba480845d |
| SHA1 | 5d91ecda266a1347653d3d98bd875665e544a7a4 |
| SHA256 | 4d6df361e4f190e9c03b23f17c3934a3aef5d1ec559ceeb684f20ad434fc2569 |
| SHA512 | d2b0accc1d546ef7318972c2421f6d9f4bb426166df6c59121659916561fab22b1fd43e51addf1ece2caf0c9e0e957dcdcd71c8f5d78e76cdcd44f368aa65511 |
\Windows\system\JqtoSHv.exe
| MD5 | 6cde515b20ef3645433ad15c1ecf2876 |
| SHA1 | fdec5c77f9891303af0a8cf32c25c74aed600872 |
| SHA256 | 1ee4b0cb7761736f0d5c89f0b90f29e4ef3196510b6603c3004dfcfd9d75957e |
| SHA512 | 67b3cbd5f4888d5a75a52cfd397ca1570f98a4ff09a938e6dfbc17c04ea7fc1544adf2b002284fc2d3cb132d35e062f0641a0c670eb0dcdadb256c5fa0aa8c5f |
\Windows\system\Qjkfwqb.exe
| MD5 | fa4a899a230e1388e2d5c0ebe92fa593 |
| SHA1 | 8160ba5dbded5682825f2348e59700cd18505972 |
| SHA256 | e7a38c51e4c86daf975c1d2f45206cb36315702b0f9ad1f7e7753183d51b26ca |
| SHA512 | 7dc69da7b44483b42ca5dab10fddee34e4853977166eed791a83459c5496c8c976fce23a31e4673ff8d18321fc8371d76c7f52fe6d098123e499a612d10fb470 |
memory/2076-61-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2076-71-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/2708-58-0x000000013F0B0000-0x000000013F404000-memory.dmp
\Windows\system\lcLKFqj.exe
| MD5 | cc97d2268af2c6b5d3abe07e2808c6c0 |
| SHA1 | e1ab240913ffed334e018cf793514cb6167cfeae |
| SHA256 | b25de339d1e59b67ae1e711c93372e5b1c2d0586cd17359c64c382a78d354d9c |
| SHA512 | c51cedde3190004f525e5e1f704f207e8c33e2ab02f8635992fff101fa6a44761ecb68d8c864534bd43cb2296c671e0971df45c77c7af48fab8e396ee8d4ae4d |
memory/2396-85-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2076-86-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2788-89-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2548-76-0x000000013F7F0000-0x000000013FB44000-memory.dmp
C:\Windows\system\tJXdxVE.exe
| MD5 | cc5e14829b3b1dfbc0014976c5b7b0b7 |
| SHA1 | 4223b78096d5b18e9bbded6b634f27f3b365842a |
| SHA256 | d8ab7ded4a5c9346a09f71272c7c0babee4e572ae3378abe27bed36f080c582f |
| SHA512 | b9f09dfbe14315f7032e27d4585219d2f196c583d556c4fccc2f0d40b90f7f4424a15beb70abac8f8cae1fbf003c84d953cd0e90bfd9f85ae589c1feac895c47 |
memory/2900-107-0x000000013F990000-0x000000013FCE4000-memory.dmp
C:\Windows\system\wASbZHD.exe
| MD5 | 8d77c814e42fb7fae56218cbfb6f6315 |
| SHA1 | 224fb1f8ef5c9f7327b11e9948933e216a913ad1 |
| SHA256 | 8983892b024e8c292090ed98e5b4b4f48d56c6d074e8cdb46c7853c9476ce1e8 |
| SHA512 | 7e70f8a14ebd82c000ab2a681abcaf26f53e578b4700d43cd7b00c3ea495ccffacec5eaadc5bbac2c856bd406becd9880311577aaeb16b7621815106eaa59841 |
C:\Windows\system\vFgYBMD.exe
| MD5 | 88ce6abebef73de5ae7a0d4294b1bcc8 |
| SHA1 | 5a757a4f1847380f381bac71ce6a89b98db0e758 |
| SHA256 | e290949bdec1069511091e25243a006b256f6e586899c23ded68f3a834efada8 |
| SHA512 | bd894a3039f0f3b6c3a3d8b6195a41345bac677eb18ff7277e0dd39da3f3bed9ffe0120bab51564a106a9b8a292fda585f0c2861cce8dce71baf2764c31d27bf |
C:\Windows\system\FAKJbhW.exe
| MD5 | c47e7c3a73a7bca0801b9ab3a9941e16 |
| SHA1 | 133e8f73342bfbf4166a083c9571b1c9d9e5504b |
| SHA256 | f6396009fb520a09b45b025d9aecbf7be917bf7bb96f87418699224a6afebbcc |
| SHA512 | 07fa32a130e8cfa8d486ed5f50c0ad91687c0642783d0d212fa33259c70b13ab817e8fd242db567a4281fac40ab10b3fb492028f479ed296e53ea872d104d058 |
\Windows\system\dkdGzTS.exe
| MD5 | e68d570bcb1186b31969d75fc4a7fcfb |
| SHA1 | 88072c9744d13f1e661c74b55e3b0903ebffa451 |
| SHA256 | 1134b7db985557ac17aa4dad8016aa074db6f59623defc46bb0d491cf45342a7 |
| SHA512 | 850b8fca4d8b9a3ee51bdd654d75bd95b3f8e8b3b6317aaba60fed9c85e90530702f580b64fbf9c14ba83dc334fe21dd44ae3e33c4cf46d0204ea603c5347e09 |
C:\Windows\system\pCXZxAZ.exe
| MD5 | fad367bf24506ebeec035c2c8b367328 |
| SHA1 | 087250cb9c704845d9723f6e05a9acf074ec89a9 |
| SHA256 | d035287c078c729fc22012f53179f0f83241119f651b99b4ace3ea1a885c8e28 |
| SHA512 | e9d0382aeaaff55513f0299d7da7da49c8a8e9268fb4513dfadc2e87d7102de3304615717de01efe70a89d2fe7802d40fb252039c74ea59980dc815470aa1b28 |
memory/2708-138-0x000000013F0B0000-0x000000013F404000-memory.dmp
\Windows\system\vFgYBMD.exe
| MD5 | 6fb6863d9548f3879b1ba1b64fc45a68 |
| SHA1 | 0dc40616de903c417cc9a8b581f9078af09ea60a |
| SHA256 | b26b72ca0ef6d18aef032253470a78a13f48dcd486b2eb6e1570c96324293e82 |
| SHA512 | cf09c13915872b96dcf1f62eac8174c1c1dfa4aabd64fb9272008df1f24e451a988f1edb48cb6ca8b7ef84d58508cf13cc3d0e709b84acf2687dd5617c6c3a61 |
C:\Windows\system\prJbugS.exe
| MD5 | ae2d75dfdacee0a1a1e94576de63b7e9 |
| SHA1 | a49e92858b37706a7f56fa34de4ceee5ba04c552 |
| SHA256 | 71c6ce3d6f8ca1777416fac62a7597b095bf4b213599359389c713830b5f96c9 |
| SHA512 | fcc9cc82a0b2ecbaf101f5513a6457900517e2e3df03259a0aca72b92aa8919edd5a28700ef355af970da40d6c82c033664ecd043bbcc3ecbbafea8001adacf1 |
C:\Windows\system\bWWgvcf.exe
| MD5 | aa7e1139afb439c92f6ce11919f6ee97 |
| SHA1 | b3f38c64f65a38f63c074315a663ac68799954c7 |
| SHA256 | b0a18a6bfa0f85d6e8df2917df79440b78bacb509600b5061cd5c6dfe8b7eb70 |
| SHA512 | 01b9a9b0a26d48d523416f88cdd6e02678c85f95da29d4df75107fdac974e4f2c51130de78c0b87d8fcfe9dd6f01bfa7890d1105c65548235c152c065c2a77b2 |
memory/676-100-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2076-99-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2304-94-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2076-93-0x0000000002370000-0x00000000026C4000-memory.dmp
C:\Windows\system\vgskgtR.exe
| MD5 | 90348cf666f88e62a8112bbab36375c9 |
| SHA1 | 1eab0025c4244974cb1f490a7a6b4ab4b352a01e |
| SHA256 | 09da4a6752ad85d18e0bca4fde8070c1b826db80bff3c50295689a9d22a114a5 |
| SHA512 | c7b5e3d81049ee5b768a85a9389e322b31ef8f68786a4d3f7b942f53e4c52732164dcd2777c78e05a25436fb8338f23c9d1c96f5e013ac05701bcc30d15b44ef |
C:\Windows\system\bCnjVAi.exe
| MD5 | e8619c62d864d51832d8864cfa8da213 |
| SHA1 | bb5125bba20c9f315a0dc71d7675fa795efd7862 |
| SHA256 | a3c936fdee8c29924fc7cb9f0b814b658f9e34aab968cc767869633d3e865a16 |
| SHA512 | 06a035f37a11a06330ce1391abaca49501ce0035b234d2a69b2d45ba49f382cd7c33e8fae85f87aa1677b17028cd779ca94a1ef8e6a5588f706ee2eb50f07dd0 |
memory/2076-78-0x0000000002370000-0x00000000026C4000-memory.dmp
memory/2400-77-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2076-139-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2860-81-0x000000013F940000-0x000000013FC94000-memory.dmp
\Windows\system\bRKwjIi.exe
| MD5 | 344a818e29aef3d5295fe4b6787bdf1f |
| SHA1 | 45662062bb0380349dace45690151e6a8df1d307 |
| SHA256 | 9039a390a12ac41b0bde23dc3561364ae329bf25f866b3aa3ae487d0d873102d |
| SHA512 | 27bcbfb69b89c5677b24dbc8c90ff96c06eeb7d7a57250070df1e2593a76b95ab7766d155a8cf84ba14b6a3bce3b8b067e90edd78b34a21e81ab37e2313d6edb |
memory/2076-70-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2076-68-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/1892-65-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2076-47-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/2076-55-0x0000000002370000-0x00000000026C4000-memory.dmp
memory/2076-140-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/2076-141-0x0000000002370000-0x00000000026C4000-memory.dmp
memory/2396-142-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2304-145-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2076-144-0x0000000002370000-0x00000000026C4000-memory.dmp
memory/676-146-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2076-147-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/1448-148-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/1740-149-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/2460-150-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2860-151-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/2572-152-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/1892-154-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2900-153-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/2708-155-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/2548-156-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/2400-157-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2788-158-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2396-159-0x000000013F230000-0x000000013F584000-memory.dmp
memory/676-160-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2304-161-0x000000013F160000-0x000000013F4B4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 10:08
Reported
2024-05-30 10:10
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
XMRig Miner payload
| Description | Indicator | Process | Target |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\bbKodxP.exe | N/A |
| N/A | N/A | C:\Windows\System\NqACPsp.exe | N/A |
| N/A | N/A | C:\Windows\System\HhPiUyN.exe | N/A |
| N/A | N/A | C:\Windows\System\jpZZCci.exe | N/A |
| N/A | N/A | C:\Windows\System\GUxYnfn.exe | N/A |
| N/A | N/A | C:\Windows\System\bgITswr.exe | N/A |
| N/A | N/A | C:\Windows\System\dEnICeO.exe | N/A |
| N/A | N/A | C:\Windows\System\sDaTOWM.exe | N/A |
| N/A | N/A | C:\Windows\System\flBawAm.exe | N/A |
| N/A | N/A | C:\Windows\System\wsTwOyh.exe | N/A |
| N/A | N/A | C:\Windows\System\UizYDiY.exe | N/A |
| N/A | N/A | C:\Windows\System\lcCjZzI.exe | N/A |
| N/A | N/A | C:\Windows\System\IxgPcMp.exe | N/A |
| N/A | N/A | C:\Windows\System\qbimJYp.exe | N/A |
| N/A | N/A | C:\Windows\System\nwXXsJd.exe | N/A |
| N/A | N/A | C:\Windows\System\tZzoSvc.exe | N/A |
| N/A | N/A | C:\Windows\System\cOAyBKV.exe | N/A |
| N/A | N/A | C:\Windows\System\qtbjpxW.exe | N/A |
| N/A | N/A | C:\Windows\System\TJXrmtH.exe | N/A |
| N/A | N/A | C:\Windows\System\jUaQUaX.exe | N/A |
| N/A | N/A | C:\Windows\System\AXtsGhz.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
Network
Files