Analysis Overview
SHA256
0a15b947e4ed61d9423c4b12dffacdcc9a8986ab81bde3c5c5139492f7dee13c
Threat Level: Known bad
The file 2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
XMRig Miner payload
Cobaltstrike family
Cobalt Strike reflective loader
Xmrig family
UPX dump on OEP (original entry point)
xmrig
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 06:31
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 06:31
Reported
2024-06-01 06:34
Platform
win7-20240215-en
Max time kernel
138s
Max time network
149s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\MCCFhLA.exe | N/A |
| N/A | N/A | C:\Windows\System\mLUFjJL.exe | N/A |
| N/A | N/A | C:\Windows\System\fMajKWJ.exe | N/A |
| N/A | N/A | C:\Windows\System\kcoljJB.exe | N/A |
| N/A | N/A | C:\Windows\System\wWsPmDt.exe | N/A |
| N/A | N/A | C:\Windows\System\AtFxwTL.exe | N/A |
| N/A | N/A | C:\Windows\System\egaGxxC.exe | N/A |
| N/A | N/A | C:\Windows\System\JbXMqiV.exe | N/A |
| N/A | N/A | C:\Windows\System\zAfHTJW.exe | N/A |
| N/A | N/A | C:\Windows\System\AFcAXsJ.exe | N/A |
| N/A | N/A | C:\Windows\System\WGBByrj.exe | N/A |
| N/A | N/A | C:\Windows\System\PkiaoRS.exe | N/A |
| N/A | N/A | C:\Windows\System\jLBZAbf.exe | N/A |
| N/A | N/A | C:\Windows\System\zqJmKNO.exe | N/A |
| N/A | N/A | C:\Windows\System\VltwIsd.exe | N/A |
| N/A | N/A | C:\Windows\System\COyUvAp.exe | N/A |
| N/A | N/A | C:\Windows\System\mQpyXyJ.exe | N/A |
| N/A | N/A | C:\Windows\System\GsRoPSp.exe | N/A |
| N/A | N/A | C:\Windows\System\fwayesi.exe | N/A |
| N/A | N/A | C:\Windows\System\nDHVUrR.exe | N/A |
| N/A | N/A | C:\Windows\System\EvfDDYX.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\MCCFhLA.exe | C:\Windows\System\MCCFhLA.exe |
| C:\Windows\System\mLUFjJL.exe | C:\Windows\System\mLUFjJL.exe |
| C:\Windows\System\fMajKWJ.exe | C:\Windows\System\fMajKWJ.exe |
| C:\Windows\System\kcoljJB.exe | C:\Windows\System\kcoljJB.exe |
| C:\Windows\System\wWsPmDt.exe | C:\Windows\System\wWsPmDt.exe |
| C:\Windows\System\AtFxwTL.exe | C:\Windows\System\AtFxwTL.exe |
| C:\Windows\System\egaGxxC.exe | C:\Windows\System\egaGxxC.exe |
| C:\Windows\System\JbXMqiV.exe | C:\Windows\System\JbXMqiV.exe |
| C:\Windows\System\zAfHTJW.exe | C:\Windows\System\zAfHTJW.exe |
| C:\Windows\System\AFcAXsJ.exe | C:\Windows\System\AFcAXsJ.exe |
| C:\Windows\System\WGBByrj.exe | C:\Windows\System\WGBByrj.exe |
| C:\Windows\System\PkiaoRS.exe | C:\Windows\System\PkiaoRS.exe |
| C:\Windows\System\jLBZAbf.exe | C:\Windows\System\jLBZAbf.exe |
| C:\Windows\System\zqJmKNO.exe | C:\Windows\System\zqJmKNO.exe |
| C:\Windows\System\VltwIsd.exe | C:\Windows\System\VltwIsd.exe |
| C:\Windows\System\COyUvAp.exe | C:\Windows\System\COyUvAp.exe |
| C:\Windows\System\mQpyXyJ.exe | C:\Windows\System\mQpyXyJ.exe |
| C:\Windows\System\GsRoPSp.exe | C:\Windows\System\GsRoPSp.exe |
| C:\Windows\System\fwayesi.exe | C:\Windows\System\fwayesi.exe |
| C:\Windows\System\nDHVUrR.exe | C:\Windows\System\nDHVUrR.exe |
| C:\Windows\System\EvfDDYX.exe | C:\Windows\System\EvfDDYX.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 06:31
Reported
2024-06-01 06:34
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\JahaOkI.exe | N/A |
| N/A | N/A | C:\Windows\System\ZcaFgiW.exe | N/A |
| N/A | N/A | C:\Windows\System\wUzEtMG.exe | N/A |
| N/A | N/A | C:\Windows\System\KcDSOiP.exe | N/A |
| N/A | N/A | C:\Windows\System\gvvUQVy.exe | N/A |
| N/A | N/A | C:\Windows\System\ykbJimy.exe | N/A |
| N/A | N/A | C:\Windows\System\VDdWFHB.exe | N/A |
| N/A | N/A | C:\Windows\System\qUmItfs.exe | N/A |
| N/A | N/A | C:\Windows\System\FQosnjc.exe | N/A |
| N/A | N/A | C:\Windows\System\oeLsNog.exe | N/A |
| N/A | N/A | C:\Windows\System\zmVlLEo.exe | N/A |
| N/A | N/A | C:\Windows\System\PKnkIjk.exe | N/A |
| N/A | N/A | C:\Windows\System\cDlNYVt.exe | N/A |
| N/A | N/A | C:\Windows\System\WdEIEhz.exe | N/A |
| N/A | N/A | C:\Windows\System\WFIzFet.exe | N/A |
| N/A | N/A | C:\Windows\System\tiKQgZu.exe | N/A |
| N/A | N/A | C:\Windows\System\VPbHtce.exe | N/A |
| N/A | N/A | C:\Windows\System\JvmozBk.exe | N/A |
| N/A | N/A | C:\Windows\System\uWaloaR.exe | N/A |
| N/A | N/A | C:\Windows\System\gLZrYvN.exe | N/A |
| N/A | N/A | C:\Windows\System\sCfgwVG.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\JahaOkI.exe | C:\Windows\System\JahaOkI.exe |
| C:\Windows\System\ZcaFgiW.exe | C:\Windows\System\ZcaFgiW.exe |
| C:\Windows\System\wUzEtMG.exe | C:\Windows\System\wUzEtMG.exe |
| C:\Windows\System\KcDSOiP.exe | C:\Windows\System\KcDSOiP.exe |
| C:\Windows\System\gvvUQVy.exe | C:\Windows\System\gvvUQVy.exe |
| C:\Windows\System\ykbJimy.exe | C:\Windows\System\ykbJimy.exe |
| C:\Windows\System\VDdWFHB.exe | C:\Windows\System\VDdWFHB.exe |
| C:\Windows\System\qUmItfs.exe | C:\Windows\System\qUmItfs.exe |
| C:\Windows\System\FQosnjc.exe | C:\Windows\System\FQosnjc.exe |
| C:\Windows\System\oeLsNog.exe | C:\Windows\System\oeLsNog.exe |
| C:\Windows\System\zmVlLEo.exe | C:\Windows\System\zmVlLEo.exe |
| C:\Windows\System\PKnkIjk.exe | C:\Windows\System\PKnkIjk.exe |
| C:\Windows\System\cDlNYVt.exe | C:\Windows\System\cDlNYVt.exe |
| C:\Windows\System\WdEIEhz.exe | C:\Windows\System\WdEIEhz.exe |
| C:\Windows\System\WFIzFet.exe | C:\Windows\System\WFIzFet.exe |
| C:\Windows\System\tiKQgZu.exe | C:\Windows\System\tiKQgZu.exe |
| C:\Windows\System\VPbHtce.exe | C:\Windows\System\VPbHtce.exe |
| C:\Windows\System\JvmozBk.exe | C:\Windows\System\JvmozBk.exe |
| C:\Windows\System\uWaloaR.exe | C:\Windows\System\uWaloaR.exe |
| C:\Windows\System\gLZrYvN.exe | C:\Windows\System\gLZrYvN.exe |
| C:\Windows\System\sCfgwVG.exe | C:\Windows\System\sCfgwVG.exe |
Network
Files