Analysis Overview
SHA256
d2bd88618e3800133a8d9e0db2c37727a41513cf9bc68122821e6e8f5a316c49
Threat Level: Known bad
The file 2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Detects Reflective DLL injection artifacts
XMRig Miner payload
Xmrig family
Cobaltstrike family
Cobaltstrike
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 03:05
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 03:05
Reported
2024-06-01 03:08
Platform
win7-20240508-en
Max time kernel
124s
Max time network
134s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\hqsbPJp.exe | N/A |
| N/A | N/A | C:\Windows\System\ZMWxDum.exe | N/A |
| N/A | N/A | C:\Windows\System\vOjFUcm.exe | N/A |
| N/A | N/A | C:\Windows\System\UijatYD.exe | N/A |
| N/A | N/A | C:\Windows\System\eWkWWNr.exe | N/A |
| N/A | N/A | C:\Windows\System\MnQAViU.exe | N/A |
| N/A | N/A | C:\Windows\System\kyKpOnA.exe | N/A |
| N/A | N/A | C:\Windows\System\HUbDulp.exe | N/A |
| N/A | N/A | C:\Windows\System\oeZrCBO.exe | N/A |
| N/A | N/A | C:\Windows\System\MegcHRa.exe | N/A |
| N/A | N/A | C:\Windows\System\LELGmTh.exe | N/A |
| N/A | N/A | C:\Windows\System\zCVkuIQ.exe | N/A |
| N/A | N/A | C:\Windows\System\DuGzhJj.exe | N/A |
| N/A | N/A | C:\Windows\System\mncqekz.exe | N/A |
| N/A | N/A | C:\Windows\System\cprRiRJ.exe | N/A |
| N/A | N/A | C:\Windows\System\bDXbqpU.exe | N/A |
| N/A | N/A | C:\Windows\System\eOmLMjR.exe | N/A |
| N/A | N/A | C:\Windows\System\Gialqwe.exe | N/A |
| N/A | N/A | C:\Windows\System\sDOyaWG.exe | N/A |
| N/A | N/A | C:\Windows\System\DkzxflM.exe | N/A |
| N/A | N/A | C:\Windows\System\OGYJVwr.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\hqsbPJp.exe
C:\Windows\System\hqsbPJp.exe
C:\Windows\System\ZMWxDum.exe
C:\Windows\System\ZMWxDum.exe
C:\Windows\System\eWkWWNr.exe
C:\Windows\System\eWkWWNr.exe
C:\Windows\System\vOjFUcm.exe
C:\Windows\System\vOjFUcm.exe
C:\Windows\System\kyKpOnA.exe
C:\Windows\System\kyKpOnA.exe
C:\Windows\System\UijatYD.exe
C:\Windows\System\UijatYD.exe
C:\Windows\System\HUbDulp.exe
C:\Windows\System\HUbDulp.exe
C:\Windows\System\MnQAViU.exe
C:\Windows\System\MnQAViU.exe
C:\Windows\System\oeZrCBO.exe
C:\Windows\System\oeZrCBO.exe
C:\Windows\System\MegcHRa.exe
C:\Windows\System\MegcHRa.exe
C:\Windows\System\LELGmTh.exe
C:\Windows\System\LELGmTh.exe
C:\Windows\System\zCVkuIQ.exe
C:\Windows\System\zCVkuIQ.exe
C:\Windows\System\mncqekz.exe
C:\Windows\System\mncqekz.exe
C:\Windows\System\DuGzhJj.exe
C:\Windows\System\DuGzhJj.exe
C:\Windows\System\cprRiRJ.exe
C:\Windows\System\cprRiRJ.exe
C:\Windows\System\bDXbqpU.exe
C:\Windows\System\bDXbqpU.exe
C:\Windows\System\eOmLMjR.exe
C:\Windows\System\eOmLMjR.exe
C:\Windows\System\Gialqwe.exe
C:\Windows\System\Gialqwe.exe
C:\Windows\System\sDOyaWG.exe
C:\Windows\System\sDOyaWG.exe
C:\Windows\System\DkzxflM.exe
C:\Windows\System\DkzxflM.exe
C:\Windows\System\OGYJVwr.exe
C:\Windows\System\OGYJVwr.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3056-0-0x000000013F040000-0x000000013F394000-memory.dmp
memory/3056-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\hqsbPJp.exe
| MD5 | f99be095413efc891b0c7d8b66f0ea8a |
| SHA1 | 6eb1a153c362562e974c828819ace039ece82f00 |
| SHA256 | 45bd3b1e9a3838b21e59d8a8c5faa20bee4434ebee07758806dc03c737c81569 |
| SHA512 | b1e3f21f8c296e8ac7258d90ff1ecea54d4484e6a1234d028ae48515d2c3fe02e579ff6553a359813eff783f32fa8c79dab1f684d88ecbf5bdba76aff90ce798 |
memory/2456-8-0x000000013F2C0000-0x000000013F614000-memory.dmp
\Windows\system\ZMWxDum.exe
| MD5 | f2d29204e190c8bd6195adae4cf8aecf |
| SHA1 | e4883cbf17e9db51a337d5c8b45dc252743005df |
| SHA256 | fb09bc15fe85bb3643c915e18310f4a9c1c7eadaa1e7b4540335a0c6dd73e31b |
| SHA512 | 9129265047dd9c609b4ea71036ee900befe8a5c442e15cc9930a7302a19be285167c1ea09300218119807e9b7740b1bf0d0013855f16e1c205c6662134fcbb30 |
C:\Windows\system\UijatYD.exe
| MD5 | d68cf579743d307481c0ae2ef727fab7 |
| SHA1 | 6f6b67ce5bfbae3aa14950c9031dece0d3fd9a85 |
| SHA256 | b70171c7d2174fcc43a0714d5995866f9b7132668760fab38741a95cddff89ae |
| SHA512 | 6fe9c9262e246dd683211f04470c88654ea0ede0b96e9ed609295475f2dcee773282f1f4239fbc3074dbe0b87cbdc1b4c4550c76c6f2195917ddd72435ad12e7 |
\Windows\system\eWkWWNr.exe
| MD5 | 702cadc70c16a07fb8ce77a7332d3362 |
| SHA1 | 467a099c1404069805439f59068f474c9389f32c |
| SHA256 | 33d624cc4b5a48c906ad49f2c50bd95cb61ea7e6af049f0931d77f07c4e60a3b |
| SHA512 | 732956c55b85f6a478099a6ece9a2562bb2293bad4079deabb1a9bf40715275234e6ee899c8c14eae91528a772c741c53b24f3d78481cac0ac511bec8d6a71e3 |
memory/3056-50-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2812-52-0x000000013FCC0000-0x0000000140014000-memory.dmp
C:\Windows\system\kyKpOnA.exe
| MD5 | ba0dab4e9bd65b24c3fac4f5d41a2cd6 |
| SHA1 | 03211f423cdbfadbb60a77d029472d8b2e65733c |
| SHA256 | 5b41aee25e125e1a4112dd03e71396be015e6f9e7665e7f98812ae5db4162915 |
| SHA512 | 1a9ca0f92696989a24b2cd255e07e63827812aff9ef9e3e3597d21ad94b8d76d45e032c97dff7f615198b8c9d8a943f7081aa18022f49269d43f36b8d1b219c7 |
memory/3056-39-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/2644-72-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/2556-63-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/3056-85-0x0000000002320000-0x0000000002674000-memory.dmp
C:\Windows\system\DuGzhJj.exe
| MD5 | bcb5e2b8e3d128c21b7c74f175fc386d |
| SHA1 | b1c78ddaf7fef9479bf4ade01dc56ceaca0a2afb |
| SHA256 | cf28ba062dd0d4529d17571bb2f40e74113e0adc1e0dcebe721f7aa840b3948d |
| SHA512 | faa96533917d59b29d38dd4e4169b5879b5e3cb5ebd50f114778d43f60bc355d69b2bcba07a95143321a79879badedff57c758060b0106b9fc735ea88c37a995 |
C:\Windows\system\eOmLMjR.exe
| MD5 | bb36f6e0801f7c4ab9a0f11670bd1cf4 |
| SHA1 | 83df28ca5e66d5195ecdc1d1b6edffbfc384c729 |
| SHA256 | 73c917af111f6c51bf7e13765a1f418b987d6fdd2d7cb422bf2f12402ac5be89 |
| SHA512 | 1b97c3a6b55100edf82b558d422f0ecf2a5e223ac199c357388d20b042f3eee439b8fa3d85e87d67182ac3eee7d429c6d4bf8f7f36927ce3d9d1cdfbf28f98ee |
C:\Windows\system\DkzxflM.exe
| MD5 | 6cbbf68e3292c9b7811ce6afc986b0a8 |
| SHA1 | 8c58d4f0ddffa2e789dfea7d6eb18e22b49ef777 |
| SHA256 | ba2ba4e29e87840ebba07407eec4178c37bccf5c8e53082c5cf30d73b474f41c |
| SHA512 | d6030b4ffc94b47faa434adf0336a49e9d93f019f33e7be8a0cf1e2d8ad9532cbd3fc59c6c69da97ba62cad32a0e493a22ce88ec2fb068d7ccbf7b21530bcbff |
\Windows\system\OGYJVwr.exe
| MD5 | f71721f4c4b245614fc8feff4fdb1e3c |
| SHA1 | a9e9bcaec0b915f6b1d5bb5e6559c8a352cd331d |
| SHA256 | ab5ad4c924769195d602d4c3661a2ead70cf4c27ada0b2d409c8163915c6587b |
| SHA512 | 2823354ef33854aa7512256e9c97d7f2680f06648fa6bcf035880fb554354dfa5d47931b8686a6e954722e87d25c35b40e8740b40e35eb81d910a0026a5b6bfe |
C:\Windows\system\sDOyaWG.exe
| MD5 | 2cfdfa2e7e6707ba61c96780c63909f5 |
| SHA1 | 6335567c8231d8b847a7756b14fefa9c46cd7093 |
| SHA256 | 48074380a6321e6b44577c8b2491c5431fd37481955fc1642c679478a44c834e |
| SHA512 | 7ce7ffde91609a96d40eafa4f55bd5eadb0bc58ad59e9d5061e9d30965356396a4b2a603aa48bf318c7c5bf2c8879250a2b3040ff5dc1d8a99bcf2beafe0285f |
C:\Windows\system\Gialqwe.exe
| MD5 | fbf9701ad23581739221a3e01ee13595 |
| SHA1 | e227dd57955a35c359750b7244ba2793f62707db |
| SHA256 | 83e661a39589b5ddda0c61a79f34c639f2304106edb437c0184fa1721b6d8987 |
| SHA512 | 76803e5f3a3fdbd55ae51acb24a5da7d8d364dc2f9f62969f07bc290840dbc8e644d1500cf90d08d68f09ca5719e21c4e6f419c0d5bc9a6ec4200d9b9fa9b1b9 |
C:\Windows\system\bDXbqpU.exe
| MD5 | f38feed12c1e4ca355f61006c8d5fad2 |
| SHA1 | 74b08cd4f40a82513bca3598f8bfc08c1ce10a37 |
| SHA256 | e831ca399d1e0693b2dc0f2f2794c0173388db60f85d884de720e068a9a674a9 |
| SHA512 | 86e5dd625c1385310bf6684075d30bf6b9763994b84b3b6e93d9ac558a6d07986d14a1cc8eef8d6c43b0456ba4680a0713c8306c9e7cd1345d87549843da8a56 |
memory/3056-108-0x0000000002320000-0x0000000002674000-memory.dmp
C:\Windows\system\cprRiRJ.exe
| MD5 | 9fd24a3b5e3014f72849e3116723ec0a |
| SHA1 | 379ae9bd42d8dadda66601984b40997f5e3bd685 |
| SHA256 | 43679d89aee9cb0eb1ba46bf5b3b040cd13ad7ed42c39f459cab967a502de351 |
| SHA512 | 5c0c74924c57b09961be3d6438435973239ee5e3a0d025f8f488c093995c57f625ee58accc925b8ec9f81a1676db2bc6ef79641cd28f1f6c16d7ac150570ec2f |
memory/3056-92-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2624-91-0x000000013FBC0000-0x000000013FF14000-memory.dmp
\Windows\system\mncqekz.exe
| MD5 | 931f03dc3a3725656f0467c11c38a4c4 |
| SHA1 | cf897f01adb76b0219e82794325e7e8d8fb42eed |
| SHA256 | 78a740d758dae27effdd455a72ddea0a00a54a336bbee904695a43ab43d2ff92 |
| SHA512 | 221cf6e9787b97db09cf76473d8eafaaf26885a4dd1611f19366fa54c55868393532707c97747ed6735f4a48690d5cb9958da5937cae71f36ea5dde8c797c360 |
memory/3008-104-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2988-99-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/3056-98-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/2716-97-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/2768-86-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2188-84-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2064-78-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2640-140-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2556-142-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2904-141-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/3056-77-0x000000013F520000-0x000000013F874000-memory.dmp
C:\Windows\system\LELGmTh.exe
| MD5 | 07e3184a03033a7c38863bc79e0e484e |
| SHA1 | 8fa956103be5f830335fb0e714e72233be15a61e |
| SHA256 | 1779efba1d2f4d725000f23bd4f11b43caba3a930957b6f7983ca67d58a57c9e |
| SHA512 | c365815598674ab66e9ec7dd22a605b942f4b0d87b0261a875835b94fb196fc57a2487320d936fdb33c001023b87079a92f6a6ddf6c84b6e7fc9a94723998ff3 |
C:\Windows\system\zCVkuIQ.exe
| MD5 | 2dd6facfd1a0046bb866e7544874c2fc |
| SHA1 | 6e7d935dd86a73f5264090eb79d0f386b0357c81 |
| SHA256 | 8d36f1e6d4bfd73d19f7698413e1879fb71e16ddab2ef3c63ba48632f90b27ae |
| SHA512 | 92704936f0770148697b3f082f0365201af633ba4ac488ebbeea327415159c15b2c26998ea13247616466e875a325e5ecce9b22d89770ecbb7b44ec278f9d5bb |
memory/2904-62-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/3056-61-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2640-60-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2456-59-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/3056-143-0x000000013F3B0000-0x000000013F704000-memory.dmp
C:\Windows\system\oeZrCBO.exe
| MD5 | a48dc16c6928fc9558f3d6cde743c6c6 |
| SHA1 | f7edff8357c0316e72d7da4d37cda7a2e4b7c29f |
| SHA256 | c95b703a18019c905d05f48d788af488bfd7530a88360694234236c84b76fbd7 |
| SHA512 | 868555a529bf055584b1a487c64a49ff2654ad425d1acb1777c35cf3aa3e19cca5ca02367f2b5b554768c6c7bea9eb53d088c573808fb026e70f5ed92c06aebd |
C:\Windows\system\HUbDulp.exe
| MD5 | 1b95fd58f1bd66f8f9c410b8629efb17 |
| SHA1 | c3ea004827f24e23c7966545fcbd301e23cc5fdf |
| SHA256 | e5e2b249bb9020ca17150cef50a8c3ad7a7fa9c351fa325528644ce59db9b79c |
| SHA512 | 114ad72f0fc0eb9204e15166f3f44caa4dd36ac0741034919e4c7d72295d4306583a59f3581dafe78ac0d5318b991035b726499d40b208eb299a8e36434c9126 |
memory/3056-71-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2624-28-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/3056-25-0x000000013FBC0000-0x000000013FF14000-memory.dmp
C:\Windows\system\vOjFUcm.exe
| MD5 | a689e74d341def637b55f19071f9436c |
| SHA1 | 43a66cdb41584d022ce168bcb821e5e57077d4c2 |
| SHA256 | 35e843b33fb8d3d3e67d0184049cb2dd7c4ffd35e2ab0b5ddbab052c89aac831 |
| SHA512 | ce59df8d7c55213e529d28b7619aad5b8e59983847b278397fa864ac34397fecddf12a2a1fa59656abec3d77a452f1d2c113d99429e93305b834da1a94c03393 |
memory/2188-17-0x000000013FA30000-0x000000013FD84000-memory.dmp
C:\Windows\system\MegcHRa.exe
| MD5 | 04a8e75080ef989a5567c11d94426da1 |
| SHA1 | dcdaa40c2515469394021762a7e95ccadd86f691 |
| SHA256 | 8a7a76727cc6f558c046abe90a83f49d25ee78aab3fd98b7a86bedfe6416a5ca |
| SHA512 | adbfe5016b20ba9cd8f7452981bc79c7c42a8b26d349d9e5c93061da1413832aff2b0456ec65bbe61fe658f63556022f0ec09960dd7ab0ab1c216e4c56c00e94 |
memory/2064-145-0x000000013F520000-0x000000013F874000-memory.dmp
memory/3056-144-0x000000013F520000-0x000000013F874000-memory.dmp
memory/3040-51-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/3056-47-0x000000013FCC0000-0x0000000140014000-memory.dmp
C:\Windows\system\MnQAViU.exe
| MD5 | ad2870a85eb544848e83663279118d1a |
| SHA1 | 45232f5568750fff0f200f926c7b6767020171f5 |
| SHA256 | eae31ddab68fe23984ccac57bea77b91f326056968a618d6033e6098a5df0f70 |
| SHA512 | 54e021c75cb258c02d534c586702bd272b73c18919f1c3663c0fdb343092265edfb869c8eaa8dfec744f8e5d4facd146e7663de4fd2cbbf0b675dce8346535da |
memory/3056-43-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2716-35-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/3056-32-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/3056-21-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/3056-12-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/3056-146-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2768-147-0x000000013F320000-0x000000013F674000-memory.dmp
memory/3056-148-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/3056-149-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/2988-150-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/3056-151-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2456-152-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/2188-153-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2624-154-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2716-155-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/2812-156-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2904-158-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/3040-157-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2644-162-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/2556-161-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2064-160-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2768-159-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2988-163-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/3008-165-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2640-164-0x000000013FEA0000-0x00000001401F4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 03:05
Reported
2024-06-01 03:08
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\nLglsCa.exe | N/A |
| N/A | N/A | C:\Windows\System\GmJxHMQ.exe | N/A |
| N/A | N/A | C:\Windows\System\wOqiKgR.exe | N/A |
| N/A | N/A | C:\Windows\System\wFngEqy.exe | N/A |
| N/A | N/A | C:\Windows\System\QIEfxux.exe | N/A |
| N/A | N/A | C:\Windows\System\YJsCVnj.exe | N/A |
| N/A | N/A | C:\Windows\System\biNYeJI.exe | N/A |
| N/A | N/A | C:\Windows\System\xJnsPuL.exe | N/A |
| N/A | N/A | C:\Windows\System\syIdOlK.exe | N/A |
| N/A | N/A | C:\Windows\System\rfGtZag.exe | N/A |
| N/A | N/A | C:\Windows\System\DkXwMBW.exe | N/A |
| N/A | N/A | C:\Windows\System\zvMJOZp.exe | N/A |
| N/A | N/A | C:\Windows\System\zEIOTvf.exe | N/A |
| N/A | N/A | C:\Windows\System\HNRItUT.exe | N/A |
| N/A | N/A | C:\Windows\System\atNEhnV.exe | N/A |
| N/A | N/A | C:\Windows\System\tGsrMAS.exe | N/A |
| N/A | N/A | C:\Windows\System\LXxmLac.exe | N/A |
| N/A | N/A | C:\Windows\System\JaksOup.exe | N/A |
| N/A | N/A | C:\Windows\System\OLOXPIo.exe | N/A |
| N/A | N/A | C:\Windows\System\iFPEQeO.exe | N/A |
| N/A | N/A | C:\Windows\System\ltovcSg.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\nLglsCa.exe | C:\Windows\System\nLglsCa.exe |
| C:\Windows\System\GmJxHMQ.exe | C:\Windows\System\GmJxHMQ.exe |
| C:\Windows\System\wFngEqy.exe | C:\Windows\System\wFngEqy.exe |
| C:\Windows\System\wOqiKgR.exe | C:\Windows\System\wOqiKgR.exe |
| C:\Windows\System\QIEfxux.exe | C:\Windows\System\QIEfxux.exe |
| C:\Windows\System\YJsCVnj.exe | C:\Windows\System\YJsCVnj.exe |
| C:\Windows\System\biNYeJI.exe | C:\Windows\System\biNYeJI.exe |
| C:\Windows\System\xJnsPuL.exe | C:\Windows\System\xJnsPuL.exe |
| C:\Windows\System\syIdOlK.exe | C:\Windows\System\syIdOlK.exe |
| C:\Windows\System\rfGtZag.exe | C:\Windows\System\rfGtZag.exe |
| C:\Windows\System\DkXwMBW.exe | C:\Windows\System\DkXwMBW.exe |
| C:\Windows\System\zvMJOZp.exe | C:\Windows\System\zvMJOZp.exe |
| C:\Windows\System\zEIOTvf.exe | C:\Windows\System\zEIOTvf.exe |
| C:\Windows\System\HNRItUT.exe | C:\Windows\System\HNRItUT.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4184,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8 |
| C:\Windows\System\atNEhnV.exe | C:\Windows\System\atNEhnV.exe |
| C:\Windows\System\tGsrMAS.exe | C:\Windows\System\tGsrMAS.exe |
| C:\Windows\System\LXxmLac.exe | C:\Windows\System\LXxmLac.exe |
| C:\Windows\System\JaksOup.exe | C:\Windows\System\JaksOup.exe |
| C:\Windows\System\OLOXPIo.exe | C:\Windows\System\OLOXPIo.exe |
| C:\Windows\System\iFPEQeO.exe | C:\Windows\System\iFPEQeO.exe |
| C:\Windows\System\ltovcSg.exe | C:\Windows\System\ltovcSg.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files