Analysis Overview
SHA256
684b4ea17e85d2f3c4ee76ecc1608d9dee7d99bcfec76340a0e763b6ba850bca
Threat Level: Known bad
The file 2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobaltstrike family
xmrig
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
XMRig Miner payload
Detects Reflective DLL injection artifacts
Xmrig family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 13:16
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 13:16
Reported
2024-06-01 13:19
Platform
win7-20240508-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 hits, all fields N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 hits, all fields N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 64 hits, all fields N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 hits, all fields N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\GJhRSqk.exe | N/A |
| N/A | N/A | C:\Windows\System\YXgtJQP.exe | N/A |
| N/A | N/A | C:\Windows\System\jneVQfv.exe | N/A |
| N/A | N/A | C:\Windows\System\RItvBYC.exe | N/A |
| N/A | N/A | C:\Windows\System\yYzttRK.exe | N/A |
| N/A | N/A | C:\Windows\System\GJJwvDq.exe | N/A |
| N/A | N/A | C:\Windows\System\vtEoxSk.exe | N/A |
| N/A | N/A | C:\Windows\System\RIjZdba.exe | N/A |
| N/A | N/A | C:\Windows\System\eJvHJeh.exe | N/A |
| N/A | N/A | C:\Windows\System\gODShum.exe | N/A |
| N/A | N/A | C:\Windows\System\YxDcDfx.exe | N/A |
| N/A | N/A | C:\Windows\System\kSKaBkg.exe | N/A |
| N/A | N/A | C:\Windows\System\NWLgVrz.exe | N/A |
| N/A | N/A | C:\Windows\System\iVzXQWY.exe | N/A |
| N/A | N/A | C:\Windows\System\ALfBKBe.exe | N/A |
| N/A | N/A | C:\Windows\System\diEoxry.exe | N/A |
| N/A | N/A | C:\Windows\System\qcLKsyC.exe | N/A |
| N/A | N/A | C:\Windows\System\IeHIUyv.exe | N/A |
| N/A | N/A | C:\Windows\System\GeFNKWV.exe | N/A |
| N/A | N/A | C:\Windows\System\BNUBAbW.exe | N/A |
| N/A | N/A | C:\Windows\System\rzQZDCy.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| 64 hits, all fields N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\YXgtJQP.exe
C:\Windows\System\YXgtJQP.exe
C:\Windows\System\GJhRSqk.exe
C:\Windows\System\GJhRSqk.exe
C:\Windows\System\RItvBYC.exe
C:\Windows\System\RItvBYC.exe
C:\Windows\System\jneVQfv.exe
C:\Windows\System\jneVQfv.exe
C:\Windows\System\yYzttRK.exe
C:\Windows\System\yYzttRK.exe
C:\Windows\System\GJJwvDq.exe
C:\Windows\System\GJJwvDq.exe
C:\Windows\System\vtEoxSk.exe
C:\Windows\System\vtEoxSk.exe
C:\Windows\System\RIjZdba.exe
C:\Windows\System\RIjZdba.exe
C:\Windows\System\eJvHJeh.exe
C:\Windows\System\eJvHJeh.exe
C:\Windows\System\gODShum.exe
C:\Windows\System\gODShum.exe
C:\Windows\System\YxDcDfx.exe
C:\Windows\System\YxDcDfx.exe
C:\Windows\System\kSKaBkg.exe
C:\Windows\System\kSKaBkg.exe
C:\Windows\System\NWLgVrz.exe
C:\Windows\System\NWLgVrz.exe
C:\Windows\System\iVzXQWY.exe
C:\Windows\System\iVzXQWY.exe
C:\Windows\System\ALfBKBe.exe
C:\Windows\System\ALfBKBe.exe
C:\Windows\System\diEoxry.exe
C:\Windows\System\diEoxry.exe
C:\Windows\System\qcLKsyC.exe
C:\Windows\System\qcLKsyC.exe
C:\Windows\System\IeHIUyv.exe
C:\Windows\System\IeHIUyv.exe
C:\Windows\System\GeFNKWV.exe
C:\Windows\System\GeFNKWV.exe
C:\Windows\System\BNUBAbW.exe
C:\Windows\System\BNUBAbW.exe
C:\Windows\System\rzQZDCy.exe
C:\Windows\System\rzQZDCy.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
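The process list and network table above show a pattern worth turning into hunting logic: a sample running from the user's Temp directory spawns seven-letter randomly named executables out of C:\Windows\System\ (the legacy directory, not System32, where new executables have no business appearing on a current Windows install), enables SeLockMemoryPrivilege (the "Lock pages in memory" right that XMRig requests to back its scratchpad with huge pages; background knowledge, not something this report states), and connects six times to a hard-coded IP and port with no DNS lookup. The script below is an added example and not part of the sandbox report. Its event records are constructed to mirror the sections above; the field names (image, parent_image, dest, domain, proto, privilege) and the PIDs are assumptions that must be mapped onto your own telemetry, for instance Sysmon event IDs 1 and 3 or an EDR's process and network tables.

```python
"""Hunt for the dropper chain and beacon pattern recorded in this report.

Added example, not part of the sandbox report.  The event records are
constructed to mirror the Processes and Network sections above; the field
names (image, parent_image, dest, domain, proto, privilege) are an assumption
and need mapping onto your own telemetry (Sysmon event IDs 1 and 3, EDR
process and network tables).  PIDs in the sample data are made up.
"""
import re
from collections import Counter

# C:\Windows\System is the legacy 16-bit directory, not System32; on a
# current Windows install new executables appearing there are unexpected.
LEGACY_SYSTEM_EXE = re.compile(r"^c:\\windows\\system\\[^\\]+\.exe$", re.I)
# Seven letters in mixed case, the pattern of GJhRSqk.exe, YXgtJQP.exe, ...
RANDOM_SEVEN = re.compile(r"^[A-Za-z]{7}\.exe$")
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe")

PROC_EVENTS = [  # constructed; PIDs are illustrative, not the report's
    {"pid": 100, "image": SAMPLE_EXE, "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 101, "image": r"C:\Windows\System\YXgtJQP.exe", "parent_image": SAMPLE_EXE},
    {"pid": 102, "image": r"C:\Windows\System\GJhRSqk.exe", "parent_image": SAMPLE_EXE},
    {"pid": 103, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
]
PRIV_EVENTS = [  # constructed; mirrors the AdjustPrivilegeToken rows above
    {"pid": 100, "image": SAMPLE_EXE, "privilege": "SeLockMemoryPrivilege"},
    {"pid": 103, "image": r"C:\Windows\System32\svchost.exe", "privilege": "SeDebugPrivilege"},
]
NET_EVENTS = [  # constructed; mirrors the Network tables above
    *[{"pid": 100, "dest": "3.120.209.58:8080", "domain": "", "proto": "tcp"}] * 6,
    {"pid": 100, "dest": "8.8.8.8:53", "domain": "tse1.mm.bing.net", "proto": "udp"},
    {"pid": 100, "dest": "204.79.197.200:443", "domain": "tse1.mm.bing.net", "proto": "tcp"},
]

# Processes that legitimately hold SeLockMemoryPrivilege for large pages
# (database engines); extend for your estate.  XMRig asks for the same right
# to back its scratchpad with huge pages, which is why the report flags it.
LARGE_PAGE_ALLOWLIST = {"sqlservr.exe"}


def flag_process(ev):
    """Reasons a process-creation event resembles the dropper chain above;
    an empty list means nothing matched."""
    image = ev["image"]
    name = image.rsplit("\\", 1)[-1]
    reasons = []
    if LEGACY_SYSTEM_EXE.match(image):
        reasons.append("executes from legacy C:\\Windows\\System\\")
        if RANDOM_SEVEN.match(name):
            reasons.append("random seven-letter image name")
        if USER_TEMP.match(ev.get("parent_image", "")):
            reasons.append("spawned by an executable in a user Temp directory")
    return reasons


def flag_privilege(ev):
    """True when a process outside the large-page allowlist enables
    SeLockMemoryPrivilege (the right XMRig requests for huge pages)."""
    name = ev["image"].rsplit("\\", 1)[-1].lower()
    return ev["privilege"] == "SeLockMemoryPrivilege" and name not in LARGE_PAGE_ALLOWLIST


def beacon_candidates(net_events, min_hits=3):
    """Destinations contacted repeatedly over TCP with no DNS name, i.e. a
    hard-coded IP:port like the 3.120.209.58:8080 rows above."""
    hits = Counter(ev["dest"] for ev in net_events
                   if ev["proto"] == "tcp" and not ev.get("domain"))
    return {dest: n for dest, n in hits.items() if n >= min_hits}


def hunt(proc_events, priv_events, net_events):
    """Collect every finding keyed by PID."""
    findings = {}
    for ev in proc_events:
        for r in flag_process(ev):
            findings.setdefault(ev["pid"], []).append(r)
    for ev in priv_events:
        if flag_privilege(ev):
            findings.setdefault(ev["pid"], []).append("enabled SeLockMemoryPrivilege")
    for dest, n in beacon_candidates(net_events).items():
        pids = {ev["pid"] for ev in net_events if ev["dest"] == dest}
        for pid in pids:
            findings.setdefault(pid, []).append(f"{n} direct-to-IP TCP connections to {dest}")
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(hunt(PROC_EVENTS, PRIV_EVENTS, NET_EVENTS).items()):
        print(pid, "->", "; ".join(reasons))
```

Run against the constructed events, the two C:\Windows\System\ children trip all three process checks, the parent is flagged for the privilege and for six direct-to-IP connections to 3.120.209.58:8080, and the svchost.exe control event is silent. The bing.net rows in the win10 run are ordinary OS background traffic and are excluded by the "no DNS name" condition; tune min_hits to the beacon interval you expect.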
Files
memory/2716-0-0x00000000001F0000-0x0000000000200000-memory.dmp
memory/2716-1-0x000000013FE00000-0x0000000140154000-memory.dmp
\Windows\system\YXgtJQP.exe
| MD5 | 543a5feaeaffed8a5dfb57ac1d950535 |
| SHA1 | 0cb8d40d1465d8e1daea9f39fe88e34b6f9e0826 |
| SHA256 | 25ed217f757748ce4567cdff0ece1e1b097c34bb568846af8093919dc0b6f33a |
| SHA512 | 8a0ed3a5342736124844e35121042f8c8385d0a4ce9600ebc27fbb160ef913d1e421cd40fd945a50ef50bc269bb0f0bcaae1aac2fe4a2cbf543f0386fa980864 |
memory/2660-25-0x000000013F640000-0x000000013F994000-memory.dmp
memory/2716-24-0x000000013F640000-0x000000013F994000-memory.dmp
memory/2716-23-0x0000000002420000-0x0000000002774000-memory.dmp
C:\Windows\system\GJJwvDq.exe
| MD5 | 96a3f5cf869e0454eb6807c17ed5b85c |
| SHA1 | 5c9e70c13b4f2bd53ae9aa3ff99b005fb41c0cd8 |
| SHA256 | 4b2df80b32dc1fc79d12f4b01439227021312a37f2f94162d03c130c3208215c |
| SHA512 | 90a5515a15632fc38e8de45e5c6c84a120c4210b51a22dc872d0412e8698b0599ab01c4abaac68121c7904d540d7d21c7507ff682597642bd8d10355930d89f5 |
memory/2740-34-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2864-42-0x000000013F020000-0x000000013F374000-memory.dmp
C:\Windows\system\RIjZdba.exe
| MD5 | 925526dbfe2dcb1b5e93fbd51a737ddb |
| SHA1 | 93fa881c308830482d5b0e134164d459d0b85a77 |
| SHA256 | a3b44813b67ce1396fc59cbee8728ff666e3ff189c39874511d682713df05838 |
| SHA512 | 83208d540a9adc3fcb733ed38f61d71659acba76b13c0eb887f9ae0cfeb4910052d102b35353a2bca74d0177bc0d6b7645317ce1b183fa6542ec5d0f356aaa02 |
memory/2860-49-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2708-54-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2716-63-0x000000013F100000-0x000000013F454000-memory.dmp
C:\Windows\system\kSKaBkg.exe
| MD5 | 0c78a95b2caae5f1fb3225af3bee6d76 |
| SHA1 | 13c8b3524ce832abed8473e4918d03403a9019fe |
| SHA256 | ea4b6e8f1639508161fca1e5799b179aa0aa965c5cf9fd54491b4211f633f67e |
| SHA512 | 9d6ced6c990f63672c004d3092c9ae3fdc800da75e78c633262738e9239413fbd7ad3f4dc891a03623af8b15c8b41a79f46801ee01595068af87b1e8c0bb6434 |
memory/2716-82-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2116-83-0x000000013FF50000-0x00000001402A4000-memory.dmp
memory/2704-100-0x000000013F2F0000-0x000000013F644000-memory.dmp
C:\Windows\system\IeHIUyv.exe
| MD5 | cde9148e4cdf2820fb221e516bc3b3c8 |
| SHA1 | 2e14beaf4d6433c078b98bbd9bd6a54815de845c |
| SHA256 | 29d56ccf7b445429ac77817f20f1ebe9ba277ae5254c46de0563f3e912dc7288 |
| SHA512 | 7654ca88e28d06b3fd1b461b6ff4a840e6575d19cd3034532a40ec7fc3fce496917f2a2c0a5289ea97bacbc81c3bbc70c4e57bfc46c63828604fcc70d1ab4a06 |
\Windows\system\rzQZDCy.exe
| MD5 | d9c4c516e8864957b3727ab3ae965d7c |
| SHA1 | 9fd15e0585fe1564b9f83dae7098f3fe0afccc5e |
| SHA256 | f7c3cae68847dd05ec537f4ec142dad0f2e8bfe1defb16a8e4cf28cf893e658b |
| SHA512 | d65b5a80d3908400d94dd0e7006b589180cdcdfacf8d0147eb4f386191efc8fffe006d357b022d1497b0a2e350d7804ac3bcb7e5c3ff5712851b0a0c6333f1b2 |
C:\Windows\system\BNUBAbW.exe
| MD5 | a4e9949e32e9d79b69ada63dc77383ab |
| SHA1 | 2f8d1f9a39d513ff638a3bdb85222076486025c1 |
| SHA256 | b5203bc5ba2e931642582841244d5913e5724fe0f2b2144615594ac35a831f2f |
| SHA512 | 2edd417113d10cd28d05c1649624ac96bb72a1c6379f6477e7358f3107c86be7272953a3bbe65d44cb2ac61ddf4bffa4e66d1dcb5a7aab133e9143cd0a2e866a |
C:\Windows\system\GeFNKWV.exe
| MD5 | 7d984f8884e38a4f318a5b2d4c86bfcb |
| SHA1 | 2d14859bb700f2c049735a8895cdaf172f5bec1a |
| SHA256 | e3cc7605afe78fbb5264ffbc0a333bdd1080c9d2eb873dd43d234ad38c0c68a2 |
| SHA512 | adff90d0ac620357ae6212d9f25c82f5a38bee04e420de4e37bd13d141e9c02b0b8cc9adfa374162a685f58d6df1faabcd3c8d3bf83b73afe1184b945510866d |
C:\Windows\system\qcLKsyC.exe
| MD5 | 4ce408eb4583e985b3a560b88427bb3c |
| SHA1 | b8c541c7cb6d3bceddac583f79f9aa143babb760 |
| SHA256 | 84b3416ae6544963edd0ae268a6eca0ca5e5ca62e97d0ab52ebf5cb3e1aa4ceb |
| SHA512 | fa7db334d5267c526196037e580cc52bd7db183062407858f840615d313720e7bb3a96408265cd2864f1ed1f1020c7e594789f6e5fdb17e62ca7adb2ed2ba4d5 |
memory/2716-110-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2864-109-0x000000013F020000-0x000000013F374000-memory.dmp
C:\Windows\system\ALfBKBe.exe
| MD5 | 687f44801581e95c78bfac6b345a91a6 |
| SHA1 | 479bc8f6cb01e5afb72e28660d4dbd34cdca8af1 |
| SHA256 | 2bc2a18878434499f65b0629e90d54be4c283866eebd122922291b790f8375ee |
| SHA512 | 58e8bf68cab4204294212af7dd1286012984d4ddc2ac2feeb4b012476ecbc6e250c096f41f39443693a6bd1017f372ee66d5bee748fcfd366deb705b89035838 |
C:\Windows\system\diEoxry.exe
| MD5 | 0d36adc92ec893e382feaef56a7e3a8b |
| SHA1 | 06936a07b01c8a6298716ffcb319248ffddcf48c |
| SHA256 | 4a7a5698463c7169f2958249cbf15866c6ee7a63a5309007ce824f24d242fab9 |
| SHA512 | 183753def518372d573752e77c217bb7ae303c4ca68ca6727830c00e6bae44c05fa5d69b1554d15ec1b96cce31a5e3af989f04787468901b07bff4026fd67885 |
memory/2860-140-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/1448-94-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2988-93-0x000000013FD40000-0x0000000140094000-memory.dmp
C:\Windows\system\NWLgVrz.exe
| MD5 | cb28281bf0c30c88b9c6911474849cde |
| SHA1 | 04f4f9b340fa931c489539404a372077638d462c |
| SHA256 | cb0cb73458fd918c88bac8e42978cc7a746085def52d8e27eae93011a8d10661 |
| SHA512 | 1a2d63662f0d736b73f1142400db4354c7f0c1961c7093bf791159e7988468849abcbec352a65246497d214e4f04906a5002bfa0095952d3e1271b5214281bd6 |
memory/2716-90-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2660-89-0x000000013F640000-0x000000013F994000-memory.dmp
memory/2716-99-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/2640-78-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2740-98-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2716-77-0x000000013F320000-0x000000013F674000-memory.dmp
C:\Windows\system\iVzXQWY.exe
| MD5 | c98c121099e52a2cc53b9ecf0739f2ef |
| SHA1 | a4f088a225c525a3a155618bb51c7bc68f1c2ee7 |
| SHA256 | cb0959ee8035578d8e5466138149e4cb863eb2ecae9677a4a30cbd4923085527 |
| SHA512 | 68d68f06649f443272deed914b6f7aae00814e704055806ea79e503ad4c391d663d32e378f4ee6e53eba607a4960a20555522eaa96ca1c963c97f2e33fcff558 |
memory/3028-76-0x000000013FEE0000-0x0000000140234000-memory.dmp
C:\Windows\system\YxDcDfx.exe
| MD5 | 0fbca405fe49870c497b85bb3c25a128 |
| SHA1 | 8c6cd5c4c1ab508b9d0c017743ead1130354cda9 |
| SHA256 | 2e9908126db6a99bdcca82ed82d5820fe10a54c1064620cdc16e07878cd9f06b |
| SHA512 | ae32f007ee89efe21c73e5289ed700f65ec98097356e174e24f5b2a9b2993a4f1228ed904b0438a19dbd435bd6bafb3e158e2bc085bf5dd2e0499fa025fe013f |
memory/2208-64-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2544-70-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/2152-62-0x000000013F530000-0x000000013F884000-memory.dmp
C:\Windows\system\gODShum.exe
| MD5 | 7462ce2bf19997d400b0ead96e1fd253 |
| SHA1 | 3f8933d4ec745cce97f38a32f11371a7f6089414 |
| SHA256 | fc1ed4e3d4c2ebdbe25c1e824b352dd6a1fc43d6dff8f9a0ee25c0aa398c0418 |
| SHA512 | 3426162a8dc81f51086d008379aef31c191e7cc127fe0afbf00785f230fb77cd1c2e1cbc0ce1ce0f6bf3f74f7322ce787b6eb2179a7328625e4dfef75e99ef19 |
C:\Windows\system\eJvHJeh.exe
| MD5 | e65a92c089f736d3356509c90a32bc9d |
| SHA1 | cbb4f9c3be46d13cd99a5ba3937216067f3d6aea |
| SHA256 | 3f4c3dad173dbf599eaabbc5ebab98c723e758ffeaed1bb34d717a17f90c0ad8 |
| SHA512 | 815b83d1ce78afef51eb7fc7d5861a79f5f02a41eefb09bb909c8ea192ad150a723988e2e78714b6065a6239e8dbad7614b3322afcfdf2a11a3b144960f6ddc7 |
memory/2716-48-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2716-53-0x000000013FE00000-0x0000000140154000-memory.dmp
C:\Windows\system\vtEoxSk.exe
| MD5 | 7ac12cd71b5af2c60271c83389375b51 |
| SHA1 | e587099e15ceb0a0e7ab6132dfbca1e0fb3d797c |
| SHA256 | 9bed54d569bdfd570feb75e4642f4e858e1c74c7210d3714093b162b6ac80b40 |
| SHA512 | 7814bde4ace2c1bc2ff3200b5b3ead8b8d54330188ba630137c1865461c29a98ecc2a777a90511d420cbe0980d6dff9935a3e560d446e563752aca864196fe4a |
memory/2716-39-0x000000013F020000-0x000000013F374000-memory.dmp
C:\Windows\system\yYzttRK.exe
| MD5 | c9ab3bfe867374613c60d0194423197a |
| SHA1 | 4032c5fc820f8385c2db2588a5e689a67e838fea |
| SHA256 | 6227ebe5e3b225f61387c9641cf22c4f3d0a55bfd65963c3bed1683055be8877 |
| SHA512 | 694f35b216c1cdc45475649feae93b0327e7eb9c58dc31cca680bd109dbf35c3e1a14eca2e44b57e53bb35631d5bffc317a2765a2965e780f89cab526bf16bf8 |
memory/2988-32-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2716-30-0x000000013F400000-0x000000013F754000-memory.dmp
C:\Windows\system\RItvBYC.exe
| MD5 | b5aa1144cc4cdc0ba9fafd12c6d28ba6 |
| SHA1 | 4fb0df5b63ddc981db20d82cfd697d6282c56a25 |
| SHA256 | 1f4be72481521e4d20dccbbaedca9763d65e2f145d59b835b9141073a28a82ef |
| SHA512 | 56d1e39a6fcb0da249391438971c273cfe5ec8bb8aa4ee6ac2f2d3194a2732f9aa04a565c415eb57f8277a325d1e34ecd9f4cdbca193c968a8dfa18d18911fab |
memory/2708-141-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/3028-18-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2152-15-0x000000013F530000-0x000000013F884000-memory.dmp
memory/2716-6-0x0000000002420000-0x0000000002774000-memory.dmp
C:\Windows\system\jneVQfv.exe
| MD5 | 2b9744e23d27ed6c37c4ddacf629565a |
| SHA1 | 93b909f8eedcdeda260bc7469c01d41b3fb12abf |
| SHA256 | ae2e90d2b74b7a91247e630609a0a05f336604c48b40c2cbff85b6eac32f0051 |
| SHA512 | 9c2142af4791755402b814197e981b540d0784f675b6d02486a0a30842680c919e2b74d71ffdea8806da8c49d52dbd3985a5b021ccdd3c0dc9113950cbfbfc86 |
C:\Windows\system\GJhRSqk.exe
| MD5 | 7f50495d6ac587fa45cfa81fee445cc7 |
| SHA1 | 10c60df794ff15478d76c1f843e3a6ec55179add |
| SHA256 | 89b6bbaca0ae3cc135c6a6e2918f182bcc6f2e7951a9b63e8d19e65c0d1c3139 |
| SHA512 | fe7ac4b32f34d6721e4a6d2310594b05631158e155bb29fefa5709cf9f55316abed4ace26681095525a98b33a5c69fc5151a60667cbff91971b8b5b3bd4899e9 |
memory/2208-143-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2716-142-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2544-144-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/2716-145-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2640-146-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2716-147-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2116-148-0x000000013FF50000-0x00000001402A4000-memory.dmp
memory/2716-149-0x000000013F340000-0x000000013F694000-memory.dmp
memory/1448-150-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2716-151-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/2704-152-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/3028-154-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2152-153-0x000000013F530000-0x000000013F884000-memory.dmp
memory/2660-155-0x000000013F640000-0x000000013F994000-memory.dmp
memory/2988-156-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2864-157-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2740-158-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2708-159-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2860-160-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2208-161-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2544-162-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/2116-163-0x000000013FF50000-0x00000001402A4000-memory.dmp
memory/2640-164-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2704-165-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/1448-166-0x000000013F340000-0x000000013F694000-memory.dmp
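The memory dump names in the Files section carry more than they seem to: parsed as PID, sequence number, start and end address, every dumped region except one small 0x10000 block per run has the same size, 0x354000 bytes, even though the dropped executables all have different hashes. The parser below is an added example and is not part of the sandbox report. It assumes the naming convention memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, which is inferred from the lines above rather than documented on this page, and it does not assume which PID corresponds to which dropped file, because the report does not say. The sample names are copied from the behavioral1 list above plus the two PID 1148 dumps from the win10 run further down.

```python
"""Size and group the memory dumps listed in the Files section.

Added example; it is not part of the sandbox report.  The naming convention
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is inferred from the lines on
this page, not documented here, and the mapping of PIDs to image names is not
given by the report, so nothing below assumes which PID is which dropped file.
"""
import re
from collections import Counter, defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Copied from the Files sections of behavioral1 (PIDs 2716, 2660, ...) and
# behavioral2 (PID 1148) on this page; a subset, not the full list.
SAMPLE_DUMPS = """
memory/2716-0-0x00000000001F0000-0x0000000000200000-memory.dmp
memory/2716-1-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2660-25-0x000000013F640000-0x000000013F994000-memory.dmp
memory/2716-24-0x000000013F640000-0x000000013F994000-memory.dmp
memory/2716-23-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2716-30-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2740-34-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2864-42-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2860-49-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2708-54-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2152-62-0x000000013F530000-0x000000013F884000-memory.dmp
memory/2716-82-0x0000000002420000-0x0000000002774000-memory.dmp
memory/1148-0-0x00007FF729A90000-0x00007FF729DE4000-memory.dmp
memory/1148-1-0x00000165F1AF0000-0x00000165F1B00000-memory.dmp
""".split()


def parse_dump(name):
    """Return pid, seq, start, end and size for one dump name, or None if the
    name does not follow the convention or the range is empty."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        return None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """Distinct (start, size) regions per PID; a region dumped twice from the
    same process (e.g. 2716 at 0x2420000, seq 23 and 82) is counted once."""
    out = defaultdict(set)
    for n in names:
        d = parse_dump(n)
        if d:
            out[d["pid"]].add((d["start"], d["size"]))
    return dict(out)


def size_histogram(names):
    """How many distinct regions there are of each size, across all PIDs."""
    hist = Counter()
    for regions in regions_by_pid(names).values():
        for _start, size in regions:
            hist[size] += 1
    return dict(hist)


def shared_bases(names):
    """Base addresses dumped from more than one PID.  A base that appears both
    in the first-dumped process (presumably the submitted sample) and in a
    child is the thing to correlate with the WriteProcessMemory signature."""
    by_base = defaultdict(set)
    for n in names:
        d = parse_dump(n)
        if d:
            by_base[d["start"]].add(d["pid"])
    return {hex(b): sorted(p) for b, p in by_base.items() if len(p) > 1}


if __name__ == "__main__":
    for size, n in sorted(size_histogram(SAMPLE_DUMPS).items()):
        print(f"{n:3d} distinct regions of {size:#x} bytes")
    for base, pids in shared_bases(SAMPLE_DUMPS).items():
        print(f"base {base} dumped from PIDs {pids}")
```

On this subset the histogram is eleven regions of 0x354000 bytes and two of 0x10000, and two child image bases (0x13F640000 and 0x13F400000) were also dumped under PID 2716. Identical image sizes with distinct hashes (see the per-file MD5/SHA tables above) is what you would expect from one payload written out repeatedly with per-copy variation; whether the shared bases mean the parent wrote into the children or the sandbox simply attributed the dump to the parent is not something the report settles, so treat that as a lead to check against the WriteProcessMemory signature, not a conclusion.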
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 13:16
Reported
2024-06-01 13:19
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 hits, all fields N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 hits, all fields N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 64 hits, all fields N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 hits, all fields N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\cAIYbjH.exe | N/A |
| N/A | N/A | C:\Windows\System\TsaRUZh.exe | N/A |
| N/A | N/A | C:\Windows\System\AAVaLqN.exe | N/A |
| N/A | N/A | C:\Windows\System\JnHflGp.exe | N/A |
| N/A | N/A | C:\Windows\System\OzwoHrF.exe | N/A |
| N/A | N/A | C:\Windows\System\JbnkJkC.exe | N/A |
| N/A | N/A | C:\Windows\System\FeBQpIl.exe | N/A |
| N/A | N/A | C:\Windows\System\jYUdilw.exe | N/A |
| N/A | N/A | C:\Windows\System\glnXpEj.exe | N/A |
| N/A | N/A | C:\Windows\System\AoUbqyO.exe | N/A |
| N/A | N/A | C:\Windows\System\DJjBySs.exe | N/A |
| N/A | N/A | C:\Windows\System\ksFRhSP.exe | N/A |
| N/A | N/A | C:\Windows\System\UWbrxxl.exe | N/A |
| N/A | N/A | C:\Windows\System\KjMCWBn.exe | N/A |
| N/A | N/A | C:\Windows\System\zsIzNPO.exe | N/A |
| N/A | N/A | C:\Windows\System\mGsAMTB.exe | N/A |
| N/A | N/A | C:\Windows\System\GdRtOTh.exe | N/A |
| N/A | N/A | C:\Windows\System\NaeHcPB.exe | N/A |
| N/A | N/A | C:\Windows\System\QyBfxXb.exe | N/A |
| N/A | N/A | C:\Windows\System\DtYoCNP.exe | N/A |
| N/A | N/A | C:\Windows\System\rLGaJpu.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| 64 hits, all fields N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\cAIYbjH.exe
C:\Windows\System\cAIYbjH.exe
C:\Windows\System\TsaRUZh.exe
C:\Windows\System\TsaRUZh.exe
C:\Windows\System\AAVaLqN.exe
C:\Windows\System\AAVaLqN.exe
C:\Windows\System\JnHflGp.exe
C:\Windows\System\JnHflGp.exe
C:\Windows\System\OzwoHrF.exe
C:\Windows\System\OzwoHrF.exe
C:\Windows\System\JbnkJkC.exe
C:\Windows\System\JbnkJkC.exe
C:\Windows\System\FeBQpIl.exe
C:\Windows\System\FeBQpIl.exe
C:\Windows\System\jYUdilw.exe
C:\Windows\System\jYUdilw.exe
C:\Windows\System\glnXpEj.exe
C:\Windows\System\glnXpEj.exe
C:\Windows\System\AoUbqyO.exe
C:\Windows\System\AoUbqyO.exe
C:\Windows\System\DJjBySs.exe
C:\Windows\System\DJjBySs.exe
C:\Windows\System\ksFRhSP.exe
C:\Windows\System\ksFRhSP.exe
C:\Windows\System\UWbrxxl.exe
C:\Windows\System\UWbrxxl.exe
C:\Windows\System\KjMCWBn.exe
C:\Windows\System\KjMCWBn.exe
C:\Windows\System\zsIzNPO.exe
C:\Windows\System\zsIzNPO.exe
C:\Windows\System\mGsAMTB.exe
C:\Windows\System\mGsAMTB.exe
C:\Windows\System\GdRtOTh.exe
C:\Windows\System\GdRtOTh.exe
C:\Windows\System\NaeHcPB.exe
C:\Windows\System\NaeHcPB.exe
C:\Windows\System\rLGaJpu.exe
C:\Windows\System\rLGaJpu.exe
C:\Windows\System\QyBfxXb.exe
C:\Windows\System\QyBfxXb.exe
C:\Windows\System\DtYoCNP.exe
C:\Windows\System\DtYoCNP.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 104.246.116.51.in-addr.arpa | udp |
Files
memory/1148-0-0x00007FF729A90000-0x00007FF729DE4000-memory.dmp
memory/1148-1-0x00000165F1AF0000-0x00000165F1B00000-memory.dmp
C:\Windows\System\cAIYbjH.exe
| MD5 | 15de25dfd2adbe7a66fbd85259a64e5c |
| SHA1 | f8400ee3517f769cc53c9a8c9cd256737562dd01 |
| SHA256 | 9dde33f7839e6327229aa5e0e0e1ea1510eeebc143b42c43bc8c8a9e3c6b2ef0 |
| SHA512 | 8a4e9f73640c91346e7b536492515ee900bea208ff4e2db4857a173567d027d998a535ebc6134d7dfd2540f63cdc6d52ac69795c87673176141a34a1933ac5b1 |
memory/3176-8-0x00007FF6E95B0000-0x00007FF6E9904000-memory.dmp
C:\Windows\System\TsaRUZh.exe
| MD5 | aace8a803ab2b5fe62d7cf64a61c429b |
| SHA1 | 7884d4b1ec1a0982a6ed94bd67124fd698cfd7ea |
| SHA256 | c2aad50a306bdb2c6e335ad0bdab11a86eb08fdc0fa5e30f0282d7473689b027 |
| SHA512 | 1d0a8843e871e27e88b2f6bc764facaa5410d8d5051ded5b6301e01a8e496814a3cbbdea0c8b413deab6c440a0fecc3638d5587bdf33eb45c65abfa78f38e7e4 |
C:\Windows\System\AAVaLqN.exe
| MD5 | 6e3418517e4ed2f0ef2819e292cca27f |
| SHA1 | 8c17a59b6cbf1db79eb49a27557b9b8ce9635d7c |
| SHA256 | c0f9b1cb7a5dd2b3619386269a9d5ee6d55cb54d42041dfec5bf3ef6887cf6b4 |
| SHA512 | 4232babccc17e5bc12bb53c92cf18c06536571b27f0748be9964c1593c4d92a83c7d5d6278aa6ff07cf568d510e26c2c5143fab2ee8073f6f3b774d16166549d |
memory/2564-14-0x00007FF7E6F20000-0x00007FF7E7274000-memory.dmp
memory/4964-20-0x00007FF60F430000-0x00007FF60F784000-memory.dmp
C:\Windows\System\JnHflGp.exe
| MD5 | e251ad1d30b89d4f299cf1db7f02454e |
| SHA1 | f45641d2812247a51c2222c8442b19665ac1f924 |
| SHA256 | c86b07628b75056b45af0348a1644158dbe1e1fe11932f4e37330076cfe22160 |
| SHA512 | 7c9c53345f8ba2647530d373dc9236772059042d21392972168c0f4f579e6eae282536aed337b819454b9e737e86d512a3f7e747da6b522e0f28105edacc310a |
memory/3000-26-0x00007FF7695F0000-0x00007FF769944000-memory.dmp
C:\Windows\System\OzwoHrF.exe
| MD5 | 278cc231cf1b79db83146424d384ec30 |
| SHA1 | 8f83e6174393a61517e868c6043e494ba69073f7 |
| SHA256 | efdf15276518032f441a813d6b9f6f8d6cc03578d5a84885992103d270f77d9d |
| SHA512 | 8c0d0b3ad660d0d19d30abc28dac5e69b05a3c047098b63ce41cf8c72a7f79589ce09dd95471da31adc82a705ce9e3b850d79d91b2b8151646a86eded200b8c1 |
memory/4652-32-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp
C:\Windows\System\JbnkJkC.exe
| MD5 | 4bc4e6d9ef409d8fdf9b01c903337391 |
| SHA1 | ca3de0f2cfb3b5f6d8b8f7d6efb8cd27e329d5ac |
| SHA256 | 26cceadadf5c9ced24ea014bee3ba7cb4e79d34b6435fd9b4a9a94f48b8e4ec3 |
| SHA512 | ef966fdf5da0ebacbd76370ccc9fe2f960ee9c133dbbaa01a8f0c05138bcb32d37f5903760766a7dfdd961987ed41551e8fda4b73966bbf1f3ab0169188128d1 |
memory/4832-35-0x00007FF73C990000-0x00007FF73CCE4000-memory.dmp
C:\Windows\System\FeBQpIl.exe
| MD5 | 99aedb50262054a910205026df3a9a18 |
| SHA1 | 7fe274ce9ac9f8e996caed2dc7131be34c1f43d2 |
| SHA256 | e5f41e744cab7ddba35d8c307748658430d225e68f066ee1b68521a2ed1ae82e |
| SHA512 | f5a2a78d753e67d0f451bcff2123d3e0fb17989aa2ff4b1eb2899bc36d508c36b6b5d81ce9e8dea74c50137bea78f92a49c6b87bb04bb1a428ee83e4b7218090 |
memory/960-56-0x00007FF6A0C10000-0x00007FF6A0F64000-memory.dmp
C:\Windows\System\DJjBySs.exe
| MD5 | fbd5821c6dd523390deee6a64d8af791 |
| SHA1 | 48c3be4dccc9442c5e58ed5db9b7292032feac3d |
| SHA256 | 44c3e5368d2af20fa8350c26c77f07a5cfc0825f663364bc9dac068fe9d8db6f |
| SHA512 | 8bedaea77bb841920573f3e71a00390b9ad5a793d49de844f484e366f07be2832e53ebaf0ad01f8dd9c490b7069583335d9a63f04efb0858e59d720a8a0d7d4e |
C:\Windows\System\AoUbqyO.exe
| MD5 | 913994b6ae0dcdaa9a6232d8bd364a91 |
| SHA1 | a06f8be08b2a95e451f4a52d75a6cbc7feff2507 |
| SHA256 | 4e09b0baba76942e17dac44dc3441d417e5a6947763429f2c01cb20dbfa2428b |
| SHA512 | da94b0b6217a4f412b7bf9b43bb8cf48a00f57dd2145fe9a39aae66253a6137fc358f6c654a6fe93acf2fc55c8c801c659c8e1a146dd01eccdde33e62741b1a7 |
memory/1996-70-0x00007FF656960000-0x00007FF656CB4000-memory.dmp
C:\Windows\System\ksFRhSP.exe
| MD5 | 6c3a7f44033e91227cc588584a96006c |
| SHA1 | 03c66fa8de9b86a9f0fd070783b12280ef6cddf0 |
| SHA256 | 5edcee9667e08861fe9a99e05587d971210c63048fc44c35579895e9410c958c |
| SHA512 | a6371631ccb1b02a5d6122b21233a1d7f8f64dd06bf703dfe10f91caa10eedf47ef17743cbb005feccbab339de6eb53f8e028e3800e7d95ad0a7777056c44bee |
C:\Windows\System\UWbrxxl.exe
| MD5 | 95fd5fa863f83aeaad71483a57be5660 |
| SHA1 | 97736caec39856813ea9de0ca1aacd89e9f37c30 |
| SHA256 | cd374d8e4c9ef9fcd4e42b8ef72821a39e783e7d373a6822f5c6c49a44edb865 |
| SHA512 | 761f307c95aa6ff8e43eef1954f5d51ac7bf6e8114093cb620433791b6fa1c85e4bb3a2300023db01622542650b42d2289d1fbb325e1424adca5decd515f45f0 |
C:\Windows\System\zsIzNPO.exe
| MD5 | bbc049f82386594b3693ad642effd7ad |
| SHA1 | 6675da6401da651fba0ee9fbf8e33012cb019e7b |
| SHA256 | 663d01ca9e5cfa2adb0d1b2edbf1581ac5932a5a3a2fc003a68afd4c86eda31e |
| SHA512 | bd71014c4039edc3c5532526b58323b574dda1233de44996ace404ab69a53d8244411c612afdb14c92a1693d229598305a51b5969104919041f3a99059a2bfe1 |
C:\Windows\System\NaeHcPB.exe
| MD5 | 888db79dd5fdb6476dde00b27da27c80 |
| SHA1 | ff0f298a6c528d4f7178c17ace0981eae50fc5b3 |
| SHA256 | 3aa188ab8c0a85b111ede22cff834b0b6b5fc960ddf790bf8d694b335020b188 |
| SHA512 | 2f26597070fb2b8905db62bc2e82959710179c734722d3c93dc7620ba271158b023a3179e961df273f4e417efd22fd94008c8a99fd367d96696764c4431ce8bb |
C:\Windows\System\rLGaJpu.exe
| MD5 | 4346a99a700558b3c4cf2f7458aeabcf |
| SHA1 | 5d7bab08dc7e9a11babf56b5aacc48a84e2b99e8 |
| SHA256 | b56cfddea8348d89de4b431c313408d7e72968a09fd387c8bada0ba5050a375e |
| SHA512 | 99abd96bb1d8ed6d219c671ad53a7b01a68d9fafaa76ada9c76233fefe05648d329b07971883f9b763a7615c55f5b0f25c2e8b5fb17b5534b1908b2425480874 |
C:\Windows\System\GdRtOTh.exe
| MD5 | 9b932dadbbdbb5f12b8b696a18b325bb |
| SHA1 | 7b6908afae668885fac5f2e71ace947d9231fa25 |
| SHA256 | 3bb5741b194b909c64bcf491b46e28ca6a58cd51c4dea4f965e27190b9a98eab |
| SHA512 | 5a825984673dcb15f1e4ff4edba88b53fba013e97de1ce4e35f47e3c1fbdb5a1a0a50e3d04feec95b7128d03f76632bd4495b099c0239ef3766df50007447dc8 |
C:\Windows\System\DtYoCNP.exe
| MD5 | 016e0e2ef61640b041220c6cc535d0e9 |
| SHA1 | e399810f70a3ad5ba4abe6d08a6e90d9e1a4f86c |
| SHA256 | 75243843504ee84d3703875f22525693284474d6fddadf384f776470cbf5da89 |
| SHA512 | d3f072ce9331df778b969c922cb53184a57a75418353b92ee2367ce8b281f5f1f44b092f603e541d7845679819614f8900e3fa051f9cbbcbff2a1ae662a0fc1b |
C:\Windows\System\QyBfxXb.exe
| MD5 | ac52493e7142c695840c3531b1f83ba3 |
| SHA1 | 1c9441aa6dd8bcad91c32394197233f7dfbc5ba7 |
| SHA256 | d12b16d2d5d5b3e74b3074a5e1413bc6f74204245ace17e3071742c32c1bcd74 |
| SHA512 | 75db85d3f05678fb1b464b69980cf1d1407d4f8c03a6b3dcbc3e77769b7e8b231ff058214d0fab9eeef074dc45a93d931ac22be6c6c3f8b3f2ce421584cb0201 |
C:\Windows\System\KjMCWBn.exe
| MD5 | 339e41bda5230d1e8fa02e15f5e47257 |
| SHA1 | 93ed46a8e8ce2c8c39d4ff01008911a408164442 |
| SHA256 | 25586ed52097dd127a2ce63d2fc00ee3171d8fb447560ae2540e7e3bb59cba13 |
| SHA512 | c6e0a4264836c71961861f49fb20b8d619c6abd601bb50d412eb65b761d4e559f14de0a108384707e2876a651856cfea4ac7384f375372c7614f5c162587f182 |
C:\Windows\System\mGsAMTB.exe
| MD5 | 0abb24030c085b55bd392b3a02b9889c |
| SHA1 | 28dcbd4cba04ecccfb3161d7f991a7e0c1bbe245 |
| SHA256 | 06b435955ae766be7a795141f3c8c65a8e30368ec449e3298eb439f075f634fc |
| SHA512 | 81dc08598d50b8e76cb71da8ad97566b2d4127461b76408b749c8edea7871953d0d343512346fb56347a316adddff693952a095cdb0cf5e12e6a84babc9669ae |
memory/1888-88-0x00007FF7EB470000-0x00007FF7EB7C4000-memory.dmp
memory/1460-65-0x00007FF63E640000-0x00007FF63E994000-memory.dmp
memory/5112-62-0x00007FF66FD40000-0x00007FF670094000-memory.dmp
memory/2272-60-0x00007FF6797C0000-0x00007FF679B14000-memory.dmp
C:\Windows\System\glnXpEj.exe
| MD5 | 747931d9a2b301a4e8dbf6ff417bf13d |
| SHA1 | b2b0ce784d197a874d737deda6cf5adf62891622 |
| SHA256 | 5531c18a15c5b31e270185efe731cc72845b9495a0eb43160718833c3506f55d |
| SHA512 | 15e3f5eeb1baca15f532e1930ca82379c1f3cf7df9817dd9f4218472774c8e17c0f8de495ba5fe1fcca9d703291030fd86cfc507c68e7f756e8bc09cec214d32 |
C:\Windows\System\jYUdilw.exe
| MD5 | b9380ad91b193901065c913952bb3710 |
| SHA1 | 63df448433c7c0575f16a7de09477179ed15e3c6 |
| SHA256 | e7ff8073b5738ad0e3750314411f2db6bc9fa59ed58caa6e07fa47488308f8f0 |
| SHA512 | 321304037507185dbf86a851d6c631e0db91fff2e1584b801ab596a88ca635ece5ca63b6782c7d9caf0c0f009295bc3fecdf025abd278dff913a071af3974248 |
memory/1468-119-0x00007FF696B00000-0x00007FF696E54000-memory.dmp
memory/3852-120-0x00007FF7B2C20000-0x00007FF7B2F74000-memory.dmp
memory/648-121-0x00007FF6C32B0000-0x00007FF6C3604000-memory.dmp
memory/3056-122-0x00007FF644A40000-0x00007FF644D94000-memory.dmp
memory/4084-124-0x00007FF770860000-0x00007FF770BB4000-memory.dmp
memory/4808-123-0x00007FF6CDEA0000-0x00007FF6CE1F4000-memory.dmp
memory/2100-125-0x00007FF681F50000-0x00007FF6822A4000-memory.dmp
memory/1148-126-0x00007FF729A90000-0x00007FF729DE4000-memory.dmp
memory/4772-127-0x00007FF6A7E10000-0x00007FF6A8164000-memory.dmp
memory/4220-128-0x00007FF7966F0000-0x00007FF796A44000-memory.dmp
memory/4964-129-0x00007FF60F430000-0x00007FF60F784000-memory.dmp
memory/3000-130-0x00007FF7695F0000-0x00007FF769944000-memory.dmp
memory/4652-131-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp
memory/4832-132-0x00007FF73C990000-0x00007FF73CCE4000-memory.dmp
memory/5112-133-0x00007FF66FD40000-0x00007FF670094000-memory.dmp
memory/1996-134-0x00007FF656960000-0x00007FF656CB4000-memory.dmp
memory/1888-135-0x00007FF7EB470000-0x00007FF7EB7C4000-memory.dmp
memory/1468-136-0x00007FF696B00000-0x00007FF696E54000-memory.dmp
memory/3176-137-0x00007FF6E95B0000-0x00007FF6E9904000-memory.dmp
memory/2564-138-0x00007FF7E6F20000-0x00007FF7E7274000-memory.dmp
memory/4964-139-0x00007FF60F430000-0x00007FF60F784000-memory.dmp
memory/3000-140-0x00007FF7695F0000-0x00007FF769944000-memory.dmp
memory/4652-141-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp
memory/4832-142-0x00007FF73C990000-0x00007FF73CCE4000-memory.dmp
memory/960-143-0x00007FF6A0C10000-0x00007FF6A0F64000-memory.dmp
memory/1460-144-0x00007FF63E640000-0x00007FF63E994000-memory.dmp
memory/2272-145-0x00007FF6797C0000-0x00007FF679B14000-memory.dmp
memory/5112-146-0x00007FF66FD40000-0x00007FF670094000-memory.dmp
memory/1996-147-0x00007FF656960000-0x00007FF656CB4000-memory.dmp
memory/1468-148-0x00007FF696B00000-0x00007FF696E54000-memory.dmp
memory/648-149-0x00007FF6C32B0000-0x00007FF6C3604000-memory.dmp
memory/1888-150-0x00007FF7EB470000-0x00007FF7EB7C4000-memory.dmp
memory/4808-156-0x00007FF6CDEA0000-0x00007FF6CE1F4000-memory.dmp
memory/2100-157-0x00007FF681F50000-0x00007FF6822A4000-memory.dmp
memory/4220-155-0x00007FF7966F0000-0x00007FF796A44000-memory.dmp
memory/3056-154-0x00007FF644A40000-0x00007FF644D94000-memory.dmp
memory/4084-153-0x00007FF770860000-0x00007FF770BB4000-memory.dmp
memory/3852-152-0x00007FF7B2C20000-0x00007FF7B2F74000-memory.dmp
memory/4772-151-0x00007FF6A7E10000-0x00007FF6A8164000-memory.dmp